The reason for the adoption of the new Personal Data Protection Law (“Official Gazette of RS”, no. 87/2018), which will become effective on 21 August 2019, is the harmonisation of national legislation with European Union regulations, ensuring the highest level of personal data protection, in particular based on:
- Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and
- Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
Among other things, the new legal framework introduces new concepts, in keeping with the time we live in: profiling, pseudonymisation, biometric data processing, information society service, introduction of IP address as personal data, obligatory creation of a Data Protection Impact Assessment, as well as notifications to data subjects on breach of personal data, under the conditions set out in the Law, etc.
The Personal Data Protection Law was modelled on the General Data Protection Regulation (GDPR), a regulation which does not apply in the Republic of Serbia but has applied in the EU since 25 May 2018. Both regulations ensure the highest level of personal data protection and, to a high extent, change the manner of operation of all entities dealing with personal data collection and processing.
Since the field of personal data protection was last regulated at the European level, in 1995, the world has seen the expansion of communication and the emergence of social networks; regulators therefore recognised the need for more detailed and stricter regulation of the protection of data against unauthorised, groundless and, above all, excessive use and transmission to other persons.
Personal data are defined very broadly in the Law. They are numerous and varied, because they comprise all data on the basis of which a person may be identified directly or indirectly (i.e. in combination with other data). Obvious examples include name and surname, e-mail address, and unique personal identification number, but also voice recordings, photographs, video recordings of a face, IP address, etc.
Particular personal data enjoy specific protection under the Law; their processing is therefore prohibited in the majority of cases. Those are the following data:
- racial or ethnic origin,
- political affiliation,
- religious or philosophical affiliation, trade union membership, as well as
- genetic data, biometric data aimed at unique facial identification,
- medical data,
- data on sexual life or sexual orientation of natural person.
In the majority of cases, e-mail addresses and business contact information are deemed personal data. Personal data are defined by the Law as any information relating to a natural person who is identified or may be identified based on such information.
Since business e-mail addresses mostly include the name and surname, the name of the employer (from which it may be determined where a particular natural person is employed), the name of the natural person’s position and similar data identifying a particular natural person, they are deemed personal data.
The above does not apply where Erste Leasing processes business contact data on a natural person who does not have contact with Erste Leasing in his/her private capacity (e.g. as a party to an agreement on credit taken on his/her behalf and for his/her account), but acts within his/her operating or statutory tasks, as a representative of his/her employer which has a business relation with Erste Leasing.
Personal data processing is not only the expert analysis of consumer data on the basis of which a decision on the business relation between the consumer and Erste Leasing is made; it also means data collection and storing, recording, classification, restriction, deletion, etc.
In its operations, Erste Leasing processes personal data for the purpose of entering into and executing an agreement with the consumer, as well as for the purpose of meeting obligations set out in law and other regulations. Implementation of a business relation with Erste Leasing is not possible unless the obligatory data, as required for the particular operation, are collected and processed.
The first group includes identification data, as well as other data which Erste Leasing is obligated to collect in accordance with the Law on the Prevention of Money Laundering and Terrorism Finance and other applicable regulations, as follows: name and surname, address of domicile and/or place of stay, personal identification number, date, place, and state of birth, nationality(ies), and other data in accordance with regulations.
The second data group collected by Erste Leasing comprises data the processing of which is necessary for the execution of an agreement with the data subject, or for taking actions upon the request of the data subject prior to agreement execution. In a specific case, these data depend on the service/product agreed and/or used, whereby Erste Leasing takes strict care to comply with the “data minimum” principle (therefore, only those personal data necessary for the respective processing purpose are processed).
Contact data may also be among the other data necessary for agreement execution, where needed to provide an Erste Leasing service or product (e.g. e-mail address or mobile phone number for the service of sending SMS messages on debt status to a mobile phone).
The third data group includes contact data provided voluntarily, which Erste Leasing uses to notify you, in the fastest and simplest manner, of facts significant for the product or service you have shown interest in or use, and to provide other useful information/documentation upon your request; such notification may also be a statutory obligation of Erste Leasing.
Acceptance of data processing may be given for one or several specified processing purposes, such as:
- Creation of specific offers/recommendations of products, services, and options of their use (personalised marketing) in order for you, as the consumer, to efficiently manage your finances.
- Temporary information on products and services, benefits, prize games, news, and changes in the operation of Erste Leasing, Erste Group members, and business partners with which you may arrange cooperation through Erste Leasing (direct marketing), so that useful information on Erste Leasing's operation, products, and services which may be of interest to you is available to you.
- Improvement of Erste Leasing products and services based on your requirements and expectations, based on the results of interim surveys about your satisfaction and experience in connection with the use of Erste Leasing products and services.
At any time, you may withdraw (recall) your acceptance of data processing, after which Erste Leasing will no longer process your data for the purpose to which your acceptance related.
In its business relations with consumers, Erste Leasing does not use automated individual decision-making that results in adverse legal consequences for the consumer.
