
Global Data Privacy Guide

Serbia (Europe)

Firm: JPM & Partners

Contributors: Ivan Milosevic, Andrea Cvetanovic

Updated 10 Aug 2025
1. What is the key legislation?

The Law on Personal Data Protection ("Official Gazette of the Republic of Serbia", no. 87/2018) (hereinafter referred to as “Law”).

The Law regulates the right of natural persons to protection with regard to the processing of personal data and the free flow of such data, the principles of processing, the rights of data subjects, the obligations of controllers and processors, codes of conduct, the transfer of personal data to other countries and international organisations, supervision of the enforcement of the Law, legal remedies, liability and sanctions for violations of data subjects' rights in relation to the processing of personal data, as well as specific processing situations.

The Law also regulates the right of natural persons to protection with regard to the processing of personal data by competent authorities for the purposes of preventing, investigating and detecting criminal offences, prosecuting offenders or executing criminal sanctions, including safeguarding against and preventing threats to public and national security, as well as the free flow of such data.

Additional laws and by-laws which regulate this area of practice are as follows:

  • The Law on Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Official Gazette of SRJ – International conventions", no. 1/92, "Official Gazette of SCG – International conventions", no. 11/2005 – other law, and "Official Gazette of RS – International conventions", nos. 98/2008 – other law and 12/2010);
  • The Law on Free Access to Information of Public Importance ("Official Gazette of RS" No. 120/04, 54/07, 104/09 and 36/10);
  • The Law on Advertising ("Official Gazette of the Republic of Serbia" no.6/2016 and 52/2019 – other law);
  • The Law on Information Security ("Official Gazette of RS" No. 6/2016, 94/2017 and 77/2019);
  • The Law on Electronic Communications ("Official Gazette of RS" nos. 44/2010, 60/2013 – decision of the Constitutional Court, 62/2014 and 95/2018 – other law);
  • The Law on Private Security ("Official Gazette of RS" nos. 104/2013, 42/2015 and 87/2018);
  • The Law on Records in Employment Sector ("Official Gazette of SRJ", no. 46/96 and "Official Gazette of RS", nos. 101/2005 - other law and 36/2009 - other law);
  • The Law on Health Documentation and Records in Health Sector ("Official Gazette of RS" Nos.123/2014,106/2015, 105/2017 and 25/2019 – other law);
  • The Rulebook on the form and manner of keeping records of persons for protection of personal data ("Official Gazette of RS" No. 40/2019);
  • The Rulebook on the form of a complaint ("Official Gazette of RS" No. 40/2019);
  • The Rulebook on the form and manner of keeping internal records of violations of the Law on Personal Data Protection and the measures to be taken in the performance of inspection ("Official Gazette of RS" No. 40/2019);
  • The Rulebook on the form of notification on violation of personal data and manner of notification of the Commissioner for Information of Public Importance and Personal Data Protection of violation of personal data ("Official Gazette of RS" No. 40/2019);
  • The Decision on a list of countries, parts of their territories or one or more sectors of specific activities in those countries and international organizations where it is considered that an appropriate level of protection of personal data is ensured ("Official Gazette of RS" No. 55/2019); and
  • The Decision on the List of Types of Processing Activities for which a Personal Data Protection Impact Assessment shall be performed and for which the Commissioner for Information of Public Importance and Personal Data Protection shall be asked for an Opinion ("Official Gazette of RS" nos. 45/2019 and 112/2020).

Note:

On November 9, 2018, the National Assembly of Serbia adopted the Law on Personal Data Protection (“the Law”) which, inter alia, seeks to harmonize Serbia's data protection legal framework with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"). The new law is applicable as of August 21, 2019, and introduced significant novelties and legislative changes in the sphere of personal data protection such as:

  • abolition of the Central Registry and of the obligation of controllers to register with it every personal data filing system they keep and maintain;
  • an obligation on certain data controllers and data processors to keep (internal) records on personal data processing activities in accordance with Article 47 of the Law;
  • introduction of joint controllers;
  • application of accountability principle, i.e., imposing obligation to controllers and processors to demonstrate compliance with data protection principles;
  • introduction of binding corporate rules (BCRs), codes of conduct and certification mechanisms;
  • obligation to define and implement adequate technical and organizational measures based on risk assessment;
  • obligation to carry out data protection impact assessment and to consult the Commissioner in certain cases;
  • introduction of privacy by design and privacy by default principle;
  • change of legal grounds for personal data processing; and
  • change of rules regarding the transfer of personal data abroad, namely, broadening the legal grounds that allow a transfer of personal data from Serbia.

