Government introduces a Centralized Database of Personal Data to Monitor COVID-19 spread

April 07, 2020

Government introduces a Centralized Database of Personal Data to Monitor COVID-19 spread

April 07, 2020

In order to monitor and successfully combat the spread of COVID-19 disease, the Serbian Government adopted a Conclusion 05 number 53-2926/2020 („Conclusion“) to introduce the Centralized Database of Personal Data (“IS COVID-19”) which will be formed and maintained by the Institute of Public Health of Serbia “Dr. Milan Jovanović Batut” (“the Institute”) with technical support from the Office for Information Technologies and eGovernment and National Health Insurance Fund.

All healthcare institutions that treat patients infected by SARS-CoV-2 virus, public health institutes, laboratories that perform testing, as well as other competent authorities and organizations must record and process the following data:

  • data about cured patients;
  • data about patients diseased as a result of COVID-19;
  • data about persons that have been tested for COVID-19 (whether the results were positive or negative);
  • data about persons that are under an order to self-isolate or be quarantined in facilities for safe accommodation of the population as a preventive measure;
  • location of the persons listed above.

The aforementioned data (“Patients’ personal data”) must be kept on IS COVID-19 and updated daily by 2 pm with data from the previous day.

The Institute will be obliged to provide Ministry of Health with Patients’ personal data to prepare reports and publish pseudonymized data daily by 2 pm with data from the previous day, while information about the date, local government unit, gender, age, type of treatment of patients and other statistical data will be delivered in an anonymized form to the Office for Information Technologies and eGovernment in the same deadline.

Besides that, the Institute will provide the Ministry of Internal Affairs, Serbian Military, and other competent authorities with data from IS COVID-19 in order to aid in fulfilling their duties of enforcing preventive measures established by government decisions and regulations.


How does it relate to Personal Data Protection

From the standpoint of personal data protection, this Conclusion will shift the basis for the lawfulness of processing from “the processing being necessary for reasons of public interest” to “the processing being necessary for fulfilling statutory obligations”. This is an important distinction, as the institutions that are obliged to act in accordance with this Conclusion will now have solid legal ground on which to conduct the processing, as well as clear instructions on which data ought to be processed and for what purpose.

Additionally, under Article 50 of the Personal Data Protection Act, the Institute is obliged to implement a measure that ensures the security of data processing – pseudonymization of personal data. Thus, it implies that this Conclusion should ensure the safety of Patients’ personal data.   


This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.



What Is a Data Protection Officer (DPO)?

What Is a Data Protection Officer (DPO)?

 Data Protection Officer (“DPO”) is a person overseeing a company’s data protection strategy and implementation in order to ensure compliance with General Data Protection Regulation (“GDPR”) requirements. Any company that processes or stores personal data is...

read more

Let's connect

Let us know how we can help you and your business.