	Global Data Privacy Guide
	Serbia
	(Europe) Firm JPM & Partners Contributors Ivan Milosevic Andrea Cvetanovic Updated 01 Mar 2022
What is the key legislation?	The Law on Personal Data Protection ("Official Gazette of the Republic of Serbia", no. 87/2018) (hereinafter referred to as “Law”). This Law regulates the right of natural persons to protection in regard to personal data processing and free flow of such data, data processing principles, rights of data subjects, obligations of controllers and processors, code of conduct, transfer of personal data to other countries and international organizations, supervision of the enforcement of the law, legal remedies, liability and sanctions in case of violation of rights of data subjects in relation with personal data processing, as well as specific processing situations. This Law also regulates the right to the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, investigating and detecting criminal offenses, prosecuting offenders or committing criminal sanctions, including prevention and protection against threats to public and national security, as well as the free flow of such data. Additional laws and by-laws which regulate this area of practice are as follows: The Law on Ratification of Convention on Protection of Persons with Regard to Automatic Processing of Personal Data ("Official Gazette of SRJ- International conventions", no. 1/92 „Official Gazette of SCG – International conventions “no. 11/2005 – other law and “Official Gazette of RS – International conventions, no. 98/2008 – other law and 12/2010); The Law on Free Access to Information of Public Importance ("Official Gazette of RS" No. 120/04, 54/07, 104/09 and 36/10); The Law on Advertising ("Official Gazette of the Republic of Serbia" no.6/2016 and 52/2019 – other law); The Law on Information Security ("Official Gazette of RS" No. 6/2016, 94/2017 and 77/2019); The Law on Electronic Communications (''Official Gazette of RSJ'' no. 44/2010, 60/2013 – decision CC, 62/2014 and 95/2018 – other law); The Law on Private Security (''Official Gazette of RS", nos. 104/2013 and 42/2015 and 87/2018); The Law on Records in Employment Sector ("Official Gazette of SRJ", no. 46/96 and "Official Gazette of RS", nos. 101/2005 - other law and 36/2009 - other law); The Law on Health Documentation and Records in Health Sector ("Official Gazette of RS" Nos.123/2014,106/2015, 105/2017 and 25/2019 – other law); The Rulebook on the form and manner of keeping records of persons for protection of personal data ("Official Gazette of RS" No. 40/2019); The Rulebook on the form of a complaint ("Official Gazette of RS" No. 40/2019); The Rulebook on the form and manner of keeping internal records of violations of the Law on Personal Data Protection and the measures to be taken in the performance of inspection ("Official Gazette of RS" No. 40/2019); The Rulebook on the form of notification on violation of personal data and manner of notification of the Commissioner for Information of Public Importance and Personal Data Protection of violation of personal data ("Official Gazette of RS" No. 40/2019); The Decision on a list of countries, parts of their territories or one or more sectors of specific activities in those countries and international organizations where it is considered that an appropriate level of protection of personal data is ensured ("Official Gazette of RS" No. 55/2019); and The Decision on List of Types of Activities of Processing of Personal Data for which Personal Data Protection Impact Assessment shall be performed and for which the Commissioner for Information of Public Importance and Personal Data Protection shall be asked for Opinion ("Official Gazette of RS" Nos. 45/2019 and 112/20). Note: On November 9, 2018, the National Assembly of Serbia adopted the Law on Personal Data Protection (“the *Law”) which, inter alia, seeks to harmonize Serbia's data protection legal framework with the provisions of the General Data Protection Regulation* (Regulation (EU) 2016/679) ("GDPR"). The new law is applicable as of August 21, 2019, and introduced significant novelties and legislative changes in the sphere of personal data protection such as: cancellation of the Central Registry and cancellation of the obligation of data controllers to register with this Central Registry all personal databases that they keep and maintain; an obligation on certain data controllers and data processors to keep (internal) records on personal data processing activities in accordance with Article 47 of the Law; introduction of joint controllers; application of accountability principle, i.e., imposing obligation to controllers and processors to demonstrate compliance with data protection principles; introduction of BCRs, codes of conduct and certification mechanisms; obligation to define and implement adequate technical and organizational measures based on risk assessment; obligation to carry out data protection impact assessment and to consult the Commissioner in certain cases; introduction of privacy by design and privacy by default principle; change of legal grounds for personal data processing; and change of rules regarding the transfer of personal data abroad, namely, broadening the legal grounds that allow a transfer of personal data from Serbia. The new law foresees a maximum fine that is two times the maximum fine prescribed under the old law – up to 2.000.000 RSD, i.e. cca. 17.000, 00 EUR per misdemeanor. Further, if controllers do not comply with the measure imposed by the Commissioner, the Commissioner is authorized to impose fines of up to 10% of the revenues of the controller gained in the previous business year. The Supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection, an autonomous public authority who exercises his/her powers independently and who is responsible for the supervision of the implementation of the law and performing other tasks prescribed by law.
What data is protected?	The Law provides for the protection of the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Note: The definition of the term “personal data” is the same as in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). “Personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Who is subject to privacy obligations?	Controllers and processors who have their headquarters, domicile or residence in the territory of the Republic of Serbia and within the framework of activities carried out in the territory of the Republic of Serbia, regardless of whether the processing is carried out in the territory of the Republic of Serbia. Controller means a natural or legal person, or authority, which independently or jointly with others, determines the purpose and method of processing. Processor means a natural or legal person or authority that processes personal data on behalf of the controller. The Law shall also apply to the processing of personal data of data subjects whose domicile or residence is in the territory of the Republic of Serbia by controller or processor whose headquarter, domicile or residence is not in the territory of the Republic of Serbia, in case the processing operations are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Republic of Serbia; or the monitoring of their behavior as far as their behavior takes place within the Republic of Serbia.
