STANDARD TWINNING LIGHT PROJECT FICHE

1. Basic Information

1.1 Programme: IPA 2009

1.2 Twinning Number: SR/2009/IB/JH/01TWL

1.3 Title: Improvement of Personal Data Protection

1.4 Sector: Public Administration/JHA

1.5 Beneficiary country: Serbia

2. Objectives

2.1 Overall Objective(s):To contribute to the personal data protection in Republic of Serbia in line with EU

standards

2.2 Project purpose:

To enhance capacities of the Commissioner for Information of Public Importance and Personal Data Protection, as well as other identified public authorities, to efficiently perform adequate implementation and standards pertaining to personal data protection in line with the Acquis, within their respective competences

2.3 Contribution to National Development Plan/Cooperation agreement/Association Agreement/Action Plan

European Partnership (Council Decision of 18 February 2008 on the principles, priorities and conditions contained in the European Partnership with Serbia including Kosovo as defined by United Nations Security Council Resolution 1244 of 10 June 1999 and repealing Decision 2006/56/EC) envisages data protection as one of the ‘short-term priorities’. The relevant paragraph reads: “Develop a comprehensive law on the protection of personal data in line with the acquis, in particular with the Data Protection Directive (95/46/EC), and implement it. Set up an independent data protection supervisory authority, with sufficient powers and with sufficient financial and human resources.”

Stabilisation and Association Agreement stipulates in Art 81 that “Serbia shall harmonise its legislation concerning personal data protection with Community law and other European and international legislation on privacy upon the entry into force of this Agreement. Serbia shall establish one or more independent supervisory bodies with sufficient financial and human resources in order to efficiently monitor and guarantee the enforcement of national personal data protection legislation. The Parties shall cooperate to achieve this goal.”

Serbia Progress Report – 2010 EC Report; a moderate advancement was noted in personal data protection field i.e. the adoption of the Strategy for the Protection of Personal Data in August 2010 and the recruitment of additional staff. However, it was also noted that the law was “not fully in line with EU standards”, while the Commissioner’s office lacked financial and human resources.

NPI / National Plan for Integration stipulates that Serbia is to adopt a law amending the current Law on Personal Data Protection in order to comply legislative framework with the EU standards until the end of 2010. (NPI, not-translated, pg. 500-502; Anex 1 and 2, responsible ministry – Ministry of Justice)

This Project aims to further harmonise personal data protection legal framework in line with Acquis and to strengthen the capacity of the independent supervisory body to efficiently supervise the enforcement of personal data protection regulation, thereby attaining the relevant objectives identified in the aforementioned documents. Furthermore, the Project will be an important instrument for the implementation of the National Data Protection Strategy adopted by the Government in August 2010 (Official Gazette, No. 58/2010).

3. Description

3.1 Background and justification:The protection of personal data in Serbia is still at early stage. The main problems

with regard to personal data protection in Serbia are threefold: legislation and regulation are not in line with European standards; overall implementation of existing personal data protection provisions is insufficient; and thirdly, individuals and public at large are not aware of the scope and exercise of the right to personal data protection.

The purpose of the project is to enhance the capacity of the Commissioner as well as identified public authorities to efficiently perform in their respective competences adequate implementation of regulation and standards pertaining to personal data protection that are in the line with acquis communautaire.

a) regulatory framework With regard to legislation and regulation, Serbia ratified the Council of Europe

Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and its Additional Protocol. The Serbian Constitution (2006) recognises the rights to personal data protection and privacy of communications respectively as the fundamental human rights. By the words of the Constitution, personal data processing is only allowed in cases the processing is envisaged by law adopted by the Parliament or on a voluntary bases. In addition, any limitation of confidentiality of communication needs to be approved by a court order. In August 2010, the Government adopted National Data Protection Strategy (Official Gazette, No. 58/2010).