The new Law foresees a maximum fine that is twice the maximum fine prescribed under the old law: up to RSD 2,000,000, i.e. approximately EUR 17,000, per misdemeanour.

Further, if controllers do not comply with the measure imposed by the Commissioner, the Commissioner is authorized to impose fines of up to 10% of the revenues of the controller gained in the previous business year.

The supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection, an autonomous public authority which exercises its powers independently and is responsible for supervising the implementation of the Law and performing other tasks prescribed by law.

2. What are the key decisions applying that legislation?

Not applicable.

1. How are “personal data” and “sensitive data” defined?

"Personal data" means any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

2. How is the defined data protected?

Processing of special categories of personal data is prohibited, unless one of the following applies:
1)    the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, unless a law provides that the processing may not be carried out on the basis of consent;

2)    processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by a law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

3)    processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

4)    processing is carried out in the course of its registered business activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

5)    processing relates to personal data which are manifestly made public by the data subject;

6)    processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

7)    processing is necessary for reasons of substantial public interest established by a law, whereby such processing shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

8)    processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of a law or pursuant to contract with a health professional, in case that processing is carried out by or under the supervision of a healthcare professional or other person who has an obligation to keep professional secrecy prescribed by law or professional rules;

9)    processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of a law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

10)    processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with the Law and on the basis of a law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Further, personal data may be processed only on a lawful basis: the data subject's consent, performance of a contract, compliance with a legal obligation of the controller, protection of vital interests, performance of a task in the public interest or exercise of official authority, or the legitimate interests of the controller or a third party.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

3. Who is subject to privacy obligations?

The Law applies to the processing of personal data carried out by a controller or processor having its seat, domicile or residence in the territory of the Republic of Serbia, within the framework of activities carried out in the territory of the Republic of Serbia, regardless of whether the processing itself takes place in the territory of the Republic of Serbia.

"Controller" means a natural or legal person or public authority which, alone or jointly with others, determines the purposes and means of processing.

"Processor" means a natural or legal person or public authority that processes personal data on behalf of the controller.

The Law also applies to the processing of personal data of data subjects whose domicile or residence is in the territory of the Republic of Serbia by a controller or processor whose seat, domicile or residence is not in the territory of the Republic of Serbia, where the processing operations are related to:

  1. the offering of goods or services to such data subjects in the Republic of Serbia, irrespective of whether a payment by the data subject is required; or
  2. the monitoring of their behaviour, as far as their behaviour takes place within the Republic of Serbia.

4. How is “data processing” defined?

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, disclosure, consultation, use, disclosure by transmission or delivery, copying, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

5. What are the principles applicable to personal data processing?

The Law regulates the main principles for the collection of personal data. 

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), collected for purposes that are specified, explicit and legitimate and not further processed in a manner that is incompatible with those purposes ("purpose limitation"), and be adequate, relevant and limited to what is necessary in relation to the purposes of processing ("data minimisation").

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"). The data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (“storage limitation”).

The data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

The controller shall be responsible for and be able to demonstrate compliance with the principles set out in Article 5 of the Law. (“accountability”)

6. How is the processing of personal data regulated?

Processing of personal data covers any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Note: Personal data should be collected for purposes that are specified, explicit and legitimate and not further processed in a manner that is incompatible with those purposes ("purpose limitation").

In the case of personal data processed by the competent authorities for specific purposes, the competent authority is obliged, to the extent possible, to clearly distinguish personal data based on factual data from personal data based on personal evaluation. 

7. How are storage, security and retention of personal data regulated?

Personal Data must be stored in a form that permits identification of the person only within the time necessary for the accomplishment of the processing purpose ("storage limitation").

In the case of personal data processed by the competent authorities for specific purposes, a time limit must be set for erasing such data, or a term for periodically assessing the need to store them.

Personal data must be handled in such a way as to ensure adequate protection of personal data, including protection against unauthorized or unlawful processing, as well as from accidental loss, destruction or damage by appropriate technical, organizational and personnel measures ("integrity and confidentiality").

