Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Serbia - Data Protection Overview
Back

Serbia - Data Protection Overview

September 2024

1. Governing Texts

The main piece of legislation regulating personal data protection in the Republic of Serbia is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018 (only available in Serbian here) (the Law).

1.1. Key acts, regulations, directives, bills

In November 2017, the Ministry of Justice (MoJ) published the draft of the Law (the Draft). The public debate on the Draft ran from December 1, 2017, to January 15, 2018, and certain proposals by the industry were accepted and implemented in the Draft. The Draft contained, with the exception of certain provisions stemming from the fact that Serbia is not a member of the EU, almost identical solutions as the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). Commissioner for Information of Public Importance and Personal Data Protection (the Poverenik) is the main supervisor of the Law.

On November 9, 2018, the National Assembly of the Republic of Serbia (the National Assembly) adopted the Law. The Law entered into force on November 21, 2018, but its application started nine months from the date of its entry into force, i.e. on August 21, 2019. During this period, certain relevant by-laws have been adopted, as mentioned below.

Serbian data protection legislation includes the following by-laws:

  • Rulebook on the Manner of Prior Review of Personal Data Processing (Official Gazette of the Republic of Serbia No. 35/2009) (only available in Serbian here), which governs the procedure for notifying and approval by the relevant authority of intended personal data processing;
  • Decree on the Form for and Manner of Keeping Records of Personal Data Processing (Official Gazette of the Republic of Serbia No. 50/2009) (only available in Serbian here), which regulates the form for keeping records of data, personal data processing, and the manner of keeping records of personal data processing;
  • Rulebook on the Form and Manner of Keeping Record of the Data Protection Officer ('DPO') (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian here), which defines the form and manner of keeping record of the DPOs;
  • Rulebook on the Form and Manner of Keeping Internal Record of Violations of the Law on Personal Data Protection and Measures Undertaken in the Course of Inspection Supervision (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian here) which prescribes the form and manner of keeping internal records of violation of the law and measures undertaken in the course of inspection supervision;
  • Rulebook on the Form of Notification on Personal Data Breach and Manner of Notifying the Commissioner for Information of Public Importance and Protection of Personal Data on Personal Data Breach (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian here), which sets out the notification form on personal data breaches and the manner of informing the Poverenik on personal data breaches;
  • Rulebook on the Complaint Form (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian here), which defines the complaint form that a natural person can submit to the Poverenik if they consider that the processing of their personal data has been carried out contrary to the provisions of the Law;
  • Decision on the List of Types of Personal Data Processing Operations for Which an Assessment of the Impact on the Personal Data Protection Must be Performed and the Opinion of the Commissioner for Information of Public Importance and Personal Data Protection Must be Sought (Official Gazette of the Republic of Serbia, No. 45/2019, 112/2020) (only available in Serbian here), which establishes a list of personal data processing operations for which the data controller, before commencing processing, must perform an impact assessment and must seek the Commissioner's opinion;
  • Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered That an Adequate Level of Protection of Personal Data is Ensured (Official Gazette of the Republic of Serbia, No. 55/2019) (only available in Serbian here), which determines the list of countries where it is considered that an adequate level of protection of personal data is ensured;
  • Decision on Determining Standard Contractual Clauses (Official Gazette of the Republic of Serbia, No. 5/2020) (only available in Serbian here), which determines the Standard Contractual Clauses (SCCs) in the contractual relation between a controller and processor (the SCC Decision); and
  • Rulebook on the Form of Identification Card of the Authorised Person for Performing Inspection Supervision in accordance with the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 61/2019) (only available in Serbian here), which closely regulates the form of identification card of the authorized person for performing inspection supervision.

1.2. Guidelines

The Poverenik has issued several guidelines, mostly in the form of questions and answers, including:

  • Personal Data Protection: Guidelines issued in 2019, concerning video surveillance, processing of sensitive data, and other specific matters regulated in the Law (only available in Serbian here);
  • Most frequent questions concerning DPO, issued in 2019 (only available in Serbian here);
  • Personal Data Protection: Guidelines issued in 2020, presenting a review of legal framework in force concerning data protection (only available in Serbian here);
  • Personal Data Protection: Guidelines issued in 2021, concerning the application of the Law and the practice of the Poverenik (only available in Serbian here);
  • Personal Data Protection: Guidelines issued in 2022, concerning the application of the Law and the practice of the Poverenik (only available in Serbian here);
  • Personal Data Protection: Guidelines issued in 2023, concerning the application of the Law and the practice of the Poverenik (only available in Serbian here);
  • Personal Data Protection: Guidelines issued in 2024, concerning the application of the Law and the practice of the Poverenik (only available in Serbian here); and
  • Serbia DPIA Blacklist (only available in Serbian here) (Serbia Blacklist).