What are the principles applicable to personal data processing?	The Law regulates the main principles for the collection of personal data. Each collection of personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), collected for purposes that are specified, explicit and legitimate and not further processed in a manner that is incompatible with those purposes ("purpose limitation") and be adequate, relevant and limited to what is necessary in relation to the purposes of processing ("data minimization"). Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"). The data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (“storage limitation”). The data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental, loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”). The controller shall be responsible for and be able to demonstrate compliance with the principles set out in Article 5 of the Law. (“accountability”)
How is the processing of personal data regulated?	The manners of the processing of the personal data are any operation or set of operations that is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Note: Personal data should be collected for purposes that are specified, explicit and legitimate and not further processed in a manner that is incompatible with those purposes ("purpose limitation"). In the case of personal data processed by the competent authorities for specific purposes, the competent authority is obliged, to the extent possible, to clearly distinguish personal data based on factual data from personal data based on personal evaluation.
How are storage, security and retention of personal data regulated?	Personal Data must be stored in a form that permits identification of the person only within the time necessary for the accomplishment of the processing purpose ("storage limitation"). In the case of personal data processed by the competent authorities for specific purposes, a time limit must be set for erasing such data, or a term for periodically assessing the need to store them. Personal data must be handled in such a way as to ensure adequate protection of personal data, including protection against unauthorized or unlawful processing, as well as from accidental loss, destruction or damage by appropriate technical, organizational and personnel measures ("integrity and confidentiality"). Note: Controllers and processors shall take all necessary technical, human resources and organizational measures to ensure that the processing is carried out in accordance with the law and in a manner that they are able to present it, taking into account the nature, scope, circumstances and purpose of the processing, as well as the of chances of risk occurrence and the level of risk to the rights and freedoms of individuals.
What are the data subjects' rights?	The data subject has the right to request from the controller, whether he or she processes his personal data, access to such data, and the following information: the purpose of the processing; the types of personal data being processed; the recipient or types of recipients to whom personal data have been disclosed or will be disclosed, and in particular to recipients in other countries or international organizations; the envisaged period for keeping personal data, or, if this is not possible, the criteria for determining that deadline; the existence of the right to require the controller to correct or delete his personal data, the right to restrict processing and the right to object to processing; the right to file a complaint with the Commissioner; available information on the source of the personal data, if the personal data have not been collected from the persons to whom they relate; the existence of an automated decision-making process. The data subject has the right to correct his incorrect personal data without undue delay. Depending on the purpose of the processing, the data subject has the right to supplement his/her incomplete personal data, which includes making an additional statement.
Are there restrictions on cross-border data transfers?	Any transfer of personal data undergoing processing or intended for further processing after being transferred to another country or international organization may only be made if the controller and processor act in accordance with the conditions prescribed by the Law. This also includes the further transfer of personal data from another country or international organization to a third country or international organization in order to ensure an adequate level of protection for individuals equal to the level guaranteed by the Law. If the processing is carried out by the competent authorities for specific purposes, the transfer to another country or international organization can only be carried out if the conditions are met. The appropriate level of protection shall be deemed to be provided in countries and international organizations that are parties to the Council of Europe Convention for the Protection of Individuals with regard to the processing of personal data, i.e. in countries, parts of their territories, sectors or international organizations for which was determined by the European Union to provide an adequate level of protection. The Government may determine that a country or international organization does not provide an adequate level of protection. Controller or processor may transfer personal data to another country or to an international organization for which the existence of an adequate level of protection is not established, only if the controller or processor has provided appropriate measures of protection of this data and if the data subject is assured the exercise of his rights and effective legal protection. Appropriate measures for protection may be provided upon the special approval or without the special approval of the Commissioner. Note: If the personal data is collected from the person to whom it relates, the controller must inform the data subject about the fact that the controller intends to present personal data to another country or international organization or in reference to the appropriate protection measures, as well as on how the data subject may become aware of those measures.
