Serbia: Overview of Vendor Privacy Contracts
1. Governing Texts
- Law on Protection of Personal Data 2018 (Official Gazette of the Republic of Serbia, No. 87/2018) (only available in Serbian) ('the Law')
1.2. Regulatory authority guidance
The Commissioner for Information of Public Importance and Personal Data Protection ('Poverenik') has not issued any guidance.
1.3. Regulatory authority templates
No further information.
2. Definitions
Data controller: A natural or legal person, or a public authority, which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the law determines the purposes and means of the processing, that same law may also designate the controller or set out the specific criteria for its designation (Article 4(8) of the Law).
Data processor: Any natural or legal person, or a public authority, which processes personal data on behalf of the controller (Article 4(9) of the Law).
3.1. Are there requirements for a contract to be in place between a controller and processor?
Processing carried out by a processor must be governed by a contract or other legally binding act, concluded or adopted in writing, including in electronic form. The contract/act binds the processor to the controller and sets out (Article 45(3) of the Law):
- the subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects; and
- the obligations and rights of the controller.
3.2. What content should be included?
The contract/act must stipulate that the processor is obliged to (Article 45(4) of the Law):
- process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law. In such a case, the processor must inform the controller of that legal requirement before processing, unless the law in question prohibits such information on important grounds of public interest;
- ensure that each natural person authorised to process the personal data has committed himself/herself to confidentiality or is under an appropriate statutory obligation of confidentiality;
- take all measures required for the security of processing under Article 50 of the Law;
- respect the conditions for engaging another processor, as provided under Article 45(2) and (7) of the Law;
- taking into account the nature of the processing, assist the controller by appropriate technical, organisational, and personnel measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for the exercise of data subjects' rights laid down by the Law;
- assist the controller in ensuring compliance with the obligations under Articles 50 and 52-55 of the Law, taking into account the nature of the processing and the information available to the processor;
- at the controller's choice, delete or return all the personal data to the controller after the end of the provision of services relating to the processing, and delete existing copies unless the law requires storage of the personal data; and
- make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 45 of the Law, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
In addition, the processor must warn the controller without delay if it considers that a written instruction received from the controller is not in accordance with the Law or another law governing the protection of personal data (Article 45(5) of the Law).
4.1. Are processors required to assist controllers with handling of data subject requests?
As outlined in section 3.2 above, the contract/act must stipulate, among other things, that the processor is obliged, taking into account the nature of the processing, to assist the controller by appropriate technical, organisational, and personnel measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for the exercise of data subjects' rights laid down by the Law (Article 45(4) of the Law).
5.1. Are processors required to keep records of their processing activities?
The processor, as well as its representative, if appointed, must keep a record of the processing operations carried out on behalf of the controller, containing the following information (Article 47(3) of the Law):
- name and contact details of each processor and each controller on whose behalf the processing is carried out, as well as of their representatives, if appointed;
- type of processing carried out on behalf of the controller;
- transfers of personal data to other countries or international organisations, including the name of the country or international organisations, as well as documentation of the protection measures adopted for the transfer in accordance with Article 69(2) of the Law; and
- general description of the protection measures referred to in Article 50(1) of the Law.
The processor, as well as its representative, if appointed, must make the records provided for in Articles 47(1), (3), (4), and (6) of the Law available to Poverenik at its request (Article 47(9) of the Law).
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
A processor engaged by the controller must provide sufficient guarantees that appropriate technical, organisational, and personnel measures are implemented, so that the processing is performed in accordance with the Law and the rights of data subjects are protected (Article 45(1) of the Law).
In addition, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context, and purposes of the processing and the likelihood and severity of the risk to the rights and freedoms of individuals, the processor must implement appropriate technical, organisational, and personnel measures to ensure a level of security appropriate to the risk (Article 50(1) of the Law). In particular, these measures include (Article 50(2) of the Law):
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data as soon as possible in the event of a physical or technical incident; and
- procedures for regularly testing, assessing, and evaluating the effectiveness of the technical, organisational, and personnel measures for ensuring the security of processing.
When assessing the appropriate level of security of the above measures, the processor must take into account the risks of processing, with specific reference to risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored, or otherwise processed (Article 50(3) of the Law).