1.3. Case law

Although case law is not a source of law in Serbia (since current legislative solutions applicable in Serbia lack clear rules governing important issues such as video surveillance), prior decisions of the former Poverenik can be important.

For example, in certain situations, tacit acts of data subjects, after having been provided with the information on data collection and processing, may be considered as consent to such data collection and processing. These 'exemptions' were established through the former Poverenik's practice, and examples have included:

  • premises which are under video surveillance: data subjects are considered to have given their consent by walking into the premises after reading the clearly visible label or sign stating that the premises are under video surveillance; and
  • recorded telephone calls: if data subjects continue with the call after hearing the warning that the call is being recorded, it is considered that they have given consent to such data collection and processing.

2. Scope of Application

2.1. Personal scope

The Law applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Furthermore, the Law applies to the processing of personal data performed by a controller or a processor who has its business seat/place of residence in the territory of the Republic of Serbia, within the framework of activities performed in the territory of the Republic of Serbia, regardless of whether the processing takes place in the territory of the Republic of Serbia.

2.2. Territorial scope

The Law also applies to the processing of personal data of data subjects with residence in the territory of the Republic of Serbia by a controller or processor who does not have its business seat/place of residence in the territory of the Republic of Serbia, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the territory of the Republic of Serbia; and
  • the monitoring of data subject's behavior as far as their behavior takes place within the territory of the Republic of Serbia.

2.3. Material scope

The factor which differentiates the data to which the Law applies and to which it does not is the possibility of identifying a person from whom or in relation to whom such data was collected. This means that data, such as name, telephone number, address, identification number, email, or any other data, through which the relevant natural person (i.e. data subject) could be identified, would be considered as personal data and it would fall under the mandatory protection of the Law. On the other hand, data which does not identify a person represents data to which the Law does not apply. In addition, the Law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Poverenik is the main supervisor of the Law, whilst the National Assembly acts as a lawmaker, and the MoJ acts as the competent ministry for respective law initiatives.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the Poverenik, as the most important state body in this field are as follows.

The Poverenik:

  • supervises and ensures the implementation of the Law in accordance with its powers;
  • takes care of raising public awareness of risks, rules, safeguards, and rights related to processing, especially if it concerns processing data of a minor;
  • gives opinions to the National Assembly, the Government of Serbia (the Government), and other authorities and organizations, in accordance with the Law, on legal and other measures related to the protection of the rights and freedoms of natural persons in connection with processing;
  • takes care of the controller's awareness and process in connection with its mandatory regulations on the Law;
  • at the request of the data subjects, provide information on their rights prescribed by the Law;
  • acts on complaints of persons to whom the data relates, determines whether there has been a violation of the Law, and informs the submitter on the rules on the course and the results of the proceedings being conducted;
  • cooperates with the supervisory authorities of other countries with regard to personal data protection, in particular by sharing various information and engaging in mutual legal assistance;
  • carries out inspection supervision on the application of the Law, in accordance with the Law and the corresponding law introducing inspection supervision, and submits a request for initiating misdemeanor proceedings if it is determined that it could violate the Law, in accordance with the law that regulates misdemeanors;
  • monitors the development of information and communication technologies, as well as business and other practices relevant to the protection of personal data;
  • drafts and approves SCCs;
  • prepares and publishes lists under Article 54(5) of the Law;
  • gives a written opinion from Article 55(4) of the Law;
  • keeps records of persons for the protection of personal data;
  • encourages the development of codes of conduct and gives opinions and approval to the codes of conduct;
  • performs tasks in accordance with Article 60 of the Law;
  • encourages the issuance of a certificate for the protection of personal data and the corresponding trademarks and labels, and sets out the criteria for certification;
  • conducts periodic reviewing of certificates;
  • prescribes and publishes criteria for accreditation of the certification body;
  • approves the provisions of a contract or agreement;
  • approves binding corporate rules;
  • keeps internal records of violations of the Law and takes measures proclaimed in the performed inspection supervision; and
  • performs other tasks in accordance with the Law.