Are there any notification requirements for data breaches?	The controller is obliged to notify the Commissioner of a violation of personal data which may create a risk to the rights and freedoms of natural persons without undue delay, or, if possible, within 72 hours of finding out about the violation. If the controller does not act within 72 hours of finding out about the injury, he is obliged to explain the reasons for not acting within that period. The processor is obliged, after finding out about the violation of personal data, without undue delay inform the controller about the injury. If a personal data breach can create a high risk to the rights and freedoms of natural persons, the controller is obliged to inform the data subject without undue delay of the breach. In the notification, the controller is obliged to describe in a clear and understandable manner the nature of the data breach and to provide the information required by the Law. The Law on Information Security requires notification of regulators in case of ICT systems of special importance, in accordance with this law. Note: The Law on Information Security requires notification of regulators in case of ICT systems of special importance, i.e. systems which are used: in implementation of competencies of public authorities; for processing of data, which are, in accordance with the Law, considered as sensitive personal data; in performance of activities in the public interest pursuant to this law. The notification is limited to significant breaches. In accordance with the nature, scope and complexity of its business, the operator of ICT systems of special importance is obliged, within its organizational structure, to define and implement measures of protection of ICT systems, in accordance with the Law on Information Security, national and international standards implemented in specific of fields of industries.
Who is the privacy regulator?	Commissioner for Information of Public Importance is established by The Law on Free Access to Information of Public Importance as an autonomous state body, independent in exercising its jurisdiction. Note: The Commissioner for Information of Public Importance and Personal Data Protection is an autonomous public authority, who exercises his/her powers independently and whose competencies are set by Article 77 of the Law. The data subject has the right to file a complaint to the Commissioner if he/she considers that the processing of personal data has been carried out contrary to the provisions of the law. Filing a complaint to the Commissioner does not affect the data subject’s right to initiate other administrative or judicial protection proceedings The Commissioner acts upon complaints of data subjects, determines whether there has been a violation of the law, notifies the data subject on the course and results of the proceedings and supervises and ensures the implementation of the law in accordance with its powers.
What are the consequences of a privacy breach?	As abovementioned, the controller and processor have the obligation of notification without undue delay about data breaches, as soon as they notice the violation of personal data which may create a risk to the rights and freedoms of natural persons. If the controller does not act within 72 hours of finding out about the injury, he is obliged to explain the reasons for not acting within that period. A person who has suffered material or immaterial damage as a result of a violation of the provisions of the Law is entitled to monetary compensation for this damage from the controller or processor who caused the damage. The Law prescribes that a fine in the amount of RSD 50,000 to 2,000,000 shall be charged for infringement to a controller and a processor with the status of a legal entity for privacy breaches determined by the law. Note: If violations of the provisions of the Law on Protection of Personal Data pertaining to processing are identified in the course of supervision, the commissioner shall caution the controller against any irregularities in processing. The Commissioner is authorized to take the following corrective measures: to warn the controller and the processor by submitting a written opinion that the intended processing operations may violate the provisions of the law; to issue a warning to the controller or processor if the processing violates the provisions of the law; to order the controller and the processor to act upon the request of the data subject in connection with the exercise of his rights, in accordance with this Law; to order the controller and the processor to harmonize the processing operations with the provisions of the law, in a specific manner and within a specified time; to instruct the controller to inform the data subject about a violation of the personal data; impose a temporary or permanent restriction on the performance of a processing operation, including a prohibition on processing; to order the correction or deletion of personal data or to restrict the performance of a processing operation, as well as to order the controller to inform about it the other controller, the data subject and the recipients to whom the personal data have been disclosed or transferred; revoke the certificate or order the certification body to revoke the issued certificate; to impose a fine on the basis of a misdemeanor warrant if during the inspection supervision it was established that a misdemeanor for which a fine has been prescribed by this law; and suspend the transfer of personal data to a recipient in another country or international organization. A fine from RSD 5,000 to 150,000 will be imposed on a natural person who does not keep as confidential personal information that has to find out while performing their business activities. If controllers do not comply with the measure imposed by the Commissioner, the Commissioner is authorized to impose a fine of up to 10% of the revenues of the controller gained in the previous business year. The implementation of measures is governed by an enactment of the commissioner.
How is electronic marketing regulated?	Electronic marketing is regulated by the Law on Advertising ("Official Gazette of the Republic of Serbia" no.6/2016 and 52/2019 – other law) which prescribes that individuals shall give prior consent in order to participate in direct advertising. Note: According to the Law on Advertising, direct advertising to individuals require their prior consent. The said given consent may be revoked at any time. The advertiser or transferor of the ad message must allow this. Direct advertising to individuals is carried out in accordance with the rules on advertising by means of distance communication in accordance with the regulations governing consumer protection.
Are there any recent developments or expected reforms?	In June 2021, the Serbian Government formed a Working Group for Preparation of Data Protection Strategy in Accordance with the Action Plan. The task of the Working Group is to define the strategic direction of development in the field of protection of personal data. This includes amendments of the Law Personal Data Protection in the context of its application for more than two years, aligning other system laws with the Law on Personal Data Protection, including rendering special laws governing the use of video surveillance, processing of biometric data, use of artificial intelligence, etc.

