We hereby inform you that a new Law on Personal Data Protection is adopted, while full implementation will begin as of 21st August 2019. Exceptionally, the provision concerning the end of keeping the Central Register of Databases is applicable as of 21st November 2018, which provision already started discussions and different interpretations.

The nine-month period is given for the purpose of getting familiar and aligned with the provisions of the Law, all bearing in mind that these are long-awaited and comprehensive changes in the personal data protection legislation in Serbia, with the aim of harmonizing it with the EU regulations, that is, the General Data Protection Regulation (the “GDPR”), applicable as of May 2018.

Below we summarize the most important novelties:

  1. Territorial application – The Law applies to the processing of personal data carried out by the controller or processor with registered office or permanent or temporary residence on the territory of Serbia, within the activities carried out on the territory of Serbia, regardless of the processing being performed on the territory of Serbia or not. In addition, the Law applies to controllers and processors from abroad provided that they carry out the processing of data belonging to persons with permanent or temporary residence in Serbia, in two cases:
    • offering goods or services to a person to whom the data are related to on the territory of Serbia, regardless of the person being required to pay compensation for goods or services or not;

    • monitoring of activities of persons to whom the data are related to, provided that the activities are carried out on the territory of Serbia.

  2. Acquiring consent for processing of personal data – In context of practical problems that accompanied obtaining of consent for personal data processing under the current legal regulation, the new Law offers a completely different definition of consent that is exempt from mandatory written form, whereby the legislator finally catches up with the trends of the modern digital world.

    New technologies carry higher risks of data misuse, so despite the abolition of mandatory written form, in the context of content, the consent to processing must meet significantly higher requirements. Consent must be voluntary, determined, informative and unambiguous, and a will of a person expressed in form of a statement or a clear affirmative action.

    Other than the consent, other legal grounds for data processing are envisaged, such as execution of the contract, compliance with the legal obligations of the controller, exercising the legitimate interests of the controller, etc .

  3. Informing persons on their rights – The new Law significantly broadens the rights of the persons to whom the data are related to. Controllers are obliged, in particular, to take the persons rights to be informed on data processing into the account, transparency of data processing and informing the persons on their rights,. A novelty is certainly the right to data portability. A person to whom the data are related to is entitled to get his/her personal data, which he/she had previously supplied the controller with, in a structured, commonly used and digitally readable form, and has the right to transfer these information to another controller without interference by the controller to whom the data were given, as long as the processing is automatized and based on a consent or execution of the contract.

    In addition, the right to correction, amendment, and especially the deletion of personal data from the controller’s records is regulated in more detail.

    Data protection officer – Controller and processor of personal data, in any case, have the possibility to appoint the data protection officer, bearing in mind that in some cases this is an obligation.

    If the controller or the processor operates within groups of companies, then they can designate a joint data protection officer, provided that this person is equally accessible to each member of the group.

    A data protection officer may be employed with the controller or processor or may perform the work on the basis of a contract.

  4. Transferring personal data to other countries and international organizations – The transfer of personal data is largely liberalized according to the new Law, similar to the GDPR.
  5. Informing the Commissioner on personal data breach – The controller is obliged to notify the Commissioner about a data breach which can produce a risk to rights and freedoms of natural persons without any undue delay or, if possible, within 72 hours from becoming aware of the breach.
  6. Legal remedies, liability and sanctions – Persons have the right to a direct remedy – a complaint to the Commissioner if they consider that the processing of their data is not carried out in accordance with the provisions of the Law, which is not the case to this moment. The maximum sanction that can be imposed to the controller for the misdemeanor under this Law is 2 million dinars.
  7. End of keeping the Central Registry and the obligation to register a database before the Commissioner – The provision concerning the end of keeping the Central Register of databases with the Commissioner, the only provision of the new law applicable as of 21st November 2018 has caused a lot of confusion in the academic community due to obvious conflict with the provisions of the previous law regulating the Central Register of databases. Although the keeping of the Central Registry is no longer envisaged, in our opinion, the obligation to report the databases and register the databases to the Commissioner is not abolished by entry into force of this provision, but is technically -formally modified, and the reason for concern due to vague interpretation and reach can lead to problems or arbitrariness in the case of misdemeanor liability. The obligation to evidence and register before the Commissioner will become history upon the start of application of the new Law in August 2019. From that moment on, the responsibility to keep records of databases is transferred from the Commissioner to the controllers, which should enable the Commissioner to better control the application of the law.

This summary represents an overview of the most important changes and solutions (or problems) intruduced by the new Law on Personal Data Protection.

We remain at your disposal for all questions and clarifications, as well as for assisting you in harmonizing your business with the obligations set forth under the new law.