The Poverenik is authorized to:

  • instruct the controller and processor, and where appropriate, their representatives, to provide all the information it requires while exercising its authority;
  • check and evaluate the implementation of the provisions of the Law and otherwise supervise the protection of personal data by using inspection powers;
  • check the fulfillment of the requirements for certification;
  • register and publish the code of conduct, to which it has previously given its consent;
  • inform the controller or processor about possible violations of this law;
  • request and obtain access from the controller and processor to all personal data, as well as information necessary for the exercise of its authority; and
  • request and obtain access to all premises of controllers and processors, including access to all facilities and equipment.

The Poverenik is authorized to take the following corrective measures:

  • to warn the controller and the processor by submitting a written opinion that the intended processing operations may violate the provisions of the Law;
  • to issue a warning to the controller or processor if the processing violates the provisions of the Law;
  • to order the controller and the processor to act upon the request of the data subject in connection with the exercise of their rights, in accordance with the Law;
  • to order the controller and the processor to harmonize the processing operations with the provisions of this Law, in a specific manner and within a specified time;
  • to instruct the controller to inform the person to whom the personal data refers about the violation of their personal data;
  • to impose a temporary or permanent restriction on processing operation, including a prohibition on processing;
  • to order the correction or deletion of personal data or restrict the performance of the processing operation, and order the controller to inform the other controller, the data subject, and the recipients to whom the personal data have been disclosed or transferred;
  • to revoke the certificate or to order the certification body to revoke the certificate, as well as to order the certification body to refuse to issue the certificate if the conditions for its issuance are not fulfilled;
  • to impose a fine on the basis of a misdemeanour warrant if during inspection a person establishes that there was a breach for which this law prescribes a fine in a fixed amount, instead of other measures, depending on the circumstances of the particular case; and
  • to suspend the transfer of personal data to a recipient in another country or international organization.

The Poverenik is obliged to prepare an annual report on its activities, which contains information on the types of violations of the Law and the measures taken in connection with those violations, as well as to submit it to the National Assembly. This report must be submitted to the Government and made available to the general public in an appropriate manner.

4. Key Definitions

Data controller: A natural or legal person, public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by the law, the controller or the specific criteria for its nomination may be provided for by the Law.

Data processor: Any natural or legal person, i.e. public authority which processes personal data on behalf of the controller. 

Personal data: Any information relating to a natural person whose identity is determined or identifiable, directly or indirectly, in particular by reference to an identifier such as a name and identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive data: Any personal data that contains information relating to a data subject's race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Health data: Data on the physical or mental health of a natural person, including those on the provision of health services, which disclose information on the natural person's health condition.

Biometric data: Personal data obtained by special technical processing related to physical characteristics, physiological characteristics, or behavioral characteristics of a natural person, which enables or confirms the unique identification of that person, such as a picture of their face or dactyloscopic data.

Pseudonymization: Processing in a way that prevents the attribution of personal data to a particular person without the use of additional data, provided that such additional data is stored separately and that technical, organizational, and personnel measures are taken to ensure that personal data cannot be attributed to a particular or identifiable person.

Data subject: The natural person whose personal data is processed. A natural person in the context of the Law is a person whose personal data is processed, whose identity is determined or determinable, directly or indirectly, in particular by reference to an identifier such as a name and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processing: The definition of data processing is very broad and means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

5. Legal Bases

5.1. Consent

Data processing may be carried out when the data subject provides prior consent to such processing. Consent is defined as any freely given, specific, informed, and unambiguous indication of the data subject's will by which they, by a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them.

5.2. Contract with the data subject

Data processing may be carried out when necessary for execution of a contract concluded with the data subject or for taking actions, per request of the data subject, before the contract is concluded.

5.3. Legal obligations

Data processing may be carried out when necessary in order for the controller to comply with its legal obligations.

5.4. Interests of the data subject

Data processing may be carried out when necessary in order to protect the vital interests of the data subject or other natural persons.