Global Data Privacy Guide

Back XLS

What is the key legislation?

The Law on Personal Data Protection ("Official Gazette of the Republic of Serbia", no. 87/2018) (hereinafter referred to as “Law”).

This Law regulates the right of natural persons to protection in regard to personal data processing and free flow of such data, data processing principles, rights of data subjects, obligations of controllers and processors, code of conduct, transfer of personal data to other countries and international organizations, supervision of the enforcement of the law, legal remedies, liability and sanctions in case of violation of rights of data subjects in relation with personal data processing, as well as specific processing situations.

This Law also regulates the right to the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, investigating and detecting criminal offenses, prosecuting offenders or committing criminal sanctions, including prevention and protection against threats to public and national security, as well as the free flow of such data.

Additional laws and by-laws which regulate this area of practice are as follows:

The Law on Ratification of Convention on Protection of Persons with Regard to Automatic Processing of Personal Data ("Official Gazette of SRJ- International conventions", no. 1/92 „Official Gazette of SCG – International conventions “no. 11/2005 – other law and “Official Gazette of RS – International conventions, no. 98/2008 – other law and 12/2010);
The Law on Free Access to Information of Public Importance ("Official Gazette of RS" No. 120/04, 54/07, 104/09 and 36/10);
The Law on Advertising ("Official Gazette of the Republic of Serbia" no.6/2016 and 52/2019 – other law);
The Law on Information Security ("Official Gazette of RS" No. 6/2016, 94/2017 and 77/2019);
The Law on Electronic Communications (''Official Gazette of RSJ'' no. 44/2010, 60/2013 – decision CC, 62/2014 and 95/2018 – other law);
The Law on Private Security (''Official Gazette of RS", nos. 104/2013 and 42/2015 and 87/2018);
The Law on Records in Employment Sector ("Official Gazette of SRJ", no. 46/96 and "Official Gazette of RS", nos. 101/2005 - other law and 36/2009 - other law);
The Law on Health Documentation and Records in Health Sector ("Official Gazette of RS" Nos.123/2014,106/2015, 105/2017 and 25/2019 – other law);
The Rulebook on the form and manner of keeping records of persons for protection of personal data ("Official Gazette of RS" No. 40/2019);
The Rulebook on the form of a complaint ("Official Gazette of RS" No. 40/2019);
The Rulebook on the form and manner of keeping internal records of violations of the Law on Personal Data Protection and the measures to be taken in the performance of inspection ("Official Gazette of RS" No. 40/2019);
The Rulebook on the form of notification on violation of personal data and manner of notification of the Commissioner for Information of Public Importance and Personal Data Protection of violation of personal data ("Official Gazette of RS" No. 40/2019);
The Decision on a list of countries, parts of their territories or one or more sectors of specific activities in those countries and international organizations where it is considered that an appropriate level of protection of personal data is ensured ("Official Gazette of RS" No. 55/2019); and
The Decision on List of Types of Activities of Processing of Personal Data for which Personal Data Protection Impact Assessment shall be performed and for which the Commissioner for Information of Public Importance and Personal Data Protection shall be asked for Opinion ("Official Gazette of RS" Nos. 45/2019 and 112/20).

