In its recently issued decision Serbian DPA found that the public postal service company “The Post of Serbia” (hereinafter: “the Post”) breached a right of access to privacy data, since it refused to give certain information to the data subject.
Namely, the applicant sought from the Post the information and a copy of the personal data concerning him which were related to the shipment sent to him by the court (i.e. which court sent the shipment, the number and date of the shipment, how many shipments the court sent, whether some of the shipments returned to the sender, etc.). However, the Post refused to provide such information, stating that, when it comes to the processing of personal data of users of postal services, including court documents, the Post keeps records as a processor on behalf of the controller pursuant to Art. 47, para. 4 of the Serbian Law on Personal Data Protection, and on the basis of the Serbian Law on Postal Services. In other word, the Post stated that as a processor it has no authority nor obligation to act upon the request of the applicant and that the applicant can submit such request only to the court.
The applicant lodged a complaint with a Serbian DPA, which decided that there was a breach of the right of access since the Post was the controller of the listed data, and not a processor, and as such had the obligation to give the requested information to the applicant.
In its decision, the Serbian DPA draw a line between a processor and a controller, stating that a controller is the one who determines the purposes and means of the processing of personal data, while the processor is the one who processes personal data on behalf of the controller. It stated that a person has a right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed, access to the personal data, and a copy of the personal data undergoing processing. Furthermore, the Serbian DPA stated that processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
The Serbian DPA cited Serbian Law on Postal Services and emphasized that this law prescribes the obligation of the postal service providers to adopt general conditions for the provision of postal services, which must include the types of postal services to be performed, manner and conditions of providing postal services and deadlines for delivery of shipments, as well as that postal operators are obliged to perform postal services in accordance with their adopted general business conditions. Having in mind the above, the Serbian DPA concluded that the contracts that the Post concludes with its users are not data processing agreements, but contracts related to the provision of a certain postal service. Thus, it cannot be concluded that the Post process personal data based on the instructions of its users. Quite opposite, the Post processes personal data to fulfil its legal obligations, in the manner regulated by law, bylaws and general business conditions of the Post. For these reasons, the Post should be regarded as a controller, and as such it should have acted upon applicants request with respect to access of data concerning him.
As seen, the overall conclusion is that you need to assess carefully whether you are a controller or a processor, since these roles carry different responsibilities, and wrongful assessment may lead to the breach of data subject rights.
Article provided by INPLP member: Ana Popović (Živković Samardžić, Serbia)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)