The unlawful disclosure of personal data of thousands of public officials and persons connected with them outside the borders of Montenegro has once again compromised the Agency for Prevention of Corruption (APC), an institution that should itself be an example of compliance with laws and regulations in society.
The Council of the Agency for Personal Data Protection and Free Access to Information (APDP) recently made a decision that the APC had violated the Law on Personal Data Protection, because information on public officials and members of their households was taken and processed outside of Montenegro.
The initiative to launch proceedings before the APDP was submitted by MANS back in April this year.
According to the decision of the Council of the Agency, APC entrusted these tasks to the company “Prozone” from Novi Sad, contrary to the Law on Personal Data Protection, which is why the institution headed by Jelena Perović was prohibited from doing so. APC should submit proof of this to APDP, no later than the end of December.
“For the last six years, according to the available data on public procurement, APC has concluded several contracts with the company ‘Prozone’ Novi Sad which had access to personal data, worth around 250,000 euros”, Milovac specified in a statement to “Vijesti”.
APDP sought and received the help of colleagues from Serbia and found illegalities
According to the documents that “Vijesti” had access to, APDP, upon the initiative of MANS, has been determining since April whether APC is violating the Law on Personal Data Protection. For this, according to the minutes of controllers Ljiljana Brajović and Mladen Prelević, APDP asked for the help of their colleagues from the Republic of Serbia.
“In order to undisputedly establish the factual situation in part of the oral and written allegations that ‘Prozone’, when monitoring the functioning of the system, has access to data that are not personal data of the officials of the Agency for Prevention of Corruption or third parties, and due to the fact that the head office of ‘Prozone’ LLC is located outside of Montenegro, on 20.04.2022, the Agency sent a request to the Commissioner for Information of Public Importance and Personal Data Protection, as the competent supervisory authority for the personal data in the Republic of Serbia, to perform supervision in ‘Prozone’”, it is stated in the minutes of the APDP’s controller.
The control established that from the collected material “… two facts clearly and unequivocally arise: that the subject of supervision, as the controller of personal data collections, entrusted the business company ‘Prozone’, to perform tasks related to the processing of personal data, i.e. conducting insight (availability) into them, revealing through transfer from its scope which company in the specific case has the status of processor in terms of the Law on Personal Data Protection, as well as that the processor has its seat outside the territory of Montenegro, in the Republic of Serbia”.
“That authorized persons from ‘Prozone’ and Mina Krstić (authorized person according to the statements of ‘Prozone’ from the Minutes on the inspection carried out by the commissioner), as users of the information system (IS) of the subject of supervision, in accordance with the subject contracts, have VPN access to the APC’s application from the APC’s information system, which was established on the basis of the legal competence of this subject of supervision, and they process the personal data of public officials and members of the family household, in the manner that they were disclosed to them through transmission, i.e. they have an insight into personal and other related data in connection with this category of persons, namely: their first and last name, personal identification number, permanent residence, i.e. place of residence and residential address, educational background and title, and for public officials, the name of father and mother, mother’s maiden name and contact phone number, as well as information regarding the office they hold, membership in working bodies, management bodies and supervisory bodies of companies, public institutions and other legal entities, data on the property and income of officials and members of the joint household, i.e. all data reported in accordance with the Law on Prevention of Corruption, as well as data on political entities (evidence: Minutes on the performed inspection made by the Commissioner from 01.07.2022, notification of the Commissioner’s authorized controller from 05.08.2022…)”, it is stated in the minutes of the controller.
On October 3, APC filed an objection to those minutes, in which, among other things, it was stated that the APDP controllers ignored “the relevant fact that the Ministry of Justice of Montenegro and the Agency for Prevention of Corruption of the Republic of Serbia signed the Protocol on the Assignment of the ‘Source code’ in order to establish the APC’s information system, and that the protocol represents an international bilateral agreement based on the principles of the United Nations Convention on International and Regional Cooperation in the Field of Prevention and Fight Against Corruption”.
Furthermore, according to the decision of the APDP Council, the APC also states in its objection that UNDP provided logistical support for the implementation of the protocol, and that as part of the support, it hired a company from Novi Sad, which was the author of the software design for the needs of the Agency for Prevention of Corruption of the Republic of Serbia. The APC claims that because of all this, it had no obligation to obtain the opinion of the APDP, and it also points out that the controllers did not review the signed Protocol, which would have properly established the factual situation…
According to information obtained by “Vijesti”, the APDP Council discussed the complete material related to the APC in at least two sessions from the beginning of October to December 22. The Council of the APDP rejected the complaint of the APC and stood by the position of its controllers. APC is prohibited from entrusting the processing and disclosing of personal data from the information system to the company “Prozone” from Novi Sad contrary to the law.
Milovac: Mass violation of the law may cost the state budget
Milovac points out that in the control procedure, APDP confirmed the suspicions of MANS that the authorities in APC, contrary to the law, provided unimpeded access to personal data of thousands of Montenegrin public officials, their spouses and children, and other related persons.
“In this particular case, it is a mass violation of the Law on Personal Data Protection, and it can potentially expose the APC, i.e. the state budget, to lawsuits by those whose data were taken outside the borders of Montenegro without authorization”, Milovac warns.
According to him, MANS has previously warned that Director Jelena Perović and the Council of the APC are not able to ensure the lawful conduct of that institution, and the latest example of violation of the Law on Personal Data Protection once again calls into question its credibility.
“Unfortunately, so far, we have had the opportunity to see that the sense of personal and professional responsibility does not reside at the address of Director Perović or any member of the Council which has so far silently supported all the violations of the law that we witnessed in previous years. There is no doubt that the changes in this institution must be radical and result in a change in personnel that would ensure full compliance with laws and regulations”, Milovac concluded.