Erste Leasing is obligated, in accordance with the Financial Leasing Act and relevant by-laws, to calculate credit rating. Credit rating is determined by comparing statistical models on the grounds of available data, among other things data collected from the consumer, data on products and services used by the consumer, and whether liabilities are settled at maturity.
Erste Leasing performs particular data processing using the services of service providers (e.g. providers of IT services, archiving, printing and sending letters to consumers), applying relevant technical and organisational personal data protection measures.
Erste Leasing takes care that such service providers are always from the Republic of Serbia, the EU, or states which are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, pursuant to the Personal Data Protection Law. Also, in the event of outsourcing data processing to a third party (service provider), Erste Leasing is obligated to stipulate the same level of protection as it provides itself in this field, in accordance with the Law.
In addition, Erste Leasing is entitled, and in particular cases obligated, to forward personal data to:
- members of its bodies, its members, Erste Group members, the updated list of which may be found on the following web page: https://www.erstegroup.com/en/about-us,
- Erste Leasing’s external auditor,
- Serbian Bank Association Credit Bureau,
- National Bank of Serbia,
- other public authorities and persons who, due to the nature of the work they perform, must have access to such data, in accordance with regulations.
The data subject is entitled to access personal data processed by Erste Leasing.
In the cases provided for in the Personal Data Protection Law, the data subject is entitled to request data deletion, as well as processing restriction.
The Law also guarantees the right to data correction and updating; however, please note that in a business relation, data correction and updating are a stipulated obligation of the Erste Leasing consumer, and such obligation is implemented in accordance with the respective agreement, in the majority of cases by providing evidence indicating which data need to be corrected (e.g. change in ID, address, etc.).
Under the conditions stipulated in the Personal Data Protection Law, the data subject is entitled to personal data transferability, i.e. to receive from Erste Leasing any data which the data subject has provided to Erste Leasing, for the purpose of transfer to another controller, as well as the right to have such data transferred directly to another controller by Erste Leasing, if this is technically feasible and if, in the assessment of Erste Leasing, the necessary personal data transfer security standard has been ensured. For the time being, such standards have not yet been defined at the financial sector level.
If deemed reasonable in the particular situation, the data subject is entitled to submit to Erste Leasing, as the controller, at any time, a complaint regarding the processing of his/her personal data, in accordance with the Personal Data Protection Law, including profiling based on such Law.
If Erste Leasing fails to act upon the request of the person whose data are processed, it must, without delay and within the term stipulated in the Law, notify such person of the reasons for such failure and instruct such person on his/her right to file a complaint with the Commissioner or to file a claim with the respective court.
The right to deletion is not an absolute right. It may be enforced only where the data are no longer necessary for the purpose for which they were originally collected and for which there are still statutory grounds of processing. Please note that Erste Leasing must process particular data based on the Law (for instance, the Law on the Prevention of Money Laundering and Terrorism Finance sets out a large set of mandatory data), as well as in order to be able to execute its stipulated obligations towards the client.
In many cases, deletion is directly prohibited by particular laws for a specified time period following termination of the business relation (for example, the above Law on the Prevention of Money Laundering and Terrorism Finance clearly stipulates the obligation for Erste Leasing to keep data and documentation in connection with the consumer, the business relation established with such consumer, the risk analysis made, and the executed transaction, for minimum ten years from the date of business relation termination).
The Law also prescribes the so-called legitimate interest for data processing without acceptance, which is a valid legal basis for processing, for example, for the protection of Erste Leasing in pending legal proceedings with a consumer, for the prevention of fraud at Erste Leasing, for the prevention of threats to consumer security, etc. Such legitimate interest must be construed in a very restrictive manner, which Erste Leasing does.
In accordance with the Law, Erste Leasing has nominated an independent Personal Data Protection Expert, who may be contacted at the e-mail address: zastita.podataka@s-leasing.rs.
A request to exercise a right is always filed with Erste Leasing by the consumer, i.e. the person whose data are processed, by completing a particular form, which is provided:
- directly at the headquarters,
- in written form, by ordinary mail, provided that the indicated sender's address is the address reported by the consumer to Erste Leasing as the official communication channel.
Erste Leasing must provide the consumer and/or person whose data are processed with information based on his/her request no later than 30 days from the date of request receipt. Such deadline may be prolonged by a further 60 days, as necessary.
Yes, but such consent must be recorded and documented (in the specific case, recorded based on prior consent granted for conversation recording) for cases of control by the supervisory body (Commissioner for Information of Public Importance and Personal Data Protection), and it must satisfy all requirements of the Law relating to the correct granting of consent (including consumer identification in accordance with the Law, which is not always possible, or is possible only for restricted data processing where identification is not necessary, e.g. only for a telephone number for the purpose of a further call by Erste Leasing).
Yes, it is also possible to accept data processing by e-mail, but only for specified purposes, about which you may be informed on the web site, as well as at the Erste Leasing seat.
For the security of your data, particular prerequisites must be met in this case, as follows: adequate consumer identification in accordance with the Law, as well as contacting Erste Leasing solely through the e-mail address which has been reported to Erste Leasing as the communication channel with the consumer.