AmCham has received an official Opinion from the Commissioner for Information of Public Importance and Personal Data Protection on two important topics for AmCham members.
AmCham has received an official Opinion from the Commissioner on two important topics for AmCham members – the procedure for data export to cloud storage located in countries that have ratified the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and whether the Law on Personal Data Protection applies to encrypted data.
As for the question of whether companies need to get the Commissioner's approval for the export of data to cloud storage located in countries that ratified the Convention, and which could then be accessed from other locations worldwide, the response was that companies need to obtain the Commissioner's approval only when exporting data from Serbia to countries that did not ratify the Convention. For any further export of personal data, the regulations of the state where the processing takes place, or from which the data are exported, will apply. However, this does not mean that the Commissioner, when deciding on granting a permit for data export from Serbia to a country that is not a member of the Convention, will not consider the intention of the operator: namely, whether and to which country the operator will continue to export the data after the intended export to the country for which the license is requested.
As for the question regarding encrypted data, the Commissioner elaborated on the difference between encryption and pseudonymization of personal data. It was noted that in both cases the encryption key could at some point become available, allowing the data to be decrypted again. Therefore, the Commissioner's stance was that in concrete cases, when the person could be identified from the available data, the Law on Personal Data Protection applies.