Data Protection






The right to privacy is a basic human right proclaimed by international agreements and conventions, by the constitutive acts of nation states and unions, and also by laws. The legal norms that prescribe its protection represent one of the most important achievements of legal theory and practice.

Privacy was initially designed to guarantee that people's mail, and later messages sent over other telecommunications channels, as well as the apartment where they reside, would be inviolable by third parties. Modern high technology, especially the Internet, gave a whole new and deeper dimension to the concept of privacy.

The etymology of the word Privacy dates back to ancient times. Aristotle first mentioned it in his work Politics, separating the private and public spheres in terms of goods of individual or general importance.[1] The ancient Greeks also practiced the separation of private and public, starting with architecture: houses were built in a way that provided secrecy to certain rooms, while windows and other openings on buildings were designed to let light in without allowing views from public areas. However, the fact that privacy was known in ancient Greece and Rome does not mean that it was implemented to the extent that we know it today. Especially in Rome, there were modern, wide, unfenced gardens and public baths, where naked people were a common occurrence. Only with early Christianity and the propagation of silent prayer, and of the right and the need for solitude and isolation, did privacy in the full sense of the word gain importance. If we take into account the act of confession, and especially the practice in Western European Christianity, where confessional rooms are designed to provide visual privacy for the confessor, we can conclude how important privacy within society and human relations is in the Christian religion. However, according to Christian beliefs and customs, there is no privacy in the relationship with God, because the relationship between man and God is direct and transparent.

In its centuries-long and decades-long struggle to occupy the most important place in regulatory hierarchies, privacy as such had to be compromised for other rights, such as freedom of expression and the press, or security and other state and public interests.

Privacy in the form we know today was incorporated into modern legislation and became a constitutional category in the 19th century. However, the most important international act that classified the right to privacy as a fundamental human right is certainly the European Convention on Human Rights and its Article 8:

Everyone has the right to respect for his private and family life, his home and his correspondence.

Paragraph 2 of the same article already limits the effect of this right, taking into account the public interest and the interests of others:

Public authorities shall not interfere with the exercise of this right unless it is in accordance with the law and necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, to prevent disorder or crime, to protect health or morals, or to protect rights and freedom of others.

Furthermore, the same act in Article 10 proclaims freedom of expression and places it in direct correlation with the right to private life:

Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This Article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.

The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

Although initially established by the 1950 Convention, the European Court of Human Rights in Strasbourg later extended the effects of the aforementioned Article 8 to the Internet and other electronic communications, and to the monitoring, collection and processing of personal data concerning the physical and mental integrity of human beings, such as health status, name, origin, preferences, location tracking and the IP addresses of devices from which they access the Internet, etc. This is the case, among other things, in the famous decision of Hannover v. Germany, 40660/08, in which the court extended the effect of Article 8 by finding that the right to protection of privacy includes the right to prohibit the publication of photographs and recordings that are not in the public interest and were not taken for public purposes.[2]

However, the effect of the described paragraph 1 of Article 8 is not unlimited. Already in paragraph 2 of the same article of the Convention, the Council of Europe provided for its limitations, such as the interests of safety or health protection, but only to a justified extent and in accordance with the principles of suitability, necessity and comparability. The principle of comparability implies an assessment of the importance of the public interest being protected against the value of the good endangered by such a restriction.

The level of privacy protection in national legislation varies. Thus, the French Code Civil guarantees the right to privacy in Article 9. Although intrusion into private life in the 19th century was much less pronounced than later, and incomparable to today, French law even then criminalized the publication of facts about someone’s private life.

However, the United States has not constitutionally established the protection of privacy, as is the case with many other private rights that are heavily influenced by the First Amendment and the protection of freedom of speech and expression. But the United States has been developing the concept of privacy through legal solutions since 1890. Also, the Fourth Amendment prohibits intrusion into private property by a public authority without a permit, which represents one of the rights to privacy, although privacy is not explicitly mentioned anywhere in the amendment.

Italy and Germany recognize the right to privacy, while the United Kingdom relies on the European Convention on Human Rights and its Article 8.

The Internet has brought new ways in which one’s privacy can be violated, with much more devastating and far-reaching consequences for the injured party. Through the personal data that can be collected in this way, one can enter the deepest spheres of the personality, and human integrity can be irreparably endangered in the most difficult ways.

One of the characteristic ways of violating the right to protection of personal data and privacy on the Internet is unauthorized monitoring, storage and processing of information about the activities of Internet users. The most dangerous type of data, which reveals a person in the most private sense, is the so-called metadata, which will be discussed further in the text and which represents information about the communications themselves. These data are a high-risk category of information for human privacy, because today’s software systems, with the help of algorithms, easily connect and cross-reference the obtained data and, based on them, generate a very precise and detailed picture of a person’s contacts, interests and other preferences to which the metadata refers.[3]

Therefore, following several previous recommendations and guidelines for the protection of privacy, the European Union adopted the Data Protection Directive 95/46/EC of 23 November 1995, which for the first time regulated this area in detail and in a binding form. It had two goals: to ensure the right to respect for privacy as one of the basic human rights, and to achieve free and secure traffic of personal data between EU members.

The Directive obliged Member States to enact their own laws implementing its rules, as Directives are not a direct source of law in the EU.[4]

In addition to the data subject, who is defined as any person whose identity is or can be determined on the basis of some data, directly or indirectly, the Directive for the first time provided for the mandatory establishment of supervisory bodies, in the form of public supervisors.

The basic rights of the person guaranteed by this regulation were:

  • the right to information,
  • the right to access the collected data and
  • the right to protest


With the development of the Internet and high technology, the Directive showed its deficiencies, especially in terms of the flow of information between members and third countries, which was allowed under certain conditions. It is this outflow of data to third countries, and especially those whose privacy rules are significantly different from the EU’s, such as the United States, that posed the biggest problem for the protection of EU citizens’ data. Following the European Commission’s initial decision in 2000 approving the transfer of data to the United States, which was declared void by the EU Court of Justice, the European Commission adopted a new decision regulating this area, known as the Privacy Shield.

In the meantime, regardless of the specific problem of exporting data outside the EU, there is a need for much stricter regulations when it comes to data protection. Practice has shown that citizens are not trained and careful enough to be able to actively resist data controllers and processors.




Personal data are all data relating to a natural person whose identity has been determined or can be determined. In the age of modern technologies and means of communication, the term “identifiable” should be taken seriously, because with the help of modern algorithms, by cross-referencing certain data it is very easy to obtain a person’s identity or data that can identify a person with great certainty.

Namely, as the Regulation prescribes, a natural person whose identity can be determined is a person who can be identified directly or indirectly, especially using identifiers such as a name, an identification number (ID), location data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. The GDPR emphasizes identifiability, because with the help of today’s technology and computer algorithms, a small amount of data is enough to profile a personality or even identify an individual.

As a narrower category of data related to a natural person, there are also special categories of data which, due to their sensitivity and the potential risk that their disclosure and misuse carry, deserve to be under a special regulatory regime. Therefore, in the process of data mapping, it is very important to determine whether the controller collects or processes any data from the sensitive categories. In any case, such collection or processing should be reduced to a minimum, or only to the extent necessary to achieve a legitimate purpose.

The GDPR does not apply to legal entities, and the preamble of the Regulation also limits its effect with respect to deceased persons. This is one of the differences between the GDPR and the LPDP of the Republic of Serbia. Namely, as our law did not include the solutions of the preamble, it remains unclear from the letter of the law whether it also applies to deceased persons or not. To increase the confusion, our previous Law on Personal Data Protection from 2008 explicitly prescribed that its provisions also have an effect on the privacy of persons who are no longer alive.

Special personal data include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health condition
  • Sex life
  • Sexual orientation


The processing of these categories of data is prohibited in principle, with exceptions if any of the following conditions are met:

  • There is the explicit, voluntary and previously given consent of the person whose data is being processed
  • Execution of legal duties and rights of the controller or data subject in the field of employment rights and social security and social protection rights
  • When a person is not physically or legally capable of giving consent, and processing is in his interest
  • If the processing is performed by a foundation, association or non-profit body, and it refers exclusively to the members
  • Processing refers to personal data that are obviously published by the data subject
  • Processing is necessary to establish, pursue or defend legal claims in court
  • Processing in the public interest, with mandatory compliance with security measures and the principles of the regulation
  • Processing is necessary for the needs of public health, preventive medicine or occupational medicine, medical diagnosis, or the provision of health or social protection, provided that the controller is obliged to hire a professional person as the processor
  • Archiving in the public interest, the need for scientific or historical research or statistical needs




Traditional monitoring and control methods often require resources that make them unprofitable, which directly limits the possibility of mass monitoring, data collection and processing. On the one hand, there are the costs of collecting information (recording, eavesdropping, interrogation), and on the other hand, the costs of processing it by a hired labor force. Also, data processed in this way, which includes the human factor, are additionally subject to errors, which makes them unreliable.

In this regard, the ability to collect metadata and their automated processing represent a revolutionary change in the whole concept of monitoring the activities of individuals.

Today’s largest companies in the world, such as Google, Facebook, etc., base their business model on the collection and use of users’ metadata. The same is the case with many other platforms for free messaging, blogging, sharing pictures, videos, etc. Although seemingly free, they charge for their services with private data.

Metadata was traditionally used in library card catalogs until the 1980s, when libraries converted their catalog data into digital databases. During the 1990s, as digital formats became the most important way to store data and information, metadata was also used to describe digital data using appropriate standards.

The first description of “metadata” for computer systems was given by MIT Center for International Studies experts David Griffel and Stuart McIntosh in 1967, defining them as statements in an object language about descriptions of the data subject, which describe the relationship between data and transformation.

There are different metadata standards for different disciplines (e.g. museum collections, digital audio files, websites, etc.). Describing the content and context of data or data files increases their usefulness. For example, a web page may include metadata stating the language of the software in which the page is written (e.g., HTML), the tools used to create it, the topics the page is about, and where more information can be found about the subject. This metadata can automatically improve the reader experience and make it easier for users to find a web page online.

Metadata also tells us about the date of data creation, purpose, meaning, author or creator, location of the computer on which it was created, standards that were used, file size, quality, data sources and the processes and methods used in its production.

Although metadata is protected by law and cannot be collected by private companies without the user’s consent, the problem lies in the fact that users themselves are not sufficiently informed of their rights and the consequences of their actions, and readily agree to proposed privacy rules that are often incomprehensible, too long and intentionally positioned so as not to be read before giving consent. The new regulations have imposed a number of obligations on data managers in order to better inform users, in clear and understandable language, in a separate place in the space provided.

Other major metadata processors are state or public security services, which are given the right to collect and process data without the consent of individuals, but with respect to predetermined purposes and in the case of legitimate interests for that processing. In fact, the Constitution and laws represent the indirectly expressed will of natural persons, which can be interpreted as indirectly given consent for collection and processing. Thus, the Constitution of Serbia, in Article 41, guarantees the secrecy of letters and other means of communication, while Article 42 protects citizens’ data from abuses that are further defined and regulated in detail by laws.

The interest of national security often prevails in practice but also in the consciousness of public opinion, which is the case in both the USA and Western European countries, many of which participate in the development of surveillance and mass collection of metadata on communication. Faced with terrorist attacks on their territory, citizens are happy to give up part of their rights and freedoms, treating privacy as a good that they will gladly give up in fear of the violence and attacks that are recorded throughout Europe and the world. On the other hand, among many users, especially the younger generation, Instagram, Facebook and other similar platforms have already made old ideas about privacy meaningless, and legal provisions on personal data protection have been characterized among young people as conservative measures that interfere with modern everyday life.

In short, metadata is data that provides information about other data.

There are different types of metadata, among them descriptive metadata, structural metadata, administrative metadata, and statistical and reference metadata.

  • Descriptive metadata describes a resource for processing purposes such as discovery and identification. It can contain elements such as title, abstract, author and keywords.
  • Structural metadata is a set of data that indicates how some data is structured. It describes the types, versions, relationships, and other characteristics of digital materials.
  • Administrative metadata provides information to help manage resources, such as defining when and how a file or other similar information was created, and who can access it.
  • Statistical metadata can also describe the processes that collect, process, or produce data for statistical purposes. It is also called process data.
  • Reference metadata describes the content and quality of statistics.


Metadata can be written to the original digital photo file (RAW file) to identify who owns it, copyright and contact information, and which brand or model of camera created the file, along with exposure information (shutter speed, f-stop, etc.) as well as descriptive information, such as keywords about a photo, which make a file or image searchable on a computer or the Internet. Some metadata is created by the camera, and some is entered by the photographer or by software after downloading to the computer.

Metadata can be used to facilitate post-production organization using keywords.

Photographic metadata standards are maintained by several organizations and include, but are not limited to, the following:

  • IPTC Information Interchange Model IIM (International Press Telecommunications Council)
  • IPTC Core Schema for XMP
  • XMP – Extensible Metadata Platform (an ISO standard)
  • EXIF – Exchangeable image file format, maintained by CIPA (Camera & Imaging Products Association) and published by JEITA (Japan Electronics and Information Technology Industries Association)
  • Dublin Core (Dublin Core Metadata Initiative – DCMI)
  • PLUS (Picture Licensing Universal System)
  • VRA Core (Visual Resource Association)
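As an added illustration (not part of the original article), the sketch below walks the segments of a JPEG file, reports which of the metadata standards listed above are embedded (EXIF, XMP, IPTC-IIM, plus free-text comments) and produces a copy without them, which is one way to apply data minimisation before a photo is published. The sample bytes and all function names are constructed for this example.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA          # start of image, end of image, start of scan
APP1, APP13, COM = 0xE1, 0xED, 0xFE       # segments that commonly carry metadata

# Payload signatures that identify the metadata standard inside a segment.
SIGNATURES = {
    (APP1, b"Exif\x00\x00"): "EXIF",
    (APP1, b"http://ns.adobe.com/xap/1.0/\x00"): "XMP",
    (APP13, b"Photoshop 3.0\x00"): "IPTC-IIM",
}


def _segments(data):
    """Yield (marker, payload, raw_bytes) for each segment up to the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        # 0xFF bytes may be repeated as padding before the marker code.
        while pos + 2 < len(data) and data[pos + 1] == 0xFF:
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            # Compressed image data follows; hand the remainder over untouched.
            yield marker, b"", data[pos:]
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length            # the length field counts itself
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end
    raise ValueError("truncated file: no image data found")


def classify(marker, payload):
    """Return the metadata standard carried by a segment, or None."""
    for (sig_marker, signature), name in SIGNATURES.items():
        if marker == sig_marker and payload.startswith(signature):
            return name
    return "COMMENT" if marker == COM else None


def scan_metadata(data):
    """List (standard, payload_size) for every metadata segment found."""
    return [(label, len(payload))
            for marker, payload, _ in _segments(data)
            if (label := classify(marker, payload))]


def strip_metadata(data):
    """Return the JPEG bytes with all recognised metadata segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in _segments(data):
        if classify(marker, payload) is None:
            out += raw
    return bytes(out)


def _seg(marker, payload):
    """Build one length-prefixed segment (helper for the constructed sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: correct segment layout, but not a decodable picture.
SAMPLE = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00")
    + _seg(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _seg(APP13, b"Photoshop 3.0\x008BIM")
    + _seg(COM, b"constructed comment")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", scan_metadata(SAMPLE))
    print("after: ", scan_metadata(strip_metadata(SAMPLE)))
```

Removing the EXIF segment also removes the orientation tag, so any rotation should be applied to the pixels before stripping.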







The first and most important principle of data protection is certainly the principle of legality, because it determines whether the Operator has any basis to perform a certain processing operation. Processing will be considered legal if:

  • the data subject has given his CONSENT
  • processing is necessary for THE PERFORMANCE OF A CONTRACT to which the data subject is party
  • processing is necessary for compliance with a LEGAL OBLIGATION to which the controller is subject
  • processing is necessary in order to PROTECT THE VITAL INTERESTS of the data subject or of another natural person
  • processing is necessary for THE PERFORMANCE OF A TASK carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for the purposes of THE LEGITIMATE INTERESTS pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.



The actions of the controller must be legal, fair and transparent to the person whose data is used, i.e. it is necessary to point out in a clear and unambiguous way, in simple, understandable language, the rights he has on the basis of data protection. This principle protects individuals from covert rules, the so-called small print: complex and professional legal constructions that the vast majority of people cannot understand properly, or are not interested in analyzing, in a text that can be deliberately written to be vague. Therefore, the legislator insists on transparency, simple language and easy visibility of important data. For the same reason, the form of consent must by law be separated from other rules and clearly marked as consent.



The data may be used only for the purpose for which they were collected and for which the person gave consent, i.e. until the purpose is fulfilled, regardless of the basis of data processing. The data may only be used to the extent necessary to fulfill a certain pre-known purpose of processing. Therefore, it is recommended to collect or process only the data that are really necessary for the controller, and from time to time it is necessary to review the types of personal data and assess whether the need for their processing still exists, or whether the person processing the data still needs them to fulfill the purpose in question.

If the basis of processing is consent, a change of purpose requires requesting new consent, except in cases provided by regulation. Further processing for another purpose without the consent of the person is allowed only under the conditions exhaustively prescribed by law. Such an assessment should take into account the relationship between the purpose for which the data were collected and the other purposes of the intended processing, the general circumstances in which the data were collected, the relationship between the controller and the data subject, and the nature of the data (whether they are sensitive and to what extent), and should anticipate the possible consequences of further processing for the data subject. Of course, appropriate data protection measures should be applied.



The data must be accurate, and the person whose privacy is in question should be given the opportunity to point out inaccuracies free of charge and to request that such data be updated or deleted. For example, if a person points out the inaccuracy of some personal data, the Controller is obliged to update it; otherwise he faces a violation of the provisions of this law.



The data may be used only to the extent necessary to fulfill the purpose of processing, i.e. the smallest possible scope of processing. Therefore, the starting position of everyone who chooses the method of processing and the amount of data he intends to process must be: the less the better. The processing of any unnecessary data leads to the risk of data leakage, and, depending on the nature of the data, may also require completely different security measures from the Controller. Namely, if someone collects fingerprint data of employees for the purpose of controlling their arrival, not only does he use an unnecessarily privacy-invasive method to achieve the purpose, but he must also raise the information security system to a significantly higher level, which can be complicated and financially burdensome.



The data have to be stored for as short a time as possible, i.e. they must not be stored longer than is necessary for the purposes for which they were collected, and the person must be informed about the duration of the storage of his data.



The controller and processor must make every effort to ensure adequate data security, including protection against unauthorized and unlawful processing or accidental loss. The legislator deliberately did not prescribe in detail in which situation, i.e. in relation to which data and which processing actions, which level of security should be applied. True, recommendations are given for encryption or pseudonymization of data, but it is up to the Controller to choose, based on a risk assessment, which security level to apply, and he will be responsible for that choice if it turns out that the data was not sufficiently protected and that he was responsible.

Also, the controller is obliged to prove the compliance of its activities with all the above principles, i.e. to prove the legality of its actions and legitimate interests for the collection and processing in a certain way and to a certain extent. Although it is very difficult to prove negative facts in practice, for the sake of “higher” interests, and adequate protection of individuals and their privacy, this obligation is imposed on the Controller by the Law.




If there is no other basis for some processing to be legal, and the controller or processor wants to process the data, consent is required, i.e. the basis for such processing is consent given under the conditions and in a manner in accordance with the Law. Consent can be defined as any voluntary, explicit, informed and unambiguous expression of the will of the person to whom the data relates, by which he consents, by a statement or implied action, to the processing of personal data relating to him.

Consent has to be given by a clear affirmative action expressing the voluntary, specific, informed and unambiguous consent of the data subject, such as a written statement (including an electronic statement) or an oral statement. Although the law includes the oral form as a legal way of obtaining consent, the problem of possible proof should be borne in mind, so this form is not recommended.

It may include ticking a box when visiting websites, selecting technical settings for information society services, or another statement or action that clearly shows in that context that the data subject accepts the proposed processing of his or her personal data.

Consent will not be legally obtained if:

  • the user’s attitude is passive or restrained
  • the consent field in electronic form is already pre-ticked
  • there is a clear imbalance between the parties (especially if one party is the authority)
  • there is no true and free choice
  • it is impossible to refuse or withdraw consent without consequences


The legislator pays special attention to the Conditions for the consent, because the burden of proving that a certain person has given consent is on the controller. With consent, it is necessary to ensure full information of persons in a clear and unambiguous manner, in an understandable and easily accessible form. It is also very important to clearly separate the consent text from other text or other information.

A person who has given his consent once has the right to withdraw it at any time, in the same simple way as is prescribed for giving consent. Withdrawal does not affect the lawfulness of the processing that was carried out before the withdrawal. For the collection and processing of data of persons under the age of 16, it is necessary to obtain parental consent. National legislation can move this limit to the age of 13.

A characteristic of obtaining parental consent is that the regulation, in addition to the burden of proving that consent was obtained, obliges the controller to do everything in his power to check whether the consent was actually given by the parent or legal representative of the child.




While respecting the principles of data processing, it is of great importance for the Controller to ensure that the persons whose data are processed are informed in a timely and detailed manner about all important elements of processing, as well as about their rights guaranteed by law.



The controller shall take appropriate measures to provide the data subject with all information and communications relating to the processing in a concise, transparent, comprehensible and easily accessible form, using clear and simple language, in particular all information that is specifically intended for the child.

The information shall be provided in writing or in other forms, including in electronic form when it is appropriate.

Upon request, the data controller shall provide the data subject with information on the actions taken without undue delay, and in any case no later than one month from the day the request is received.

This period may be extended by an additional two months, as appropriate, taking into account the complexity and number of requests.

The controller shall notify the data subject of any such extension within one month from the day of the request, stating the reasons for the delay.



The data subject has the right to obtain confirmation from the controller as to whether his or her personal data are being processed and, if such personal data are being processed, has the right to access personal data and the right to a copy thereof.

The information shall be provided in the usual electronic form, unless the person requests otherwise.

Find a modality for easier realization of rights



The data subject has the right to require the controller to allow him to correct inaccurate personal data relating to him without undue delay.

Taking into account the purposes of processing, the data subject has the right to supplement incomplete personal data, inter alia by giving an additional statement.



The data subject has the right to require the controller to delete personal data relating to him without undue delay (and to have the data deleted by all processors or third parties), if one of the following conditions is met:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
  • the data subject objected to the processing
  • the personal data have been unlawfully processed
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
  • the personal data have been collected in relation to the offer of information society services to a person under the age of 16


The right to be forgotten and to delete does not exist if processing is necessary:

  • for exercising the right of freedom of expression and information
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for reasons of public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing
  • for the establishment, exercise or defense of legal claims


The right to be forgotten is a legacy of the case law of the European Union. Namely, referring to Directive 95/46/EC, a Spanish citizen, Mario Costeja González, asked the court to order Google not to show in its search results pages containing personal data related to him that were no longer relevant. The first instance court in the Kingdom of Spain stayed the proceedings and referred the preliminary question to the European Court of Justice. The decision made by the ECJ was very important for the protection of personal data on the Internet at that time, but it also paved the way for the development of the right to delete data in the future, which indirectly affected the implementation of this solution in the GDPR. Although the original scope of the institute of the right to be forgotten was significantly limited and only affected the non-display of pages in search engine results, compared to today's much broader effect, the achievements of this court ruling are immeasurable for our right to privacy.



The data subject has the right to require a restriction on processing by the controller if one of the following conditions is met:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  • the data controller no longer needs the personal data for the purposes of processing, but the data subject seeks to establish, exercise or defend legal claims
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject


The person whose data are processed also has the right to correct the already collected data as well as the right to be forgotten, i.e. to delete them under certain conditions.



The data subject has the right to (directly) transfer these data to another data controller without interference by the controller to whom the personal data were provided, if:

  • the processing is based on consent
  • the processing is performed automatically



The data subject may file an objection at any time if the data are processed on the basis of consent.

The controller is obliged to suspend the processing unless he proves legitimate reasons for processing.

In case of objections regarding use in direct marketing, the data must no longer be used.

Irrespective of the right to object to the supervisory authority, the person whose data are processed in any case has the right to initiate court proceedings for damages.




The legislator, through the institution of the supervisory body with all its public powers, has provided stronger protection of the data, in order to better control their processing and transmission. In the Republic of Serbia, the role of the supervisory body is performed by the Commissioner for Information of Public Importance and Personal Data Protection.

Among other things, the Controller and processors are obliged to inform the Commissioner on all issues related to the violation of the rules of the regulation, especially the misuse and outflow of data to third parties. The Controller's attitude towards its obligations to the Commissioner will, among other things, be taken into account when assessing the amount of a possible fine, the payment of which may be imposed on them in misdemeanor proceedings.



[1] D. Popović, M. Jovanović, Internet Law – Selected Topics, Faculty of Law in Belgrade 2017, page 123

[2] Ibid, page 127

[3] Ibid, page 128

[4] Ibid, page 132