Note: Controllers and processors shall take all necessary technical, organisational and personnel measures to ensure that the processing is carried out in accordance with the Law and in a manner that enables them to demonstrate this, taking into account the nature, scope, circumstances and purpose of the processing, as well as the likelihood of the risk occurring and the level of risk to the rights and freedoms of natural persons.

8. What are the data subjects' rights under the data legislation?

The data subject has the right to obtain from the controller confirmation as to whether his or her personal data are being processed and, where that is the case, access to such data and to the following information:

  1. the purpose of the processing;
  2. the types of personal data being processed;
  3. the recipient or types of recipients to whom personal data have been disclosed or will be disclosed, and in particular to recipients in other countries or international organizations;
  4. the envisaged period for keeping personal data, or, if this is not possible, the criteria for determining that deadline;
  5. the existence of the right to require the controller to rectify or erase his or her personal data, the right to restrict processing and the right to object to processing;
  6. the right to file a complaint with the Commissioner;
  7. available information on the source of the personal data, if the personal data have not been collected from the persons to whom they relate;
  8. the existence of an automated decision-making process.

The data subject has the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

9. What are the consent requirements for data subjects?

Consent is one of the legal bases for processing set out above. Under the Law, consent must be freely given, specific, informed and unambiguous, and the controller must be able to demonstrate that the data subject has consented. Where processing is based on consent, the data subject may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Processing of special categories of personal data on the basis of consent requires explicit consent for one or more specified purposes, and consent to direct advertising may be revoked at any time (see question 16).

Further, the data subject has the right to rectification, erasure, restriction of processing, data portability, the right to object and the right not to be subject to a decision based solely on automated processing, in accordance with the Law.

10. How is authorization for use of data handled?

Access control is determined on the basis of the risk assessment carried out by the controller, as one of the appropriate measures ensuring a level of security appropriate to the risk.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Yes, the Law regulates cross-border transfers of personal data.

Any transfer of personal data which are undergoing processing or are intended for processing after the transfer to another country or an international organisation may take place only if the controller and processor comply with the conditions laid down in the Law. The same applies to onward transfers of personal data from that country or international organisation to another country or international organisation, so that the level of protection of natural persons guaranteed by the Law is not undermined.

Where the processing is carried out by competent authorities for specific purposes, a transfer to another country or international organisation may take place only if the conditions prescribed by the Law are met.

An adequate level of protection is deemed to be provided by countries and international organisations that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and by countries, parts of their territories, sectors or international organisations which the European Union has determined to provide an adequate level of protection.

The Government may determine that a country or international organization does not provide an adequate level of protection.

A controller or processor may transfer personal data to another country or international organisation for which an adequate level of protection has not been established only if the controller or processor has provided appropriate safeguards for the data and on condition that enforceable data subject rights and effective legal remedies are available to data subjects.

Appropriate safeguards may be provided either with or without the specific approval of the Commissioner.

Note: Where personal data are collected from the data subject, the controller must inform the data subject that it intends to transfer the personal data to another country or international organisation, of the appropriate safeguards relied on, and of how the data subject may obtain information about those safeguards.

13. Are there any notification requirements for incidents and/or data breaches?

The controller is obliged to notify the Commissioner of a personal data breach which may result in a risk to the rights and freedoms of natural persons without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

If the controller does not notify the Commissioner within 72 hours of becoming aware of the breach, it is obliged to state the reasons for the delay.

The processor is obliged to inform the controller without undue delay after becoming aware of a personal data breach.

If a personal data breach may result in a high risk to the rights and freedoms of natural persons, the controller is obliged to inform the data subject of the breach without undue delay.

In the notification, the controller is obliged to describe in clear and plain language the nature of the personal data breach and to provide the information required by the Law.

In addition, the Law on Information Security requires operators of ICT systems of special importance to notify the competent authority of incidents, in accordance with that law. ICT systems of special importance are systems which are used:

  • in the exercise of the competencies of public authorities;
  • for the processing of data which are, in accordance with the Law, considered special categories of personal data;
  • in the performance of activities in the public interest pursuant to that law.

The notification obligation is limited to significant incidents.

