Agency for Personal Data Protection in friendly instead of control visit to the SEC

The Agency for Personal Data Protection and Free Access to Information was sent to the Centre for Civic Education (CCE) Minutes on the performed inspection supervision in the State Election Commission (SEC). The CCE has previously submitted to the Agency the initiative to conduct the oversight process in the SEC, due to the suspicion that the employee of the Parliament of Montenegro, Vuko Perišić, whose software solution is used by the SEC to verify signatures, processes citizens’ data without a legal basis.

This record also points to the concerningly unprofessional approach of the Agency in the application of the legal obligation to protect the personal data of citizens. Neither any disputable fact was noted nor any recommendation given. Furthermore, the protection of the SEC was done directly, which should be the subject of interest of other competent bodies.

The CCE expresses a reasonable suspicion that the Agency has exceeded its authority and put into question the legality of its work in an attempt to convince everyone of the SEC’s infallibility in this case, which is far from the facts. The Rulebook on the manner of performing supervision in the field of personal data protection prescribes that the controller is authorized to take statements from the person in charge and other persons from the subject of supervision. However, we have an unprecedented approach in the field of inspection, as it follows from the Minutes most of the “facts” were established “over coffee” with the President of the SEC, Aleksa Ivanović, and the employee of the Parliament, Vuk Perišić, instead of two separate official statements were taken.

The Agency controllers also note that Ivanović and Perišić stated that a mistake was made in the minutes from the 116th session of the SEC that it was a software solution of Perišić, intended for checking the signatures of support for electoral lists, and that it was a service contract concluded with the employees of the Parliament based on the Agreement on professional and technical cooperation between the SEC and the Parliament. Such an amateurish attempt to get out of an awkward situation should prompt the controllers to establish the facts in more detail, and perhaps even take statements from all SEC members as to whether these were service contracts that they mistakenly interpreted as Vuk Perišić’s software solution. Instead, the controllers simply believed Ivanović and Perišić’s word.

Moreover, the Agency controllers claim that citizens’ data were processed legally. However, they further note that the service contracts with the employees of the Parliament were concluded on 13 August, after the confirmation of the electoral lists, which was preceded by the verification of signatures. It is clear that the signature verification service was available to citizens before, and the CCE called on the citizens to check if their signature may have been misused already on 6 August. Therefore, it is clear today that 11 employees of the Parliament performed this check without authorization for some time because they did not have appropriate contracts that would regulate their obligations, including the manner of handling personal data. We remind that the Law on Personal Data Protection prescribes that “the manager of the personal data collection may entrust certain tasks related to the processing of personal data within its scope to the processor of personal data by a contract, which must be in writing.”

The Agency controllers also did not determine how employees of the Parliament could be given a CD with an excerpt from the voter list without having any contracts with the SEC, who has the right to use this personal data. Article 20 of the Law on Voters’ List states for which cases an excerpt from the voter list is issued. This article does not recognize such a case, so the basis on which the Ministry of Interior provided the employees of the Parliament with the CD with an excerpt from the voter list, which the Agency controllers intentionally or accidentally missed in the supervision procedure, remains unknown. It is also not clear which act prescribes the procedure for handling and destroying that CD, which is described in detail in the minutes without citing the source, and hence we express doubts about the veracity of these allegations.

Finally, the provision of the Law on Election of Councilors and MPs stating that other state bodies are obliged to provide professional and technical assistance to election administration bodies does not automatically provide a basis for concluding service contracts and paying an unknown amount of money to the employees of the Parliament. It also remains unclear how these employees of the Parliament were elected and how their labor costs were determined, as well as whether they were paid in the Parliament for the same period, i.e. received double compensation.

From everything stated in the Minutes full of ambiguities, it seems only clear that this supervision was not aimed at checking the basis for the processing of personal data of citizens, but that it went into the direction of fulfilling the formalities. Thus, it turned out to be a more friendly visit of Agency officers to a former colleague and boss who is nowadays the SEC’s president, than control of the legality of the processing of personal data of citizens. The approach according to which the law is applied differently depending on the subject is anything but legal and therefore the CCE calls on the new majority in the Parliament to consider personnel changes in the Agency Council as a priority because there are frequent examples of incompetence and lack of independence in this body.

Tamara Milaš, Human Rights Programme Coordinator