Note:

On November 9, 2018, the National Assembly of Serbia adopted the Law on Personal Data Protection (“the Law”) which, inter alia, seeks to harmonize Serbia's data protection legal framework with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"). The new law is applicable as of August 21, 2019, and introduced significant novelties and legislative changes in the sphere of personal data protection such as:

cancellation of the Central Registry and cancellation of the obligation of data controllers to register with this Central Registry all personal databases that they keep and maintain;
an obligation on certain data controllers and data processors to keep (internal) records on personal data processing activities in accordance with Article 47 of the Law;
introduction of joint controllers;
application of accountability principle, i.e., imposing obligation to controllers and processors to demonstrate compliance with data protection principles;
introduction of BCRs, codes of conduct and certification mechanisms;
obligation to define and implement adequate technical and organizational measures based on risk assessment;
obligation to carry out data protection impact assessment and to consult the Commissioner in certain cases;
introduction of privacy by design and privacy by default principle;
change of legal grounds for personal data processing; and
change of rules regarding the transfer of personal data abroad, namely, broadening the legal grounds that allow a transfer of personal data from Serbia.

The new law foresees a maximum fine that is two times the maximum fine prescribed under the old law – up to 2.000.000 RSD, i.e. cca. 17.000, 00 EUR per misdemeanor.

Further, if controllers do not comply with the measure imposed by the Commissioner, the Commissioner is authorized to impose fines of up to 10% of the revenues of the controller gained in the previous business year.

The Supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection, an autonomous public authority who exercises his/her powers independently and who is responsible for the supervision of the implementation of the law and performing other tasks prescribed by law.

What data is protected?

The Law provides for the protection of the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Note: The definition of the term “personal data” is the same as in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

“Personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Who is subject to privacy obligations?

Controllers and processors who have their headquarters, domicile or residence in the territory of the Republic of Serbia and within the framework of activities carried out in the territory of the Republic of Serbia, regardless of whether the processing is carried out in the territory of the Republic of Serbia.

Controller means a natural or legal person, or authority, which independently or jointly with others, determines the purpose and method of processing.

Processor means a natural or legal person or authority that processes personal data on behalf of the controller.

The Law shall also apply to the processing of personal data of data subjects whose domicile or residence is in the territory of the Republic of Serbia by controller or processor whose headquarter, domicile or residence is not in the territory of the Republic of Serbia, in case the processing operations are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Republic of Serbia; or
the monitoring of their behavior as far as their behavior takes place within the Republic of Serbia.

What are the principles applicable to personal data processing?

The Law regulates the main principles for the collection of personal data.

Each collection of personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), collected for purposes that are specified, explicit and legitimate and not further processed in a manner that is incompatible with those purposes ("purpose limitation") and be adequate, relevant and limited to what is necessary in relation to the purposes of processing ("data minimization").

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"). The data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (“storage limitation”).

The data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental, loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The controller shall be responsible for and be able to demonstrate compliance with the principles set out in Article 5 of the Law. (“accountability”)

How is the processing of personal data regulated?

The manners of the processing of the personal data are any operation or set of operations that is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Note: Personal data should be collected for purposes that are specified, explicit and legitimate and not further processed in a manner that is incompatible with those purposes ("purpose limitation").