In accordance with the nature, scope and complexity of its business, the operator of an ICT system of special importance is obliged to define and implement, within its organisational structure, measures for the protection of the ICT system, in accordance with the Law on Information Security and with the national and international standards applied in the relevant industries.

14. Who is/are the privacy regulator(s)?

The Commissioner for Information of Public Importance and Personal Data Protection is established by the Law on Free Access to Information of Public Importance as an autonomous state body, independent in the exercise of its competencies.

Note: The Commissioner for Information of Public Importance and Personal Data Protection is an autonomous public authority which exercises its powers independently and whose competencies are set out in Article 77 of the Law.

The data subject has the right to file a complaint with the Commissioner if he or she considers that the processing of personal data has been carried out contrary to the provisions of the Law. Filing a complaint with the Commissioner does not affect the data subject's right to initiate other administrative or judicial protection proceedings.

The Commissioner acts upon complaints of data subjects, determines whether there has been a violation of the law, notifies the data subject on the course and results of the proceedings and supervises and ensures the implementation of the law in accordance with its powers.

15. What are the consequences of a data breach?

As mentioned above, the controller is obliged to notify the Commissioner, and the processor the controller, without undue delay after becoming aware of a personal data breach which may result in a risk to the rights and freedoms of natural persons. If the controller does not notify the Commissioner within 72 hours of becoming aware of the breach, it is obliged to state the reasons for the delay.

A person who has suffered material or immaterial damage as a result of a violation of the provisions of the Law is entitled to monetary compensation for this damage from the controller or processor who caused the damage.

The Law prescribes a fine of RSD 50,000 to 2,000,000 for a misdemeanour committed by a controller or processor having the status of a legal entity, for the breaches of the Law specified therein.

Note: If, in the course of supervision, violations of the provisions of the Law pertaining to processing are identified, the Commissioner shall warn the controller of the irregularities in the processing.

The Commissioner is authorized to take the following corrective measures:

  1. to warn the controller or processor, by submitting a written opinion, that the intended processing operations may violate the provisions of the Law;
  2. to issue a warning to the controller or processor if the processing violates the provisions of the Law;
  3. to order the controller or processor to comply with the data subject's request for the exercise of his or her rights, in accordance with the Law;
  4. to order the controller or processor to bring processing operations into compliance with the provisions of the Law, in a specified manner and within a specified period;
  5. to order the controller to inform the data subject of a personal data breach;
  6. to impose a temporary or permanent restriction on a processing operation, including a prohibition on processing;
  7. to order the rectification or erasure of personal data or the restriction of a processing operation, and to order the controller to inform another controller, the data subject and the recipients to whom the personal data have been disclosed or transferred thereof;
  8. to revoke a certificate or to order the certification body to revoke a certificate it has issued;
  9. to impose a fine by way of a misdemeanour order if, in the course of inspection supervision, it is established that a misdemeanour for which the Law prescribes a fine has been committed; and
  10. to suspend the transfer of personal data to a recipient in another country or international organisation.

A fine of RSD 5,000 to 150,000 will be imposed on a natural person who does not keep confidential the personal data he or she has learned in the course of performing his or her business activities.

If controllers do not comply with the measure imposed by the Commissioner, the Commissioner is authorized to impose a fine of up to 10% of the revenues of the controller gained in the previous business year.

The implementation of the measures is governed by an act of the Commissioner.

16. How is electronic marketing regulated?

Electronic marketing is regulated by the Law on Advertising ("Official Gazette of the Republic of Serbia" nos. 6/2016 and 52/2019 – other law), which prescribes that direct advertising to individuals requires their prior consent.

Note: The consent given may be revoked at any time, and the advertiser or the transmitter of the advertising message must enable the individual to do so.

Direct advertising to individuals is carried out in accordance with the rules on advertising by means of distance communication laid down in the regulations governing consumer protection.

17. Are there sector-specific or industry-specific privacy requirements?

Yes. Legislation regulating sectors and industries such as healthcare, employment, telecommunications and education provides for privacy requirements relating to, for example, data retention periods, specific security measures and confidentiality obligations.

18. What are the requirements for appointing Data Protection Officers or similar roles?

The designation of a DPO is mandatory where the processing is carried out by a public authority, where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of a large number of data subjects, or where the core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences; in other cases a DPO may be designated voluntarily.

