Data protection

1. Local data protection laws and scope

Law on Personal Data Protection ("RS Official Gazette", No. 87/2018) (the “PDP Law”)

2. Data protection authority

Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner”)
http://www.poverenik.rs/index.php

3. Anticipated changes to local laws

Amendments to the PDP Law are anticipated.

4. Sanctions & non-compliance

Monetary fines:

The PDP Law introduces penalties for legal entities and for responsible persons in legal entities who act contrary to its provisions. It imposes monetary fines for violations by the legal entity in the range between RSD 50,000 and RSD 2,000,000 (approx. EUR 430 to 17,000) and for the responsible person in the legal entity in the range between RSD 5,000 and 150,000 (approx. EUR 40 to 1,300).

Criminal liability:

The Serbian Criminal Act prescribes unauthorized collection of personal data as a felony. Therefore, it cannot be excluded that a natural person who acts contrary to the provisions of the PDP Law may also face criminal liability.

Others: 
  • Reputational risk
  • Reimbursement of the potential damages (material and non-material)

5. Registration / notification / authorisation

N/A

6. Main obligations and processing requirements

  • Maintaining records of processing activities
  • Implementing appropriate technical, organizational and human resources measures
  • Cooperating with the Commissioner
  • Meeting the information requirement towards data subjects
  • Having an appropriate legal ground for processing
  • Complying with restrictions on transfers of personal data
  • Appointing a Data Protection Officer, where applicable
  • Notifying personal data breaches to the data subject and the Commissioner, in accordance with the PDP Law
  • Conducting a data protection impact assessment, where applicable
  • Enabling the exercise of data subjects' rights in accordance with the PDP Law

7. Data subject rights

A data subject has the following rights:

  • right to be informed, 
  • right to access, 
  • right to rectification and supplement,
  • right to erasure of personal data, 
  • right to restriction of processing, 
  • right to personal data portability, 
  • right to object, and 
  • right to lodge a complaint to the Commissioner.

8. Processing by third parties

A controller may opt for processing to be carried out on its behalf by another natural or legal person – the processor. In that situation the controller is obliged to use only processors that provide sufficient guarantees of implementing appropriate technical and organisational measures, so that the processing meets the requirements of the PDP Law and ensures the protection of the data subject's rights.

Processing by a processor shall be governed by an agreement or other binding legal act ("Data Processing Agreement" or "DPA") concluded in writing, including in electronic form. The DPA is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

However, where the processor infringes the PDP Law by itself determining the purposes and means of processing, that processor will be considered a controller in respect of that specific processing.

9. Transfers out of country

Transfer of personal data outside of Serbia without the prior consent of the Commissioner (the data protection authority) is allowed only if the receiving country or international organization provides an "adequate" level of data protection. The Serbian Government has issued a so-called "whitelist" (Decision on the List of States, parts of their territories or one or more sectors of specified activities in those States and international organizations where it is considered that an adequate level of protection of personal data is ensured (Official Gazette RS no. 55/19)) of countries, or territories thereof, where an adequate level of data protection is guaranteed. This list includes the countries that have ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the "Convention"), as well as Guernsey, Israel, Japan, Canada (commercial organizations), the Isle of Man, New Zealand and the United States of America (limited to the Privacy Shield framework).

In other cases, data transfer to countries not specified in the "whitelist" is allowed only if the controller/processor has ensured appropriate safeguards, as prescribed by the PDP Law, to protect the data, and if the exercise of rights and effective legal protection are assured to the data subject. In the situations prescribed by the PDP Law, appropriate safeguards may also be provided with the Commissioner's special approval.

The following are considered appropriate safeguards under the PDP Law:
  • A legally binding and enforceable instrument between public authorities or bodies;
  • Standard data protection clauses adopted by the Commissioner which regulate the legal relationship between the controller and the processor;
  • Binding corporate rules approved by the Commissioner;
  • An approved code of conduct with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards, or an approved certification mechanism.

10. Data Protection Officer

Controllers and processors are required to designate a data protection officer ("DPO") if: (a) the processing is carried out by a public authority, or (b) the core activities of the controller/processor require the regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of personal data – e.g. health data or trade union membership – or of data relating to criminal convictions/offences.

11. Security

Data controllers and data processors shall take all necessary technical, human resources and organizational measures to protect data in accordance with the established standards and procedures, in order to protect data from loss, damage, unauthorized access, modification, publication and any other abuse, and shall impose a confidentiality obligation on all persons who work on data processing.

12. Breach notification

If a data breach may create a risk to the rights and freedoms of natural persons, the controller must notify the Commissioner without undue delay and not later than 72 hours after becoming aware of the breach. If the breach may create a high risk to the rights and freedoms of a natural person, the controller is obliged to notify the affected data subject without undue delay.

13. Direct marketing

Prior informed consent of the data subject (a natural person) is required for direct marketing (via mail, e-mail, phone, etc.). The data subject must be able to withdraw that consent at any time.

If the data subject no longer wants to receive advertising messages, the advertiser must stop the direct marketing. These rules do not apply to natural persons who perform a business activity, in relation to that business activity.

14. Cookies and adtech

Not regulated, so general personal data protection rules apply.

15. Risk scale

Medium (moderate).

Commissioner for Personal Data Protection website: https://www.poverenik.rs/en/

Cybersecurity

1. Local cybersecurity laws and scope

The Law on Information Security ("Official Gazette of RS", Nos. 6/2016, 94/2017 and 77/2019) (the "Law")

2. Anticipated changes to local laws

A proposal for a new law has been adopted. The aim of the new law is to comply with the NIS 2 Directive. The new law is expected to be adopted soon.

3. Application 

The Law specifies measures for protection against security risks in information and communication systems, the liability of legal entities in the management and use of information and communication systems, and designates the competent authorities responsible for the execution of protection measures, coordination between the entities involved in protection, and monitoring of the proper application of the prescribed protection measures, software and software development tools.

5. Key obligations 

  • Adopting an internal by-law on the security of the information and communication system and implementing security measures
  • Appointing a person or organisational unit responsible for security supervision of the information and communication system
  • Providing a report on the internal control of the information and communication system
  • Mandatory reporting of incidents related to the information and communication system

6. Sanctions & non-compliance 

Monetary fines:

Fines of up to RSD 2,000,000 (approx. EUR 16,800) for the legal entity and up to RSD 50,000 (approx. EUR 400) for the responsible person in the legal entity.

Criminal sanctions:

N/A

Others: 
  • Reputational risk
  • Reimbursement of the potential damages (material and non-material)

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. Tasks of the national CERT are assigned to the Regulatory Agency for Electronic Communications and Postal Services (RATEL).

8. National cybersecurity incident management structure

The Serbian Government has established a body for the coordination of information security work and adopted a Decree on the procedure for Notifying on Incidents relating to Information and Communication Systems of Particular Importance.

9. Other cybersecurity initiatives 

N/A.