Impact of the GDPR in Serbia

1. Applicable legislation governing data protection in Serbia

The umbrella regulation in the field of personal data protection in Serbia is the Personal Data Protection Act (Official Gazette of the Republic of Serbia, No. 87/2018) (“PDP Act”). The PDP Act regulates both the protection of natural persons regarding the processing of personal data and the free movement of personal data. It came into effect on 21 August 2019.

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Like the GDPR, the PDP Act distinguishes between (ordinary) Personal Data and Special Categories of Personal Data. It is important to bear in mind that processing Special Categories of Personal Data is generally forbidden, unless otherwise prescribed by the PDP Act.

2.2 Data Controller and Processor Obligations

Like the GDPR, the PDP Act distinguishes between controller and processor. If a person determines the purposes for which data is processed and the means of processing, such a person is a data controller.

Under the PDP Act a data controller has the same obligations as under the GDPR. The main obligations of a Data Controller under the PDP Act are:

  1. Compliance with principles of personal data protection stipulated in the PDP Act;
  2. Implementation of appropriate technical and organizational security measures;
  3. Keeping records of processing activities in accordance with the PDP Act;
  4. Cooperation with data protection authorities;
  5. Notification of security breaches in accordance with the PDP Act;
  6. Compliance with the restrictions on transfers of personal data in accordance with the PDP Act;
  7. Appointment of a Data Protection Officer (“DPO”), where applicable;
  8. Appointment of a representative in Serbia where the controller is based outside Serbia but is subject to the PDP Act;
  9. Ensuring the extension of rights to data subjects in accordance with the PDP Act;
  10. Informing data subjects about processing in accordance with the PDP Act.

Under the PDP Act, a processor has the same obligations as under the GDPR.

2.3 Data subjects’ rights

Under the PDP Act, data subjects have the same rights as under the GDPR, i.e. Data Subjects have the following rights:

  • the right to be informed,
  • the right to access,
  • the right to rectification and supplement,
  • the right to erasure of personal data,
  • the right to restriction of processing,
  • the right to personal data portability, and
  • the right to object.

2.4 Protection granted

In order to comply with the obligations set forth in the PDP Act and to provide an appropriate level of security, both Controller and Processor have to implement appropriate technical, organizational, and human resources measures to ensure a level of security appropriate to the risk, which in particular include:

  • The pseudonymization and encryption of Personal Data;
  • The ability to ensure the permanent confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

This obligation is the same as the one stipulated in the GDPR.

2.5 Data protection officer/Representative

The requirements for appointing a Data Protection Officer (“DPO”) and a Representative of controllers and processors not established in Serbia (“Representative”) are similar to those set in the GDPR. However, whether a controller or processor should appoint the DPO and/or Representative depends on the circumstances of each specific situation. 

2.6 Remedies

The remedies in the PDP Act are the same as those in the GDPR. Namely, the PDP Act stipulates the following remedies:

  • The right to lodge a complaint with a supervisory authority (Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner”))
  • The right to an effective judicial remedy against a decision of the Commissioner
  • The right to an effective judicial remedy against a controller or processor

2.7 Fines

The PDP Act introduces penalties for legal entities, and for responsible persons within legal entities, that breach the provisions of the PDP Act.

However, the upper thresholds for monetary fines stipulated in the PDP Act are far lower than those in the GDPR.

The PDP Act imposes monetary fines for violations committed by a legal entity in the range between RSD 50,000 and RSD 2,000,000 (approx. EUR 450 to 16,000) and for the responsible person in a legal entity in the range between RSD 5,000 and RSD 150,000 (approx. EUR 40 to 1,200).

Besides monetary fines, the PDP Act imposes various non-monetary sanctions, e.g., the deletion of data collected without proper legal grounds.

Criminal liability:

The unauthorized collection of personal data is a felony under the Serbian Criminal Act. Therefore, a natural person who breaches the provisions of the PDP Act may be held criminally liable.

Others:

  • Reputational risk
  • Reimbursement of potential damages (material and non-material)

2.8 Other major differences

One way to provide appropriate safeguards, and thereby avoid the prior-approval procedure before the Commissioner, when transferring Personal Data to third countries is to incorporate the Serbian Standard Contractual Clauses adopted by the Commissioner (“Serbian SCC”) into the contract(s) between the controller and the processor. The Serbian SCC must be incorporated in their integral form and in their entirety.

3. The GDPR impact

3.1 On existing legislation and prospective rules

The PDP Act provisions represent a mixture of the GDPR and Directive (EU) 2016/680. Other regulations governing the processing of personal data in specific fields still need to be aligned with the PDP Act.

3.2 In practice

At this moment no new legislation has been announced and no changes to the current legislation are anticipated.

4. Conclusions/expectations/commentary

It is necessary to bear in mind that, although the PDP Act provisions represent a mixture of the GDPR and Directive (EU) 2016/680, compliance with the GDPR does not necessarily mean one is compliant with the PDP Act. Thus, it is necessary to review existing policies and data protection documents to check whether they comply with the obligations and requirements set by the PDP Act. Should you require any additional information or assistance in that regard, please feel free to contact us.

Jelena Đorđević
Belgrade