Serbia: The New Law on Personal Data Protection

On 9 November 2018 the National Assembly of Serbia has adopted the long awaited new Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, Official Gazette of the Republic of Serbia, no. 87/2018) (hereinafter: the Law).

The main reason behind the adoption of this new piece of legislation is harmonization with the European Union rules, i.e. ensuring the same level of protection of personal data as in the European Union member states. The introduction of the Law is part of Serbia’s obligations in process of the accession to the European Union. Further, the Law was adopted with the aim of facilitating the conducting of business of companies, having in mind the current level of application of modern information technology and social networks. Namely, the general assessment of the previous law on personal data protection is that it was already outdated at the time of its adoption, and therefore its application in practice was often marred by significant difficulties.

The Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: the Commissioner)'s stand regarding the text of the Law is that it represents a literal translation of the General Data Protection Regulation (hereinafter: the GDPR), and therefore exhibits a high level of formal compliance with the respective regulation of the European Union, but the practical application in Serbia is highly questionable.

Further, despite the Commissioner’s numerous complaints and suggestions, the Law does not regulate video surveillance, which remains in the gray area. The Commissioner has also found Article 40 of the Law to be quite controversial as it allows the limitation of certain fundamental rights and obligations envisaged by the Law, in a rather imprecise manner and without reference to the law as a legal ground for such limitation. Therefore, there is a potential threat that authorities or companies that handle personal data may restrict citizens' rights without explicit legal authority and at their own discretion.



Key novelties

The Law relies heavily on the solutions envisaged by the GDPR, and since it is a completely new law, which is significantly more extensive than its predecessor, we point out the most important provisions and key novelties which it has introduced.

Firstly, the Law is applied in cases where the data controller or the data processor with the seat or residence or temporary residence on the territory of the Republic of Serbia carries out personal data processing within the scope of activities that are carried out on the territory of the Republic of Serbia, regardless of whether the processing itself is done on the territory of the Republic of Serbia. Additionally, regardless of the seat or residence or temporary residence of the data controller or the data processor, the Law applies to cases of data processing if the persons to whom the data relates have residence or temporary residence in the Republic of Serbia, in two cases - in the case of offering goods and services, and in case of monitoring activities of persons if the activities are carried out in the Republic of Serbia. 

The Law extends and specifies the competencies and powers of the Commissioner as an independent state body and harmonizes it with relevant principles of European Union. In accordance with the Law, the Commissioner primarily performs inspection tasks, but, in addition, enjoys many other competences. Thus, the Commissioner takes appropriate corrective measures, ensures the implementation of the law, prepares standard contractual clauses regarding the processing of data, approves the provisions of the agreement or contract between the authorities regarding the transfer of data, keeps internal records of violations of the Law, reviews the issued certificates, and performs international cooperation activities.