5.5. Public interest

Data processing may be carried out when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

5.6. Legitimate interests of the data controller

Data processing may be carried out when necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, and in particular when the data subject is a child.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Law prescribes that personal data must be:

  • processed lawfully, fairly, and in a transparent manner in relation to the data subject (i.e. lawfulness, fairness, and transparency);
  • collected for purposes that are specified, explicit, justified, and legal and cannot be processed in a manner that is not compliant to such purposes (i.e. purpose limitation);
  • adequate, relevant, and limited to what is necessary in relation to the purpose of processing (i.e. data minimization);
  • accurate and, when necessary, kept up to date. Taking into consideration the purpose of processing, every reasonable step must be taken to ensure that personal data that are inaccurate, are erased or rectified without delay (i.e. accuracy);
  • kept in a form that allows identification of data subject only for the time period that is necessary for the fulfilment of the purpose of processing (i.e. storage limitation); and
  • processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage, using appropriate technical or organizational measures (i.e. integrity and confidentiality).

7. Controller and Processor Obligations

Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller must implement appropriate technical, organizational, and personnel measures to ensure and to be able to demonstrate that processing is performed in accordance with the Law.

Where the processing is to be carried out on behalf of a controller, the controller must use only processors providing sufficient guarantees to implement appropriate technical, organizational, and personnel measures in such a manner that processing will meet the requirements of the Law and ensure the protection of the rights of the data subject.

7.1. Data processing notification

The obligation of notification has been abolished under the Law in the sense that the online registry maintained by the Poverenik has ceased to exist (Article 98 of the Law).

7.2. Data transfers

There are two relevant grounds for exceptions based on which personal data may be transferred to third countries without the approval of the Poverenik: an adequate level of protection or adequate or appropriate safeguards.

A transfer of personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country or to an international organization, without prior approval, may be performed if it is determined that such other country, part of its territory or one or more than one sector of specific activities in that country or that international organization provides an adequate level of protection of personal data. It is considered that the appropriate level of protection is provided in countries and international organizations that are members of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108), i.e. in countries, parts of their territories or in one or more sectors of certain activities in those countries or international organizations for which the EU established that they provide an adequate level of protection.

In this respect, the Government has adopted a Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered that an Adequate Level of Protection of Personal Data is Ensured (only available in Serbian here).

In addition, an adequate level of protection is deemed to have been provided if an international agreement on the transfer of personal data has been concluded with another country or international organization.

Appropriate safeguards include SCCs as a result of the SCC Decision, as well as Binding Corporate Rules (BCRs), an approved code of conduct, or an issued certificate. If a transfer of personal data is planned to a country that is not on the list of countries providing an adequate level of protection, the transfer can only be carried out with the special consent of the Poverenik.

Outsourcing companies need to further strengthen security and privacy and align their practices with the Law. Outsourcing services providers play the role of the data processors and the companies that outsource are the data controllers. The relationship between controller and processor is described under the section on controller and processor obligations above.

7.3. Data processing records

The controller (and its representative, if determined) is obliged to maintain records of processing activities under its responsibility, which contain the following information:

  • the name and contact details of the controller, the joint controllers, the controller's representative, and the DPO, if they exist, i.e. if they are appointed;
  • the purpose of processing;
  • categories of data subjects and categories of personal data;
  • categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • transfers of personal data to a third country or an international organization, including the identification of that third country or international organization, as well as the documents concerning the implementation of security measures, when applicable; and
  • general description of prescribed security measures.

The processor (and its representative, when appointed) is obliged to maintain records of all categories of processing activities carried out on behalf of a controller, containing the following information:

  • the name and contact details of each processor and of each controller on behalf of which the processor is acting, i.e. the DPO, if they are appointed;
  • categories of processing carried out on behalf of the controller;
  • transfers of personal data to a third country or an international organization provided that the controller explicitly requests it, including the identification of that third country or international organization, if such transfer of personal data is carried out; and
  • general description of prescribed security measures, if possible.

7.4. Data protection impact assessment

When it is likely that a certain type of processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, will result in a high risk to the rights and freedoms of natural persons, the controller is obliged to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, prior to the processing (Article 54 of the Law).

The controller is obliged to seek advice from the DPO if one is appointed.

