DLA Piper Intelligence

Data Protection
Laws of the World


Definition of personal data

Under the DP Law, personal data is any information about a natural person through which the respective person is identified or identifiable (for example, name, address, email address, photo, etc.).

Last modified 15 Jan 2021

In late 2018, Serbia updated its data protection law to better align with the EU General Data Protection Regulation. Serbia enacted a new Data Protection Law on 9 November 2018 (published in the Official Gazette of the Republic of Serbia, no. 87/2018) (“DP Law”). Although the DP Law entered into force 21 November 2018, its effective date was postponed until 21 August 2019 (except for the maintenance of the Central Register of Personal Databases which has already been terminated).

The DP Law was long awaited, as it has been 10 years since the previous data protection law was passed. Its content is largely harmonized with the GDPR. It is now fully effective as of 21 August 2019.

Last modified 15 Jan 2021

Definition of personal data

Under the DP Law, personal data is any information about a natural person through which the respective person is identified or identifiable (for example, name, address, email address, photo, etc.).

Last modified 15 Jan 2021

The Serbian data protection authority is the Commissioner for Information of Public Importance and Protection of Personal Data (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) (“DPA”).

It is seated at Bulevar kralja Aleksandra 15 Belgrade and its website is www.poverenik.rs.

Last modified 15 Jan 2021

The obligation for the maintenance of the Central Register of Personal Databases by the DPA, which existed under the previous data protection law, was terminated immediately upon the entering into force of the DP Law. Under the DP Law, controllers and processors are only required to internally maintain the database records and only if they have more than 250 employees or if they are involved in certain types of processing or process certain types of personal data (such as, for example, special categories of data or personal data relating to criminal convictions and offences). The latter two conditions are applicable regardless of the number of employees a processer or controller has.

Last modified 15 Jan 2021
Data Protection Officers

According to the DP Law, controllers and processors are required to designate a data protection officer (“DPO”), whose primary task is to ensure compliance with the data processing law and regulations and to communicate with the DPA and the data subjects on all data protection matters. Similar to the GDPR, this obligation applies if the following criteria are met:

  • The processing is carried out by a public authority (with the exception of a court performing its judiciary authorizations).
  • The core activities of the controller / processor require the regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of personal data — eg, health data or trade union memberships, or criminal convictions / offences data.

The DPO may be employed or engaged under a service contract, and in any case must have sufficient expert knowledge. A group of companies may appoint a single DPO, provided that he is equally accessible to each company.

Controllers and processors are required to ensure the DPO’s independence in the performance of his tasks. This means the following:

  • No instructions may be given to the DPO.
  • The DPO must report directly to the manager of the controller / processor.
  • The DPO may not be dismissed or penalized for performing his or her tasks.
Last modified 15 Jan 2021
Collection & Processing

The collection and further processing of personal data has to be legitimate and legally grounded, meaning pursuant to the data subject's consent or as specifically provided by law.

Under the DP Law, there are a few instances where a data subject's personal data may be processed without the data subject’s consent (for example, when the processing is necessary for fulfilment of the data controller's legal obligations or for the performance of an agreement concluded between a data controller and data subject) (“Exceptional Cases”).

Apart from the Exceptional Cases, prior informed consent from data subjects is generally required to collect and process personal data, meaning that any request for consent has to contain all the information on the particular processing which is explicitly prescribed by the DP Law (for example, the data subject must be notified of the purpose and legal grounds for the processing, information on other recipients of the data in cases when the data is disclosed to entities other than the data controller and information on the statutory rights of the data subjects in relation to the respective processing, etc.).

Although consent is necessary, it does not automatically mean that any processing, to which a data subject has consented will be regarded by the DPA as compliant with the DP Law. There are also other conditions which must be met under the DP Law (eg, the purpose must be legitimate and clearly determined and the type and scope of processed data must be proportionate to the respective purpose).

In addition to written consent, the DP Law explicitly introduces other forms of consent, such as online consent, oral consent or consent by other clear affirmative action provided that the controller is able to demonstrate that the data subject has indeed consented.

The conditions for obtaining consent have become much stricter under the DP Law than compared to the previous legislation. Similar to the GDPR, consent must be freely given, specific, informed and unambiguous. For example, there is a presumption that consent will not be valid unless separate consents are obtained for different processing operations, where appropriate; and the request for consent—when presented in a written document—must be clearly distinguishable from all other matters, using clear and plain language (meaning catch-all clauses will not be valid). Further, consent will not be considered freely given if the performance of a contract is conditional on the consent to the processing of personal data that is not necessary for its performance.