In the case of personal data processed by the competent authorities for specific purposes, the competent authority is obliged, to the extent possible, to clearly distinguish personal data based on factual data from personal data based on personal evaluation.

How are storage, security and retention of personal data regulated?

Personal Data must be stored in a form that permits identification of the person only within the time necessary for the accomplishment of the processing purpose ("storage limitation").

In the case of personal data processed by the competent authorities for specific purposes, a time limit must be set for erasing such data, or a term for periodically assessing the need to store them.

Personal data must be handled in such a way as to ensure adequate protection of personal data, including protection against unauthorized or unlawful processing, as well as from accidental loss, destruction or damage by appropriate technical, organizational and personnel measures ("integrity and confidentiality").

Note: Controllers and processors shall take all necessary technical, human resources and organizational measures to ensure that the processing is carried out in accordance with the law and in a manner that they are able to present it, taking into account the nature, scope, circumstances and purpose of the processing, as well as the of chances of risk occurrence and the level of risk to the rights and freedoms of individuals.

What are the data subjects' rights?

The data subject has the right to request from the controller, whether he or she processes his personal data, access to such data, and the following information:

the purpose of the processing;
the types of personal data being processed;
the recipient or types of recipients to whom personal data have been disclosed or will be disclosed, and in particular to recipients in other countries or international organizations;
the envisaged period for keeping personal data, or, if this is not possible, the criteria for determining that deadline;
the existence of the right to require the controller to correct or delete his personal data, the right to restrict processing and the right to object to processing;
the right to file a complaint with the Commissioner;
available information on the source of the personal data, if the personal data have not been collected from the persons to whom they relate;
the existence of an automated decision-making process.

The data subject has the right to correct his incorrect personal data without undue delay. Depending on the purpose of the processing, the data subject has the right to supplement his/her incomplete personal data, which includes making an additional statement.

Are there restrictions on cross-border data transfers?

Any transfer of personal data undergoing processing or intended for further processing after being transferred to another country or international organization may only be made if the controller and processor act in accordance with the conditions prescribed by the Law. This also includes the further transfer of personal data from another country or international organization to a third country or international organization in order to ensure an adequate level of protection for individuals equal to the level guaranteed by the Law.

If the processing is carried out by the competent authorities for specific purposes, the transfer to another country or international organization can only be carried out if the conditions are met.

The appropriate level of protection shall be deemed to be provided in countries and international organizations that are parties to the Council of Europe Convention for the Protection of Individuals with regard to the processing of personal data, i.e. in countries, parts of their territories, sectors or international organizations for which was determined by the European Union to provide an adequate level of protection.

The Government may determine that a country or international organization does not provide an adequate level of protection.

Controller or processor may transfer personal data to another country or to an international organization for which the existence of an adequate level of protection is not established, only if the controller or processor has provided appropriate measures of protection of this data and if the data subject is assured the exercise of his rights and effective legal protection.

Appropriate measures for protection may be provided upon the special approval or without the special approval of the Commissioner.

Note: If the personal data is collected from the person to whom it relates, the controller must inform the data subject about the fact that the controller intends to present personal data to another country or international organization or in reference to the appropriate protection measures, as well as on how the data subject may become aware of those measures.

Are there any notification requirements for data breaches?

The controller is obliged to notify the Commissioner of a violation of personal data which may create a risk to the rights and freedoms of natural persons without undue delay, or, if possible, within 72 hours of finding out about the violation.

If the controller does not act within 72 hours of finding out about the injury, he is obliged to explain the reasons for not acting within that period.

The processor is obliged, after finding out about the violation of personal data, without undue delay inform the controller about the injury.

If a personal data breach can create a high risk to the rights and freedoms of natural persons, the controller is obliged to inform the data subject without undue delay of the breach.

In the notification, the controller is obliged to describe in a clear and understandable manner the nature of the data breach and to provide the information required by the Law.

The Law on Information Security requires notification of regulators in case of ICT systems of special importance, in accordance with this law.

Note: The Law on Information Security requires notification of regulators in case of ICT systems of special importance, i.e. systems which are used:

in implementation of competencies of public authorities;
for processing of data, which are, in accordance with the Law, considered as sensitive personal data;
in performance of activities in the public interest pursuant to this law.

The notification is limited to significant breaches.