Lastly, the processor must take steps to ensure that any natural person acting under its authority who has access to personal data processes them only on the processor's instructions, or where required by law (Article 50(4) of the Law).
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
The processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 52(3) of the Law).
8.1. Are subprocessors regulated? If so, what obligations are imposed?
As outlined in section 3.2 above, the contract/act must stipulate that the processor is obliged to respect the conditions for engaging another processor, as provided under Article 45(2) and (7) of the Law (Article 45(4) of the Law).
The processor may entrust the processing to another processor only with the controller's prior general or specific written authorisation. Where processing is carried out on the basis of a general authorisation, the processor must inform the controller of its intention to engage another sub-processor, so that the controller has the opportunity to object to that choice (Article 45(2) of the Law).
In addition, where the processor engages a sub-processor to carry out specific processing activities on behalf of the controller, the same data protection obligations set out in the contract between the controller and the processor under Article 45(3) and (4) of the Law must be imposed on the sub-processor by way of a separate contract or other legally binding act, concluded or adopted in writing, including in electronic form. That contract/act must provide sufficient guarantees that appropriate technical, organisational, and personnel measures are applied so that the processing is performed in accordance with the Law. If the sub-processor fails to fulfil its data protection obligations, the processor remains liable to the controller (Article 45(7) of the Law).
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
Chapter V of the Law regulates data transfers and applies to transfers carried out by both controllers and processors (Article 63(1) of the Law).
Transfers may be carried out without prior authorisation from Poverenik if the third country or international organisation provides an appropriate level of protection (Article 64(1) of the Law). Countries and international organisations that are parties to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108') are considered to provide an appropriate level of protection (Article 64(2) of the Law).
In this regard, the Government of the Republic of Serbia has adopted a Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered that an Adequate Level of Protection of Personal Data is Ensured (only available in Serbian). Transfers to the countries and organisations on this list are allowed, in accordance with Article 64 of the Law.
An adequate level of protection is also deemed to have been provided if an international agreement on the transfer of personal data has been concluded with another country or international organisation (Article 64(4) of the Law).
If the third country or international organisation does not provide an adequate level of protection, the transfer may be carried out on the basis of appropriate protection measures, in accordance with Article 65 of the Law.
10.1. Are processors required to assist controllers with regulatory investigations?
As outlined in section 3.2 above, the contract/act must stipulate that the processor is obliged to make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 45 of the Law, and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Article 45(4) of the Law).
Poverenik is also authorised to, among other things, order the processor and, if necessary, its representative, to provide all the information it requires (Article 79(1) of the Law).
11.1. Are processors required to appoint a DPO / representative?
Data protection officer ('DPO')
The processor may in general appoint a DPO (Article 56(1) of the Law).
However, the processor must designate a DPO where (Article 56(2) of the Law):
- the processing is carried out by a public authority or body;
- the core activities of the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The processor must publish the DPO's contact details and submit them to Poverenik (Article 56(10) of the Law).
The processor must appoint the DPO on the basis of professional qualifications, and in particular expert knowledge and experience in the field of personal data protection, as well as his/her ability to perform the tasks set out in Article 58 of the Law (Article 56(8) of the Law).
In addition, the DPO has to be involved by the controller/processor in all matters related to the protection of personal data (Article 57(1) of the Law).
The processor is obliged to provide the DPO with the necessary means for the fulfilment of his/her obligations in accordance with Article 58 of the Law and access to personal data and processing activities, as well as his/her professional development (Article 57(2) of the Law).
The processor must ensure the independence of the DPO in the performance of his/her obligations (Article 57(3) of the Law).
Where a processor that has no registered office or permanent or temporary residence in the Republic of Serbia ('the Republic') processes personal data of data subjects who have a permanent or temporary residence in the Republic, as set out in Article 3(4) of the Law, the processor must designate, in writing, a representative in the Republic, unless (Article 44(1) of the Law):
- the processing is occasional, does not involve special categories of personal data, and is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope, and purposes of the processing; or
- the processor is a public authority.
The processor must authorise the representative to be addressed, in addition to or instead of the processor, by data subjects and Poverenik on all issues related to the processing of personal data, for the purpose of ensuring compliance with the Law (Article 44(2) of the Law).
For further information see Serbia - Data Protection Officer Appointment.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
No further information.
Authored by OneTrust DataGuidance
DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.