In addition, one important novelty introduced by the DP Law (and similar to the GDPR), is that it does not apply only to the processing of data carried out by Serbian controllers and processors, but also to the processing of data by controllers and processors based outside of Serbia whose processing activities relate to the offering of goods or services (even if offered for free) or monitoring the behavior of Serbian data subjects within Serbia. As a result, a number of these controllers and processors will need to appoint representatives in Serbia for correspondence with the DPA and the data subjects on all issues related to processing.

Last modified 15 Jan 2021

Under the previous data protection law, the DPA’s prior approval was a precondition for a legitimate data transfer whenever a transfer was to be made to any country which had not signed and ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Relevant Convention"). The data transfer regime has now been completely revamped and liberalized under the DP Law, which is a much-welcomed change from the previous overly restrictive concept. The DP Law explicitly applies to both direct and indirect data transfers, unlike the previous law for which it was not fully clear whether it covers indirect transfers at all.

Under the DP Law, controllers will be entitled to transfer personal data abroad if one of the following conditions (among others) is met:

  • Personal data is to be transferred to a country that ratified the Relevant Convention.
  • Data transfers are to a country included on the Serbian government’s list of countries providing an adequate level of data protection (EU Countries, other countries which are member states of the Relevant Convention and some other countries such as, for example, Canada (for business subjects only) and Japan).
  • Data transfers are performed to a country which has a bilateral agreement with Serbia regulating data transfers.
  • The transfer is based on the standard contractual clauses prepared by the Serbian DPA.
  • The transfer is based on binding corporate rules or a code of conduct approved by the Serbian DPA, or on certificates issued in accordance with the law.
  • The Serbian DPA has issued a specific approval for the transfer to be performed on the basis of an agreement between the data exporter and the data importer.
  • The data subject has explicitly consented to the proposed transfer, after having been informed on the possible risks.

This should create more options for the transfer of data to non-European countries, especially since the DPA has prepared the aforementioned standard contractual clauses, which are adopted and applicable as of 30 January 2020 (keeping however in mind that, under the DP Law, the respective SCC mechanism will be available only when a data importer is a data processor). In addition, it is expected that the process of obtaining the DPA’s approval for data transfers will be more efficient, and should be completed within 60 days.

Last modified 15 Jan 2021

Similar to the GDPR, the DP Law introduces burdensome accountability obligations on data controllers, which are required to "demonstrate compliance”. This includes an obligation to all of the following:

  • Implement, maintain and update appropriate technical, organizational and human resources measures to ensure a level of security appropriate to the risk involved by taking into account state of the art and associated implementation costs etc.
  • Have in place certain documentation, such as data protection policies and records of processing activities.
  • Implement data protection by design and by default.
  • Conduct a data protection impact assessments for those processing operations that are considered higher risk to the rights and freedoms of individuals.

Data protection by design requires the controllers to adopt, as well as maintain and update when needed, appropriate measures (such as pseudonymization, data minimization) which will implement the safeguards necessary for processing. Data protection by default, on the other hand, requires the controllers to adopt measures so that, by default, only the processing which is necessary for the specific purpose will be possible (eg, that, by default, privacy settings on one’s social network profile do not make the data public).

Last modified 15 Jan 2021
Breach Notification

The DP Law imposes data breach notification obligations that largely track the GDPR. Furthermore, the Law on Electronic Communications ('Official Gazette of the Republic of Serbia', nos. 44/2010, 60/2013, 62/2014 and 95/2018) (“EC Law”) imposes a duty on entities which perform or are authorized to perform electronic communications' activities (Operators) to notify the Regulatory Agency for Electronic Communications and Postal Services (“RATEL”) as the competent state authority, of any breach of security and integrity of public communication networks and services, which have influenced their work significantly and particularly for breaches which resulted in the violation of protection of personal data or privacy of the respective networks / services' users / subscribers.

Nonperformance of this statutory obligation can lead to liability and fines of up to EUR 17,000 for a legal entity, and up to EUR 1,275 for a responsible person in a legal entity. Protective measures may also be implemented. For a legal entity, a prohibition against performing business activities for a duration of up to three years and for a responsible person in a legal entity, a prohibition against performing certain duties for a duration of up to one year.

According to the DP Law, the data breach obligations present a significant responsibility, as data controllers will generally be required to document each data breach as well as to notify the DPA of such breach (if it is likely to result in a risk to the rights and freedoms of individuals) without undue delay and, when feasible, within 72 hours after becoming aware of the breach. In addition, data processors will have to notify the controllers of the breach without undue delay.

If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is also required to communicate the personal data breach to the individual concerned without undue delay. However, this does not apply if the controller has implemented appropriate technical and organizational measures, such as encryption that has rendered the relevant data unintelligible to any unauthorized person or, if the notification would involve disproportionate efforts, a public communication or a similar measure must be made in order to properly inform the individuals.