In accordance with the nature, scope and complexity of its business, the operator of ICT systems of special importance is obliged, within its organizational structure, to define and implement measures of protection of ICT systems, in accordance with the Law on Information Security, national and international standards implemented in specific of fields of industries.

Who is the privacy regulator?

Commissioner for Information of Public Importance is established by The Law on Free Access to Information of Public Importance as an autonomous state body, independent in exercising its jurisdiction.

Note: The Commissioner for Information of Public Importance and Personal Data Protection is an autonomous public authority, who exercises his/her powers independently and whose competencies are set by Article 77 of the Law.

The data subject has the right to file a complaint to the Commissioner if he/she considers that the processing of personal data has been carried out contrary to the provisions of the law. Filing a complaint to the Commissioner does not affect the data subject’s right to initiate other administrative or judicial protection proceedings

The Commissioner acts upon complaints of data subjects, determines whether there has been a violation of the law, notifies the data subject on the course and results of the proceedings and supervises and ensures the implementation of the law in accordance with its powers.

What are the consequences of a privacy breach?

As abovementioned, the controller and processor have the obligation of notification without undue delay about data breaches, as soon as they notice the violation of personal data which may create a risk to the rights and freedoms of natural persons. If the controller does not act within 72 hours of finding out about the injury, he is obliged to explain the reasons for not acting within that period.

A person who has suffered material or immaterial damage as a result of a violation of the provisions of the Law is entitled to monetary compensation for this damage from the controller or processor who caused the damage.

The Law prescribes that a fine in the amount of RSD 50,000 to 2,000,000 shall be charged for infringement to a controller and a processor with the status of a legal entity for privacy breaches determined by the law.

Note: If violations of the provisions of the Law on Protection of Personal Data pertaining to processing are identified in the course of supervision, the commissioner shall caution the controller against any irregularities in processing.

The Commissioner is authorized to take the following corrective measures:

to warn the controller and the processor by submitting a written opinion that the intended processing operations may violate the provisions of the law;
to issue a warning to the controller or processor if the processing violates the provisions of the law;
to order the controller and the processor to act upon the request of the data subject in connection with the exercise of his rights, in accordance with this Law;
to order the controller and the processor to harmonize the processing operations with the provisions of the law, in a specific manner and within a specified time;
to instruct the controller to inform the data subject about a violation of the personal data;
impose a temporary or permanent restriction on the performance of a processing operation, including a prohibition on processing;
to order the correction or deletion of personal data or to restrict the performance of a processing operation, as well as to order the controller to inform about it the other controller, the data subject and the recipients to whom the personal data have been disclosed or transferred;
revoke the certificate or order the certification body to revoke the issued certificate;
to impose a fine on the basis of a misdemeanor warrant if during the inspection supervision it was established that a misdemeanor for which a fine has been prescribed by this law; and
suspend the transfer of personal data to a recipient in another country or international organization.

A fine from RSD 5,000 to 150,000 will be imposed on a natural person who does not keep as confidential personal information that has to find out while performing their business activities.

If controllers do not comply with the measure imposed by the Commissioner, the Commissioner is authorized to impose a fine of up to 10% of the revenues of the controller gained in the previous business year.

The implementation of measures is governed by an enactment of the commissioner.

How is electronic marketing regulated?

Electronic marketing is regulated by the Law on Advertising ("Official Gazette of the Republic of Serbia" no.6/2016 and 52/2019 – other law) which prescribes that individuals shall give prior consent in order to participate in direct advertising.

Note: According to the Law on Advertising, direct advertising to individuals require their prior consent. The said given consent may be revoked at any time. The advertiser or transferor of the ad message must allow this.

Direct advertising to individuals is carried out in accordance with the rules on advertising by means of distance communication in accordance with the regulations governing consumer protection.

Are there any recent developments or expected reforms?

In June 2021, the Serbian Government formed a Working Group for Preparation of Data Protection Strategy in Accordance with the Action Plan. The task of the Working Group is to define the strategic direction of development in the field of protection of personal data. This includes amendments of the Law Personal Data Protection in the context of its application for more than two years, aligning other system laws with the Law on Personal Data Protection, including rendering special laws governing the use of video surveillance, processing of biometric data, use of artificial intelligence, etc.

Global Data Privacy Guide

Serbia

Global Data Privacy Guide

Serbia

Members