The Law on Personal Data Protection was enacted in October 2008 (Official Gazette no. 97/08, implementation started on 1 January 2009). The act is a novelty in the Serbian system envisaging inter alia the establishment of an independent supervisory authority. However, the Law on Personal Data Protection is not fully in line with European standards, namely Directive 95/46/EC, as it was emphasised in the EC Serbia Progress Report 2009 and 2010 respectively. For example, rules on data security are

lacking and there are no clear guidelines how to monitor use or access to personal data, in particular sensitive personal data. There is only one article in the Law related to data security. Furthermore, many areas of data protection, i.e. biometric data or video surveillance, are not regulated. Organisations, both public and private, use video surveillance while keeping the individuals unaware of their use, purpose and possibility to access these data. Finally, contrary to the constitutional requirement many provisions on personal data processing are contained in a great number of bylaws, instead of laws (statutes). For example, a general law on educational system envisages the establishment of a unified database for all educational institutions leaving to the Ministry of Education to define collection and processing of personal data related to children, pupils and students in these institutions. In a number of primary schools questionnaires on personal data have been distributed to pupils requiring them to fill them out. Upon receiving complaints the Commissioner contacted the Ministry to take appropriate measures in order to inform schools and parents on the purpose of data processing while some of data required could be collected only upon obtaining written consent

In September 2010, the results of the project “Support to the office of the Commissioner for Information of Public Importance and Personal Data Protection” funded by IPA” were presented. The expert engaged identified the main area the national legislation needed to be amended in line with Acquis as well as area that still lacked regulation (i.e. video surveillance). This Project will build upon the methodology and tool developed through this project, while the finding will be used as a starting point for implementing and proposing concrete actions vis-à-vis existing regulation or drafting of new regulation in line with Acquis.

b) implementation The second facet of data protection in Serbia is the issue of the efficient

implementation of personal data regulation and standards, which is two-pronged, it concerns the issue of supervision of data protection by an independent authority, and it concerns the issue of personal data processing by various and numerous entities.

The supervision of data protection as well as the competence of an appellate authority is granted to the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter Commissioner) as of 1 January 2009 by the Law on Personal Data Protection. Throughout 2009 the Commissioner lacked both financial and human resources to perform its duties, an obstacle reported in the EC Serbia Progress Report 2009. Consequently, the Commissioner’s activities were mainly limited to public appeals in cases of data protection violation, e.g. the Commissioner publicly reacted regarding the theft of computers containing personal data on tens of thousands refugees, taken from the Commissioner for Refugees’ premises in Novi Sad, due to the inadequate reaction of responsible persons, lack of understanding on serious potential consequences and possible abuse of those personal data.

In 2010, the Commissioner was approved budget and internal organisation plan with the overall number of staff of 49. In January 2010 the recruitment process commenced. National Assembly elected the Deputy Commissioner for personal data protection in March 2010. Currently (January 2011) out of total 31 staff members 13 are employed in the area of personal data protection. The recruitment of new staff for personal data is planned for 2011.

Besides resources (financial and human), the adequate expertise is of equally high importance in particular if having in mind the variety of issues pertaining to personal data protection, e.g. sensitive personal data processing and security (such as ethnicity or health), information technology, trans-border flow of personal data, adequacy of personal consent for data processing etc. It is therefore necessary to secure that the Commissioner’s staff possess required and adequate knowledge and expertise in their respective fields of work.

Personal data protection issues are novel in Serbia and national experts and practitioners in this field are very few. Thus, there is a demand to develop standards and guidelines that could be used not only as guidebooks or manuals in the work of civil servant dealing with data protection issues but as self-learning tools. The information and knowledge sharing is indispensable for institutional capacity building particularly for developing institution’s policy and everyday work. For example, inspectors should learn about what key questions to pose while screening the legality of data processing in a concrete case. Although cases regarding personal data are often dependent on specific circumstances of facts, standardised procedure will both ease and boost the processes resulting in being beneficial both to the overall work of Commissioner and protection of the right to individual. Also, developing annual working plans will result in strategic planning and rationalisation of the inspection process, therefore of the whole institution. In addition, detailed annual working plan the work of the Commissioner vis-à-vis supervision of data controller will be transparent leaving minimum possibility for any conflict of interest concerns.

A proper implementation of data protection provisions and standards also depends on public authorities and data controllers other than the Commissioner. Simultaneously with improving the capacity of the Commissioner the focus should also be placed on the data controllers – a vast number of public institutions and their civil servants that are dealing with personal data issues.

Various institutions collect and process even personal data that are not necessary for the purposes of the data collection and processing, which, on the other hand often relate to sensitive personal data (e.g. nationality or religious beliefs) and can be misused. For example, health institutions are collecting data on patients’ ethnicity and religious beliefs that are not relevant for their service. In addition, various institutions are asking for personal identification number from individuals even though it is necessary only for limited number of cases. These kinds of data processing are widely spread and turn out to be every day practice in Serbia. Great number of violations of personal data could be decreased by training civil servants and improving the overall capacity of their institutions.