A DPIA is mandatory in the following cases under the Serbia Blacklist:

  • a systematic and extensive evaluation of state and personal aspects of natural persons which is performed through automated processing, including profiling, based on which the decisions that produce legal effects for the natural person or in a similar manner significantly affect the natural person are made;
  • processing of prescribed special categories of data or personal data relating to criminal convictions and offenses, on a large scale;
  • systematic monitoring of a publicly accessible area on a large scale;
  • processing children's data for the purpose of profiling, automated decision-making, or marketing;
  • use of new technologies, or technological solutions to process data for analysis or predicting economic situation, health, behavior, location, or movement of individuals;
  • processing personal information in a way that involves location or behavior tracking in the case of systematic processing of communication data generated using a telephone, the internet, or other means of communication;
  • processing biometric data to uniquely identify employees, and in other cases of processing employee data using apps or systems to monitor their work, movement, communication, and so on;
  • processing personal data by matching and combining data from multiple sources; or
  • processing special categories of data for profiling or automated decision-making.

The DPIA must contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • a description of measures envisaged to address the risks, including safeguards, as well as technical, organizational, and personnel measures to ensure the protection of personal data and to demonstrate compliance with the Law, taking into account the rights and legitimate interests of data subjects and other persons; and
  • the contact details of the DPO.

The Poverenik has not issued a list of activities that do not require a DPIA ('Whitelist'), however, it may issue a Whitelist in the future (Article 54 of the Law).

Notably, a fine of RSD 50,000 to RSD 2,000,000 (approx. $450 to $18,000) must be imposed on the data controller or processor, if it fails to perform a DPIA as provided for in Article 54 of the Law (Article 95(26) of the Law).

Prior consultation

If the DPIA indicates that the intended processing activities will produce a high risk if no mitigation measures are going to be adopted, the controller is obliged to request the opinion of the Poverenik prior to the commencement of the processing activities (Article 55 of the Law). In this regard, the Poverenik may compile and publish on its website a list of the types of processing activities for which the Poverenik's opinion must be sought (Article 55 of the Law).

When requesting the opinion of the Poverenik, the data controller must provide the Poverenik with the following information (Article 55 of the Law):

  • the duties of the data controller and, if applicable, of the joint controllers and processors involved in the processing, especially if the processing is carried out within a group of undertakings;
  • the purposes and methods of the intended processing;
  • the technical, organizational, and personnel measures, as well as the mechanisms for the protection of the rights and freedoms of persons to whom the data relate in accordance with the Law;
  • the contact details of the data protection officer, if they are appointed;
  • the DPIA carried out in accordance with Article 54 of the Law; and
  • any other information requested by the Poverenik.

If the Poverenik maintains that the intended processing may violate the provisions of the Law, and especially if the controller has not adequately assessed or reduced the risk, the Poverenik must submit a written opinion to the controller/processor within 60 days from the date of receipt of the request, and, if necessary, may use the powers provided by Article 79 of the Law (Article 55 of the Law).

The 60 days deadline provided by Article 55 of the Law may be extended by 45 days, taking into account the complexity of the intended processing, and the Poverenik must inform the controller/processor of the delay and of the reasons for the same within 30 days from the receipt of the request for the opinion (Article 55(5) of the Law).

7.5. Data protection officer appointment

The controller and the processor are obliged to designate a DPO where (Article 56(2) of the Law):

  • the processing is carried out by a public authority or body;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.

With regard to the DPO's required qualifications, they shall be designated on the basis of professional qualities and, in particular, expert knowledge and experience of data protection law and practices and the ability to fulfill the relevant tasks. The DPO may be employed by the controller or processor, or fulfill the tasks on the basis of a contract.

Additionally, the controller/processor must publish the contact details of the DPO and submit them to the Poverenik (Article 56(10) of the Law).

Support for the DPO

The controller/processor is obliged to provide the DPO with the necessary means for the fulfillment of their obligations in accordance with Article 58 of the Law and access to personal data and processing activities, as well as their professional development (Article 57(2) of the Law).

The controller/processor shall ensure the independence of the DPO in the performance of their obligations (Article 57(3) of the Law).

Accessibility

A group of business organizations may designate a joint DPO, provided that they are equally accessible to each member of the group (Article 56(5) of the Law).