Last modified 15 Jan 2021

The DPA is responsible for the enforcement of the DP Law. Namely, the DPA is authorized and obliged to monitor whether the law is implemented and it conducts such monitoring both on its own accord and based on any complaints it receives. If it establishes, when performing the respective monitoring, that a particular person / entity which processes personal data has acted in contravention to the statutory rules on processing, the DPA shall issue a warning to the particular data controller. It may also issue a decision by which it can, among other things:

  • Order the data controller to eliminate the existing irregularities within a certain period of time.
  • Temporarily forbid particular processing.
  • Order deletion of the data collected without a legal ground.

The DPA's decision cannot be appealed, but an administrative dispute can be initiated against the respective decision before a competent Serbian court.

Depending on the gravity of the particular misconduct and the data controller's behavior with respect to the same, the DPA can initiate an offence proceeding against the respective data controller before the competent court. The offences and sanctions for such are explicitly prescribed by the DP Law. The respective sanctions are fines up to EUR 17,000 for a legal entity and up to EUR 1,275 for a responsible person in a legal entity. Additionally, the DPA is now also able to directly fine controllers and processors in certain situations, with fines in the amount of EUR 850. Prior to the adoption of the DP Law, only the Court of Offences was entitled to impose fines.

Criminal liability is also a possibility since the Serbian Criminal Code prescribes a criminal offence of unauthorized collection of personal data. The prescribed sanctions are a fine (of an amount to be determined by the court) or imprisonment of up to one year. Both natural persons and legal entities can be subject to the respective liability.

Formally speaking, under the Law on Administrative Procedure ('Official Gazette of the Republic of Serbia', nos. 18/2016 and 95/2018), the DPA is also authorized to enforce its orders by threatening a company with a fine of up to 10% of its annual income in Serbia in case it fails to comply with the order. This is a relatively new option for Serbian authorities that has not yet been tested in practice, to the best of our knowledge.

Last modified 15 Jan 2021
Electronic Marketing

Electronic marketing is only mentioned in the DP Law in the context of the data subjects' right of complaint. The rules on this subject are envisaged by the Law on Electronic Trade ('Official Gazette of the Republic of Serbia', nos. 41/2009, 95/2013 and 52/2019), EC Law (as defined above in the section on Breach Notification), the Law on Advertising ('Official Gazette of the Republic of Serbia', nos. 6/2016 and 52/2019) and the Consumer Protection Law (Official Gazette of the Republic of Serbia, nos. 62/2014, 6/2016 and 44/2018) (together, the "Relevant Legislation").

In brief, based on the Relevant Legislation, electronic marketing is only allowed if it is covered by an explicit, prior written consent of the person to whom the respective marketing is directed. Additionally, recipients should always be:

  • Clearly informed of the identity of the sender and commercial character of the communication (this information should be provided in the Serbian language prior to commencing the marketing).
  • Provided with a way to opt out of future marketing messages, at any time and free of charge.

For the sake of completeness, it should be noted that, under the most recent changes from July 2019 of the aforementioned Law on Electronic Trade, the same principle that previous consent is necessary for electronic marketing, i.e. for electronic commercial communication, remained, but it is also envisaged now that certain types of electronic communication shall not be regarded as commercial communication and, consequently, should not be subject to previous consent. Such exempt communications include (1) providing information which enables direct access to business activities of a particular entity such as information on its e-address or e-mail and (2) providing information on a particular entity's goods, services or business reputation if such information is obtained by research or in some other similar way and if it is provided free of charge.

Last modified 15 Jan 2021
Online Privacy

There are no specific regulations explicitly governing online privacy (including cookies). Accordingly, the general data protection rules, as introduced by the DP Law are, to the extent applicable, relevant for online privacy as well.

On the other hand, it should be noted that the EC Law, as defined in the section on Breach Notification above, introduces rules on the processing of traffic data and location data, which are obligatory for entities which are the Operators (as defined above in the section on Breach Notification) of public communication networks and publicly available electronic communication services. Under these rules, these Operators are allowed to do the following:

  • Process traffic data only as long as such data is necessary for a communication’s transmission and thus, when such necessity ceases to exist, the Operators are obliged (unless in the case when they have obtained prior consent of the data subjects for using the respective data for marketing purposes) to delete such data or to keep the data only if they take measures to make the data anonymous.
  • Generally process location data only if the persons to which the data relates are made unrecognizable or if they have such persons’ prior consent for the purpose of providing them with value added services (but even if such consent does exist, only in the scope and for the time during which the processing is needed for the respective purpose's realization).

Violations are subject to the fines set forth in Breach notification.

Last modified 15 Jan 2021
Sanja Spasenovic
Sanja Spasenovic
Attorney at law in cooperation with Karanovic & Partners
T +381 11 3094 200/ +381 11 3955 413
Last modified 15 Jan 2021