A DPO shall be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice and the ability to fulfil the tasks stipulated by the Law, which are:
-    to inform and advise the controller or processor and the employees who carry out processing of their obligations relating to personal data protection;
-    to monitor compliance with the Law, other regulations and the internal policies of the controller or processor relating to the protection of personal data;
-    to provide advice, where requested, regarding the data protection impact assessment ("DPIA") and to monitor its performance;
-    to cooperate with the Commissioner.

19. What are the record-keeping and documentation obligations?

Records of processing activities shall be kept by every controller and processor with 250 or more employees.
Controllers and processors with fewer than 250 employees are also obliged to keep records of processing activities where the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or data relating to criminal convictions and offences.
In addition, under the accountability principle, the controller must be able to demonstrate compliance with the Law.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

A DPIA is required where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, and in particular in the case of:
1)    a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
2)    processing on a large scale of special categories of personal data, or of personal data relating to criminal convictions and offences; or
3)    systematic monitoring of a publicly accessible area on a large scale.

The types of processing operations for which a DPIA is mandatory, and for which the Commissioner's opinion must be sought, are further specified in the Commissioner's Decision listed in question 1.

DPIA shall contain at least:
a)    a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b)    an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c)    an assessment of the risks to the rights and freedoms of data subjects; and
d)    the measures envisaged to address the risks, including safeguards, technical, organisational and personnel measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Law, taking into account the rights and legitimate interests of data subjects and other persons concerned.

21. What are the requirements for third-party vendor management and data sharing?

The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Law and ensure the protection of the rights of the data subject.
Processing by a processor shall be governed by a contract or other legal act, concluded in writing or by electronic means, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
The contract shall, among other things, stipulate audits, including inspections conducted by the controller or another auditor mandated by the controller.
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act, concluded in writing or by electronic means, in particular providing sufficient guarantees to implement appropriate technical, organisational and personnel measures in such a manner that the processing will meet the requirements of the Law.

22. What are the penalties and enforcement mechanisms for non-compliance?

The Law prescribes monetary fines for misdemeanours for non-compliance ranging from RSD 50,000 (approx. EUR 400) to RSD 2,000,000 (approx. EUR 17,000) for legal entities and between RSD 5,000 (approx. EUR 40) and RSD 150,000 (approx. EUR 1,300) for responsible persons within legal entities. For entrepreneurs, fines range from RSD 20,000 (approx. EUR 170) to RSD 500,000 (approx. EUR 4,200).
A data subject has the right to file a complaint with the Commissioner. Further, a data subject may initiate:
• an administrative dispute, by filing a lawsuit against the Commissioner’s decision in the complaint procedure;
• a civil dispute, by filing a claim for the protection of rights;
• a civil dispute, by filing a claim for damages; or
• misdemeanour proceedings, by submitting a request for initiation of misdemeanour proceedings, which can be initiated by the Commissioner, as well as by the injured party.
Unauthorised collection of personal data is a criminal offence and criminal prosecution is initiated by a private action unless the offence is committed by an authorised state official.

23. What are the ongoing compliance and audit requirements?

Appropriate technical, organisational and personnel measures shall be assessed and updated on a regular basis, at a frequency suited to each organisation, so that it remains compliant with the Law.
Best practice is to conduct audits and updates related to information security standards on an annual basis.

24. Are there any recent developments or expected reforms?

In June 2021, the Serbian Government formed a Working Group for Preparation of Data Protection Strategy in Accordance with the Action Plan. The task of the Working Group is to define the strategic direction of development in the field of personal data protection. This includes amendments to the Law on Personal Data Protection in light of its application for more than two years, aligning other system laws with the Law on Personal Data Protection, and adopting special laws governing the use of video surveillance, the processing of biometric data, the use of artificial intelligence, etc.
In August 2023, the Serbian Government adopted the Personal Data Protection Strategy for the period 2023-2030. The main goals of this Strategy are:
- Improved functional mechanisms for personal data protection;
- Improved awareness of the importance of personal data protection and of the ways of exercising rights;
- Improved personal data protection during the development and application of information and communication technologies in digitisation processes.
In March 2025, the Government adopted the Action Plan for the implementation of the said Strategy for the period 2025-2027.