The data subjects may contact the DPO for any issue relating to the processing of their personal data, as well as in relation to the exercise of their rights under the Law (Article 57(6) of the Law). In this regard, the information notice to the data subject, either if the data is collected from them or from other parties, shall contain the contact details of the DPO, if one is appointed (Articles 23(1)(2) and 24(1)(2) of the Law).

The DPO can also be contacted by the data subjects in relation to all matters concerning the processing of their personal data and the exercise of their rights under the Law (Article 57(6) of the Law).

Role

The DPO has to be involved by the controller/processor in all matters related to the protection of personal data (Article 57(1) of the Law).

More specifically, the DPO has the obligation to (Article 58(1) of the Law):

  • inform and give opinions to the controller and the processor, as well as to employees who carry out processing of their obligations regarding the protection of personal data;
  • monitor the application of the provisions of the Law, other laws, and internal regulations of the controller/processor related to the protection of personal data, including issues relating to shared responsibilities, and training and awareness-raising of employees taking part in processing activities;
  • give their opinion, when requested, on the DPIA and monitor the procedure of the same, in accordance with Article 54 of the Law; and
  • cooperate with the Poverenik, represent a contact point with the same, and advise the same on issues related to the processing activities, including the notification and the opinion referred to in Article 55 of the Law.

In the exercise of their obligations, the DPO shall pay particular attention to the risks related to the processing activity, taking into account the nature, the scope, the circumstances, and the purpose of the processing (Article 58(5) of the Law).

The DPO may perform other duties, whether the controller/processor ensures that the performance of other duties and obligations does not lead the DPO in a conflict of interest position (Article 57(8) of the Law).

The DPO is directly responsible to the controller/processor for the fulfillment of their obligations under Article 58 of the Law (Article 57(5) of the Law).

Penalties

Notably, a fine from RSD 50,000 (approx. $450) to RSD 2 million (approx. $18,000) shall be imposed on the controller/processor if:

  • they fail to appoint the DPO in those cases referred to in Article 56(2) of the Law (Article 95(1)(28) of the Law); or
  • they fail to fulfill their obligations towards the DPO referred to in Article 57(1), (2), and (3) of the Law (Article 95(1)(29) of the Law).

7.6. Data breach notification

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Poverenik, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the Poverenik is not made within 72 hours, it shall be accompanied by an explanation of the reasons for such delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification shall at least:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the personal data breach to the data subject without undue delay.

The notification to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in the second, third, and fourth bullet points.

The notification to the data subject shall not be required if any of the following conditions are met:

  • the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize, or
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

7.7. Data retention

One of the basic principles of the Law is storage limitation. Personal data has to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

There are no specific retention periods (i.e. specific time limits) for different types of personal data set under the Law. In addition, the Law prescribes that where personal data relating to a data subject is collected from the data subject, the controller shall, at the time when personal data is obtained, provide the data subject with all relevant information, inter alia, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

7.8. Children's data

The Law only prescribes that a minor, who is at least 15 years old, may independently give consent for processing their personal data in relation to information society services. If the minor is below 15 years of age, the consent must be given by the parent holding the parental responsibility, i.e. other legal guardian of the minor. The controller must take reasonable measures to verify whether the consent was given by the parent (i.e. other legal guardian), taking into consideration available technology.

7.9. Special categories of personal data

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation is prohibited.

The prohibition does not apply when:

  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except when it is prescribed that the consent is not a legal basis for such processing;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, if such processing is prescribed by law or collective agreement that prescribes the application of appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect the vital interests of the data subject or of another natural person if the data subject is physically or legally incapable of giving consent;
  • processing is carried out within the registered business activity and with the implementation of appropriate safeguards by a foundation, association any other not-for-profit body with a political, philosophical, religious, or trade union aim and provided that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest envisaged by law, if such processing is proportionate to the aim pursued, respecting the essence of the right to data protection and provided that the implementation of suitable and specific measures to safeguard the fundamental rights and the interests of the data subject is ensured;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, and the provision of health or social protection services, i.e. the management of health or social care systems and services in accordance with laws or pursuant to a contract with a health professional, if the processing is done by or under the surveillance of health professional or other person subject to the duty to keep the professional secret prescribed by law or professional rulebook;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of a law that ensures appropriate and specific measures to safeguard the fundamental rights and the interests of the data subject, particularly when it comes to professional secrecy; or
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with the Law, if such processing is proportionate to the aim pursued, respecting the essence of the right to data protection and provided that the implementation of suitable and specific measures to safeguard the fundamental rights and the interests of the data subject is ensured.

