Data Law Navigator | Serbia

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last reviewed April 2020

Risk scale

Risk Scale Orange


Law on Personal Data Protection (“RS Official Gazette”, No. 87/2018) (“PDP Law”)


Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”)

Anticipated changes to law


If applicable: stage of legislative implementation of GDPR 

The law closely follows the EU’s General Data Protection Regulation (GDPR); however, Serbia has no obligation to implement or comply with the GDPR since it is not an EU member state.


The PDP Law applies to data controllers and processors with a registered seat or permanent or temporary residence in the territory of Serbia. It also applies to the Processing of Personal Data of Data Subjects who have a permanent or temporary residence in the territory of Serbia by a Controller or Processor that does not have a registered seat, i.e. permanent or temporary residence, in Serbia, if the Processing activities are related to: (a) the offering of goods or services to the Data Subject in the territory of Serbia, irrespective of whether a payment of the Data Subject is required for such goods/services; (b) the monitoring.


The PDP Law introduces penalties for legal entities and for responsible persons in legal entities that act contrary to the provisions of the PDP Law.

It imposes monetary fines on the legal entity for violations in the range between RSD 50,000 and RSD 2,000,000 (approx. EUR 450 to 16,000) and on the responsible person in the legal entity in the range between RSD 5,000 and 150,000 (approx. EUR 40 to 1,200).

A legal entity may also be fined up to 10% of the undertaking’s income realized in Serbia in the previous year for failing to apply, or infringing, the data protection authority’s order limiting processing or suspending data flows.

Furthermore, it is important to note that the Serbian Criminal Act prescribes the unauthorized collection of personal data as a felony. Therefore, it cannot be excluded that a natural person who acts contrary to the provisions of the PDP Law would be exposed to potential criminal liability.

Registration / notification 


Main obligations and processing requirements

  • Maintaining the records of processing activities
  • Implementation of appropriate technical, organizational and human resources measures
  • Cooperation with Commissioner
  • Information requirement
  • Appropriate legal grounds for processing
  • Comply with the restrictions on transfers of personal data
  • Appoint a Data Protection Officer, where applicable
  • Notify personal data breaches to Data Subject and Commissioner, in accordance with PDP Law
  • Conducting Data Protection Impact Assessment, where applicable
  • Enabling the exercise of Data Subject’s rights in accordance with PDP Law

Data subject rights

A data subject has the following rights:

  • right to be informed, 
  • right to access, 
  • right to rectification and supplement, 
  • right to erasure of personal data, 
  • right to restriction of processing, 
  • right to personal data portability, and
  • right to object

Processing by third parties

Where the processor engages another sub-processor, the same data protection obligations as set out in the PDP Law or the Data Protection Agreement signed between the controller and the processor are imposed on that sub-processor by way of an agreement or other legal act signed between the processor and the sub-processor, in particular providing sufficient guarantees to implement appropriate technical, organisational and human resources measures in such a manner that the Processing will meet the requirements of the PDP Law. Where the sub-processor fails to fulfil its personal data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub-processor’s obligations.

Transfers out of country

Data transfer to countries not specified in the PDP Law or on the “white list” is allowed only if the controller/processor has ensured appropriate safeguards prescribed by the PDP Law, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The following are considered to be appropriate safeguards under the PDP Law:

  • A legally binding and enforceable instrument between public authorities or bodies;
  • Standard Data Protection clauses adopted by the Commissioner which regulate the legal relationship of the Controller and the Processor;
  • Binding corporate rules approved by the Commissioner; 
  • An approved code of conduct with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards, or an approved certification mechanism.

Data Protection Officer

Controllers and processors are required to designate a data protection officer (“DPO”) if: (a) the processing is carried out by a public authority, (b) the core activities of the controller/processor require the regular and systematic monitoring of data subjects on a large scale, or the large scale processing of special categories of personal data – e.g. health data or trade union memberships, or criminal convictions/offences data.


Data controllers and data processors shall take all necessary technical, human resources and organizational measures to protect data in accordance with the established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse, as well as to provide for an obligation of keeping data confidentiality for all persons who work on data processing.

Breach notification

Yes, if the data breach may create a high risk to the rights and freedoms of a natural person.

Direct marketing

The prior informed consent of a data subject (a natural person) is required in case of direct marketing (via mail, e-mail, phone, etc.). The data subject must be able to withdraw the consent at any time. If the data subject no longer wants to receive advertising messages, the advertiser must stop the direct marketing.

These rules do not apply to natural persons who perform business activity in relation to such business activity.


Not regulated, so general personal data protection rules apply.


Cyber Security

Last reviewed April 2020

Risk scale

Risk Scale Orange

Laws and regulations

  • The Law on Information Security (“Official Gazette of RS”, Nos. 6/2016, 94/2017 and 77/2019) (“Law”)


The Law specifies measures for the protection from security risks in information and communications systems, the liability of legal entities during management and use of information and communications systems, and designates competent authorities responsible for the execution of protection measures, coordination between protection factors and monitoring of the proper application of the prescribed protection measures, software and software development tools.


Regulatory Agency for Electronic Communications and Postal Services (RATEL)

Key obligations

  • Adopting an internal by-law on security of information and communication system and implementing security measures
  • Need to appoint a person or organisational unit for security supervision of information and communication system
  • Need to provide a report on internal control of information and communication system
  • Mandatory reporting of incidents related to information and communication system


Fine of up to RSD 2,000,000 (approx. EUR 16,800) for a legal entity and up to RSD 50,000 (approx. EUR 400) for the responsible person in the legal entity

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. Tasks of the national CERT are assigned to the Regulatory Agency for Electronic Communications and Postal Services (RATEL).

Is there a national incident management structure for responding to cybersecurity incidents?

The Serbian Government established a body for coordination of work on information security and adopted a Decree on procedure of Notifying on Incidents relating to Information and Communication System of Particular Importance.


Ksenija Ivetić-Marlović
Jelena Đorđević
Mina Radonjic