The Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (the "Commissioner") addressed the public in early April on the right of protecting personal data during the state of emergency. During the state of emergency in the Republic of Serbia, the exercises of certain human rights are temporarily constrained: the right to freedom of movement and freedom of gathering together. Still, the right to protection of personal data is not limited by measures taken by the state, so controllers and processors are obliged to process personal data exclusively in accordance with the Law on Personal Data Protection.

The Commissioner welcomed and agreed with quotations of the Chair of the Committee of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Data Protection Commissioner of the Council of Europe, who issued a joint statement regarding the  protection of personal data during the COVID-19 pandemic (the "Statement"), which emphasized that due to the implementation of certain measures during the COVID-19 pandemic, states should pay attention to which extent these measures represent a threat to democracy, the rule of law and human rights, including rights to privacy and personal data protection.

The Statement points that special attention should be paid to:
-data processing on population health in the health sector and sharing of data with other sectors
-large-scale data processing
-data processing by the employers
-data from mobile devices
-data processing in education systems.

The Statement points out that during the pandemic, employers will be in a position to process some personal or sensitive data that they do not normally process, such as specific health information. In this regard, employers should only process personal data necessary to identify potentially ill employees, with full respect for the principles of necessity, proportionality and responsibility. Therefore, if employers are required to disclose certain information about the health status of employees to government bodies, then it is necessary that there is a valid legal basis for such disclosure.

Thus the Commissioner stresses out that special care should be taken so not to violate the privacy of persons who are ill and potentially infected persons by disclosing their identity when publishing information on these persons, but to publish only a minimum information necessary to protect public health and reduce the number of patients.

Schools and school-staff are giving their best to increase the skills and resources for remote learning: here one should make sure that the use of remote applications and software does not violate the rights of the persons whose data is processed (concept of default privacy) and that the use of the data is limited to the purpose of the processing. IIt would be useful for employers to direct their employees who have children to inform themselves about their own rights in terms of processing personal data, with responding in a timely manner by protecting the rights of their minor children.

In the Statement one also may read that telecommunications companies, internet platforms and internet providers are being actively involved in combating the spread of COVID-19 viruses and are frequently being asked to provide retained information of their users in order for their geolocation to be identified, inter alia. When processing such data, it should be considered that the processing of the above data for a large number of persons can only be carried out if, on the basis of valid evidence, it could contribute to the cessation of the spread of the pandemic.

Ultimately, the Statement stresses out the need for IT companies to develop a risk management strategy when developing new solutions to combat COVID-19 viruses, and for IT solutions to be focused on minimizing and quality of data collected. This is because the aforementioned solutions include mass processing of personal data, both basic and sensitive, and it is necessary to provide adequate organizational and technical measures and to develop IT solutions in accordance with the data processing guidelines in the context of Big Data and AI (Artificial Intelligence).