The PDP Law introduces penalties for legal entities and responsible persons in legal entities in case of acting contrary to the provisions of the PDP Law.
It imposes monetary fines for the violations of the legal entity in the range between RSD 50,000 and RSD 2m (EUR 450 to 16,000) and for the responsible person in legal entity in the range between RSD 5,000 and RSD 150,000 (EUR 40 to EUR 1,200).
The legal entity may also have to pay a fine of up to 10% of an undertaking’s income realised in Serbia in the previous year, in case of not applying or infringing the data protection authority’s order of limitation on processing or suspension of data flows.
The Serbian Criminal Act prescribes the unauthorised collection of the personal data as a felony. Therefore, it cannot be excluded that natural person who acts contrary to the provisions of the PDP Law, would be subject to potential criminal liability.
- Reputational risk;
- Reimbursement of potential damages (material and non-material)