The project is focused on several priority fields – police, justice, health, labour and social policy and electronic communications. The rationale behind identified priority fields is that, firstly, data processing is widespread in all of these fields, secondly, it concerns almost every member of the society; and thirdly, data that are processed are often sensitive ones. Therefore, appropriate regulation and implementation thereof in terms of necessity and proportionality of data collection and processing in these fields, as well as securing effective procedure and legal remedies for data subjects are needed. The number of requests received from public authorities regarding interpretation of data

protection regulations is high and illustrates the need for building capacity among other public authorities.

c) awareness raisingLast but not least important is the awareness of the public vis-à-vis their rights to

personal data protection. Individuals and public in general are often ignorant about their right to know or delete data relating to them, in particular if this concerns some sensitive data such as ethnicity. Citizens often provide public authorities and other entities with their personal identification number and/or ethnic origin rarely requiring information about the purpose of such data. Insofar little attention has been focused on informing the public about the importance of their privacy and their rights. While an individual should be interested in exercising their right, the state has a positive obligation to duly inform him/her about the rights and means of exercise thereof. The public awareness campaigns will result not only in informed public and increased number of (individual) cases regarding personal data protection but it will affect and improve the work of public institutions as it is expected by the public and/or individuals.

3.2 Linked activities (other international and national initiatives):

This Project is building upon the project “Support to the office of the Commissioner for Information of Public Importance and Personal Data Protection” funded by IPA (EU Funded) through a contract called “framework contract beneficiary”, indicative value €180,000 which commenced in April 2010 and was finalised in September 2010. The required outputs are to: 1) Draft amendments on the Law on Personal Data Protection, and 2) Propose methodology and tools to the Commissioner for amendments and supplements of the regulations identified in the field/sectors relevant to the personal data protection. The methodology and tool provided through this Study will serve as a starting point in further analyses and proposals of model laws and bylaws with the aim to have them approved and adopted by relevant ministries and institutions.

3.3 Results:

Result 1: Legal framework pertaining to personal data protection in identified field/sector adjusted in line with EU standards.

Results indicators:1.1. identified field/sector regulation incompliant with EU standards;1.2. number of consultative meetings/roundtables;1.3. prepared model regulation (law, bylaw or amendments to the law or

bylaws) in the field/sector (e.g. police, judiciary, health, labour and social policy and electronic communications)

Result 2: Enhanced operational capacity of the Independent Personal Data Authority (Commissioner) to efficiently monitor and guarantee the enforcement of the Law on Personal Data Protection

Results indicators:2.1. standardised procedures for the Information Commissioner’s work;2.2. procedure and obligation regarding personal data protection processing

by public authorities and other legal entities/institutions explained;

2.3. number of published guidelines;2.4. identified keys elements for personal data security protection (technical

and organisational measures in order to protect personal data against any accidental or unlawful loss, destruction, alteration, disclosure, access or any other unlawful forms of processing);

2.5. number of published manuals;2.6. exchange of best practices amongst participants.

Result 3: Developed human resources in Commissioner and identified public authorities to implement personal data protection regulation and standards in line with Acquis and best practices

Results indicators:3.1. identified training needs in priority areas for efficient work of

Commissioner’s staff;3.2. training programme ensuring relevant competences of the

Commissioner’s staff;3.3. number and quality of implemented trainings;3.4. identified institutional units/sectors (as well as their tasks and duties)

responsible for personal data protection and security;3.5. number and quality of implemented trainings for identified target groups

Result 4: Public at large informed about the right to personal data protection

Results indicators:4.1.number of round tables, public discussions on personal data protection

rights;4.2.number of round tables, public discussions on sensitive personal data

protection;4.3.number of leaflets and other printed promotional materials aiming at giving

essential information on rights of individuals regarding personal data protection;

4.4.interactive, user-friendly internet presentations

3.4 Activities:

Activities related to the result 1: Legal framework pertaining to personal data in identified field/sector in line with EU standards

1.1. Analyses of regulation in the field/sector (e.g. police, health, labour and social policy and electronic communications) regarding personal data protection and compliance thereof with EU standards 1.2. Organisation of consultative process with relevant public institutions/ministries during the drafting procedure of laws, bylaws and/or amendments to law/s or bylaw/s in their respective field/sector 1.3. Preparation of draft/proposal laws, bylaws and/or amendments to law/s or bylaw/s in order to comply with EU standards

Activities related to the result 2: Operational Capacity of the Commissioner

2.1. Preparation of manual/s, procedure/s, tool/s (e.g. annual action plan) for efficient work of the Commissioner (inspection and personal data transfer) 2.2. Development and publication of guideline/s for public authorities and other legal entities/institutions identified as data processors/controllers in order to fulfil legal obligations vis-à-vis personal data processing and databases and their registration within the Central Register maintained by the Commissioner2.3. Preparation and publication of manual/s with tools for data controllers to implement appropriate technical and organisational measures in order to protect personal data against any accidental or unlawful loss, destruction, alteration, disclosure, access or any other unlawful forms of processing.