Processing of personal data relating to criminal convictions, offenses, and security measures may be carried out based on the legal basis prescribed by the Law (listed in the section on legal bases), only under the surveillance of the relevant authority or, if processing is permitted by law, using the appropriate specific measures for the protection of rights and freedoms of data subjects. Any comprehensive register of criminal convictions must be kept only under the control of official authority.

7.10. Controller and processor contracts

Processing by a processor shall be governed by a contract or other legally binding act, that is concluded, i.e. adopted in writing, including electronic form, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

The contract or other legally binding act must stipulate, in particular, that the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by the Law. In such a case, the processor is obliged to inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensures that the natural person authorized to process the personal data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality;
  • takes all measures required pursuant to the security of processing under Article 50 of the Law;
  • respects the conditions for engaging another processor;
  • taking into account the nature of the processing, assists the controller by appropriate technical, organizational, and personnel measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights laid down by the Law;
  • assists the controller in ensuring compliance with the obligations pursuant to Articles 50 and 52 to 55 of the Law taking into account the nature of processing and the information available to the processor;
  • based on the controller's decision, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless the law requires storage of the personal data; and
  • makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

8. Data Subject Rights

The controller shall facilitate the exercise of data subject rights. In certain cases, the controller shall not refuse to act on the request of the data subject for exercising their rights, unless the data controller demonstrates that it is not in a position to identify the data subject. The controller shall provide information on action taken on a request of the data subject without undue delay and in any event within 30 days of receipt of the request.

8.1. Right to be informed

The controller is obliged to take appropriate measures to provide the data subjects and prescribed information, i.e. information concerning the exercise of rights, in concise, transparent, intelligible, and easily accessible form, using clear and plain language in particular if the information is intended for a minor. The information is provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is indisputably proven by other means.

The data subject has the right to request from the controller the information whether their personal data is processed or not, access to that data, as well as the following information:

  • the purposes of the processing;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority (the Poverenik);
  • any available information as to their source when the personal data are not collected from the data subject; and
  • the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data is transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The data subject has the right to request from the controller access to personal data. 

8.3. Right to rectification

The data subject has the right to have their inaccurate personal data rectified without undue delay. Depending on the purpose of processing, the data subject has the right to have their incomplete data completed, which includes providing a supplementary statement.

8.4. Right to erasure

The data subject has the right to have their personal data deleted by the controller in the following cases:

  • the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation; or
  • the personal data have been collected in relation to the offer of information society services.

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

8.5. Right to object/opt-out

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them,  including profiling. The controller can no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. When personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. In addition, when personal data are processed for scientific or historical research purposes or statistical purposes the data subject, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.6. Right to data portability

The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that:

  • the processing is based on consent or on a contract; and
  • the processing is carried out by automated means.

The data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

8.7. Right not to be subject to automated decision-making

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if such a decision produces legal effects concerning the data subject or in a similar manner significantly affects the data subject.

This right does not apply if the decision:

  • is necessary for entering into, or performing of, a contract between the data subject and a data controller;
  • is based on a law, if that law prescribes appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  • is based on the data subject's explicit consent.

8.8. Other rights

The right to restriction of processing

The data subject has the right to request from the controller restriction of processing, in the following cases:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; and 
  • the data subject has objected to processing and the verification of whether the legitimate grounds of the controller override those of the data subject is pending.

When processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

The right to lodge a complaint before the Poverenik

The data subject has the right to lodge a complaint before the Poverenik if they believe that the processing of their personal data was performed contrary to the Law. Lodging a complaint before the Poverenik does not affect the data subject's right to initiate other administrative or judicial proceedings.

The Poverenik is obliged to keep the data subject informed concerning the status of the proceedings.

9. Penalties

The Poverenik may impose a fine on the basis of a misdemeanor order if, during the inspection supervision, it was established that a misdemeanor for which a fine was prescribed by this law has occurred. The fine imposed may not, in any case, exceed the maximum amounts that can be imposed on the controller or processor for a misdemeanor under the Law, i.e. up to approx. $18,000.

9.1 Enforcement decisions

There have been no notable enforcement decisions yet.