Activities related to the result 3: Development of human resources in Commissioner and identified public authorities to implement personal data protection regulation and standards in line with Acquis and best practices

3.1. Training need analysis to identify training area fields for the Commissioner’s staff 3.2. Development of training programme for Commissioner’s staff 3.3. Training of the Commissioner’s staff 3.4. Identification of target group/s (sectors/units) within the respective relevant ministries/institutions as well as their tasks and duties pertaining to personal data protection and security (e.g. Ministry of the Interior, Ministry of Justice, Ministry of Health, Ministry of Labour and Social Policy and Ministry of Telecommunications and Information Society)3.5. Organisation of trainings for identified target groups/civil servants on their duties and responsibilities vis-à-vis personal data protection and security

Activities related to the result 4: Informing the public on the right to personal data protection

4.1. Organisation of public awareness campaigns on personal data protection rights4.2. Preparation of public awareness campaign on sensitive personal data protection (in respect of ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life)4.3. Preparation of promotion materials to inform general public about their rights regarding personal data protection 4.4. Improvement of the Commissioner’s internet presentation

3.5 Means/ Input from the MS Partner Administration:

3.5.1. Profile and tasks of the Project Leader

The project staff will consist of a non-resident Project Leader and a team of short-term experts.

The Project Leader will be in charge of the overall coordination of the team of experts and the project activities, the compliance with the set deadlines as well as be in charge of assuring the achieving of the project results.The requested Project Leader profile follows:

- University degree- At least five years of professional experience carried out in a Public

Administration/Body working in the field of human rights/data protection- At least three years of experience within a Public Authority Supervisory Body- Excellent knowledge in the field of data protection- Familiarity process of harmonisation of national legislation with EU acquis- Excellent analytic, organisational and communication skills (including command

of written and spoken English)- Experience working with EC funded projects.

3.5.2. Profile and tasks of the short-term experts

The team of short-term experts (civil servants or mandate body internal personnel) must be able to provide specialist advice and carry out the specified planned activities.The standard profile of the short-term experts should be as follows:

- University degree in the field of law, social studies or information and communication technologies or other human rights or data protection related fields

- At least three years of professional experience in the field of data protection at a senior management level carried out as civil servant or within a mandated body

- At least one year of experience within some public authority supervisory body- Knowledge of relevant international instruments and mechanisms of data

protection- Prior work experience in an international context- Excellent command of English.

The working language of the project will be English. Please note that, in order to facilitate communication with the Beneficiaries and involved Institutions, it is advisable to engage interpreting services.

4. Institutional Framework

Main Beneficiary:Commissioner for Information of Public Importance and Personal Data Protection (Sector for Central Register and Condition of Data Treatment, Sector for personal data rights protection, Section for Supervision)Other Beneficiaries: Ministry of the Interior, Ministry of Justice, Ministry of Health, Ministry of Labour and Social Policy, Ministry of Telecommunications and Information Society (also, Telecommunications Agency)

5. Budget

Total budget is EUR 250 000. Total amount is covered by EU contribution. Interpretation and translation costs will be reimbursed from the budget costs.

6. Implementation Arrangements

6.1 Implementing Agency responsible for tendering, contracting and accounting (AO/CFCU/PAO/ Commission), including contact person and full contact details.

6.2 Main counterpart in the BC, including contact person and contact details. Also include RTA counterpart and the BC Project leader

Project Leader:Mr. Aleksandar Resanovic, Deputy Commissioner Commissioner for Information of Public Importance and Personal Data ProtectionSvetozara Markovica 42 11000 Belgrade, SerbiaPhone: +381 11 3408900E-mail: aleksandar.resanovic@poverenik.rs

Contact person:Ms. Nevena Ruzic, Head of Commissioner’s CabinetCommissioner for Information of Public Importance and Personal Data ProtectionSvetozara Markovica 42 11000 Belgrade, SerbiaPhone: +381 11 3408900E-mail: nevena.ruzic@poverenik.rs

6.3 Contracts

All activities will be conducted under single Twinning Light contract in the amount of EUR 250.000.

7. Implementation Schedule (indicative)

7.1 Launching of the call for proposals: June 2011

7.2 Start of project activities: October 2011

7.3 Project completion: April 2012

7.4 Duration of the execution period (number of months): 6 months + 3 months for the inception and final report.

8. Sustainability

Sustainability of the Project is mainly reflected through the transfer of expertise and best practices. The work of the Commissioner will be secured through annual budget which reflects the needs of the Commissioner with regard to its tasks and duties pertaining to personal data protection. Upon the completion of the Project the Commissioner is expected to efficiently perform its tasks in accordance with the law and European standards. Moreover, staff members working in the identified public authorities’ are expected to, once trained, transfer the knowledge and practices gained to newly employed

staff. In addition, the Commissioner’s staff is expected to continue providing other institutions with professional expertise and opinions on data protection related queries.

9. Crosscutting issues (equal opportunity, environment, etc…)

Cross-cutting issues will be addressed throughout the project. Personal data protection standards are well developed in the area of personal data related to one’s gender, race, ethnicity, religion, sexual orientation, political or other views, health or other sensitive personal data. Having in mind the purpose of the project, non-discrimination policy is the basis for implementation of all project activities. Equal opportunities for all will be ensured during the project implementation. Equal opportunities for men and women to participate in the project will be taken into account throughout engagement of experts and consultants in the project.

10. Conditionality and sequencing

The main precondition for the success of the project is related to the overall resources (both human and financial) of the Commissioner for Information of Public Importance and Personal Data Protection. Despite the obstacles encountered in the early stage of Commissioner’s work regarding the human resources since the beginning 2010 the overall situation has improved. The Deputy Commissioner for personal data protection was elected on 23 March 2010. The process of recruiting staff for personal data protection competences commenced. Currently (January 2011) out of current 31 staff members 13 are employed in the area of personal data protection. The recruitment of new staff for personal data is planned for 2011.

Following the implementation of the project staff members engaged during the implementation of the project will continue to transfer the knowledge and expertise gained to newly recruited staff members as well as other civil servants both working in the Office of the Commissioner and other public authorities on data protection issues.

ANNEXES TO PROJECT FICHE

1. Logical framework matrix in standard format

2. Organisation Chart of the Commissioner

ANNEX I: Logical framework Improvement of Personal Data Protection

Overall objective Objectively verifiable indicators Sources of VerificationTo contribute to the personal data protection in Republic of Serbia in line with EU standards

Positive findings regarding personal data protection progress in Serbia

EC Progress Report

Project purpose Objectively verifiable indicators Sources of Verification AssumptionsEnhancement of capacities of The Commissioner for Information of Public Importance and Personal Data Protection, as well as identified public authorities to efficiently perform within their respective competences adequate implementation of regulation and standards pertaining to personal data protection that are in line with Acquis.

1.Proposals of laws and/or bylaws pertaining to personal data protection in relevant field/sector in line with EU standards prepared2.1.Number of supervisions performed by the Commissioner2.2.Reduced duration of Commissioner’s supervisory, appellative and other procedures2.3.Number of enforced Commissioner’s decisions 2.4.Number of complaints/cases regarding personal data security 3.1.Number of complaints on the work of identified public authorities regarding personal data protection4.1.Number of individual complaints to the Commissioner regarding violation of personal data protection rights

1.Commissioner’s Report 2.Commissioner’s Report 3.Commissioner’s Report

Commitment of the Government to personal data protection and EU accession

4.2.Number of individual complaints to the Commissioner regarding violation of sensitive personal data protection 4.3.Number of visits to the Commissioner’s Internet presentation

Results Objectively verifiable indicators Sources of Verification Assumptions1 - Legal framework pertaining to personal data protection in identified field/sector adjusted in line with EU standards

1.1. Identified field/sector regulation incompliant with EU standards. 1.2. number of consultative meetings/roundtables 1.3. prepared model regulation (law, bylaw or amendments to the law or bylaws) in the field/sector (e.g. police, judiciary, health, labour and social policy and electronic communications)

1.1. Analysis report with recommendation1.2. Model regulation1.3. Reports on consultative meetings/roundtables, list of participant

Identified public authorities aware of importance of and committed to improving the protection of personal data

2 - Enhanced operational capacity of the Independent Personal Data Authority (Commissioner) to efficiently monitor and guarantee the enforcement of the Law on Personal Data Protection

2.1.Standardised procedures for the Information Commissioner’s work 2.2. Procedure and obligation regarding personal data protection processing by public authorities and other legal entities/institutions explained. 2.3. Number. of published guidelines. 2.4.Identified keys elements for personal data security protection (technical and organisational measures in order to protect personal data against any accidental or unlawful loss, destruction, alteration, disclosure, access or any other unlawful forms of processing) 2.5. Number of published manuals. 2.6. Exchange of best practices amongst

2.1. Procedure/s, manual/s and tool/s2.2. Published guideline/s 2.3. Published manual/s2.4. List of participants, report, media coverage/press clipping

Commissioner adequately staffed (number of staff and their individual competence)

participants.3 - Developed human resources in Commissioner and identified public authorities to implement personal data protection regulation and standards in line with Acquis and best practices

3.1.Identified training needs in priority areas for efficient work of Commissioner’s staff 3.2.Training programme ensuring relevant competences of the Commissioner’s staff3.3.Number and quality of implemented trainings3.4.Identified institutional units/sectors (as well as their tasks and duties) responsible for personal data protection and security3.5.Number and quality of implemented trainings for identified target groups

3.1. Report 3.2. Training programme/curriculum3.3. List of participants, training material evaluation report3.4. Report with list and contacts of units/sectors responsible for personal data protection and security and report on their tasks and duties. 3.5. List of participants, training material evaluation report

Willingness of institutions to make chances and apply improved practices

4 - Public at large informed about the right to personal data protection

4.1 Number of round tables, public discussions on personal data protection rights

4.2 Number of round tables, public discussions on sensitive personal data protection

4.3 Number of leaflets and other printed promotional materials aiming at giving essential information on rights of individuals regarding personal data protection.

4.4 Interactive, user-friendly internet presentations

4.1. Commissioner’s report, list of participants, press clipping

4.2. Commissioner’s report, list of participants, press clipping

4.3. Promotion materials 4.4. WebPages

Individuals interested in exercising their rights

Activities Means Costs Assumptions1.1. Analyse regulation in the field/sector (e.g. police, judiciary, health, labour and social policy, electronic communications, and trade and banking sector) regarding personal data protection and compliance thereof with EU standards 1.2. To organise consultative process with relevant public institutions/ministries during the drafting procedure of laws, bylaws and/or amendments to law/s or bylaw/s in their respective field/sector 1.3. To prepare draft/proposal laws, bylaws and/or amendments to law/s or bylaw/s in order to comply with EU standards2.1. To prepare manual/s, procedure/s, tool/s (e.g. annual action plan) for efficient work of the Commissioner (inspection and personal data transfer) To develop and publish guideline/s for public authorities and other legal entities/institutions identified as data processors/controllers in order to fulfill legal obligations vis-à-vis personal data processing and databases and their registration within the Central Register maintained by the Commissioner2.2. To prepare and publish manual/s with tools for data controllers to implement appropriate technical and organisational measures in order to protect personal data against any accidental or unlawful loss, destruction, alteration, disclosure, access or any other unlawful forms of processing.3.1. Training need analysis to identify training area fields for the Commissioner’s staff

Relevant laws and by-laws availableRelevant ministries/institutions committed and their staff available Exchange of information with all relevant stakeholders and their commitment to cooperate (i.e. Commissioner, Ministry of the Interior, Ministry of Justice, Ministry of Health, Ministry of Labour and Social Policy, Ministry of Telecommunications and Information Society)Identified staff available for trainingOperational website

3.2. To develop training programme for Commissioner’s staff 3.3. Trainings of the Commissioner’s staff 3.4. Study visits to the data protection authorities in the EU member states 3.5. To identify target group/s (sectors/units) within the respective relevant ministries/institutions as well as their tasks and duties pertaining to personal data protection and security (e.g. Ministry of the Interior, Ministry of Justice, Ministry of Health, Ministry of Labour and Social Policy, Ministry of Telecommunications and Information Society, Ministry of Trade and Services, Ministry of Finance, and National Bank)3.6. To organise trainings for identified target groups/civil servants on their duties and responsibilities vis-à-vis personal data protection and security4.1. To organise public awareness campaigns on personal data protection rights4.2. To prepare public awareness campaign on sensitive personal data protection (in respect of ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life)4.3. To prepare promotion materials to inform general public about their rights regarding personal data protection To improve the Commissioner’s internet presentation

Pre-conditions: Commissioner staffed and operational

Organisational Chart: