1. On discovering a data breach, which regulators or other government agencies should be notified?
In accordance with the Personal Data Protection Act (“Official Gazette of the Republic of Serbia”, no. 87/2018), a data subject is entitled to file a complaint to the Commissioner for Information of Public Importance and Data Protection in case they believe that the processing of their personal data was executed contrary to said Act. The Commissioner is entitled, as an authority responsible for supervising the implementation of the Act, amongst other, to inform the data controller or the processor on potential breaches of the Act, to request and be granted access from the data controller and processor to all personal data, as well as to information required for the exertion of its authorities, request and be granted access to all premises of the data controller and the processor, including all access to all assets and equipment.
The Electronic Communications Act (“Official Gazette of the Republic of Serbia”, nos. 44/2010, 60/2013, 62/2014 and 95/2018) imposes a duty on entities which perform or are authorized to perform electronic communications’ activities to notify the Regulatory Agency for Electronic Communications and Postal Services (RATEL) which is the competent state authority, of any breach of security and integrity of public communication networks and services, that influences their work significantly and particularly for breaches that resulted in the violation of protection of personal data or privacy of the respective networks, users, or subscribers.
2. What legislation, relating to both criminal offences and civil wrongs, covers such a breach?
- Electronic Communications Act (“Official Gazette of the Republic of Serbia”, Nos. 44/2010, 60/2013, 62/2014 and 95/2018) – Articles 124 and 125;
- Personal Data Protection Act (“Official Gazette of the Republic of Serbia”, No. 87/2018) – with emphasize on Articles 52, 53 and 86; and
- Criminal Code (“Official Gazette of Republic of Serbia”, Nos. 85/2005, 88/2005, 107/2005, 72/2009, 111/2009, 121/2012, 104/2013, 108/2014, 94/2016 i 35/2019) – Articles 146 and 240.
A number of bylaws are also relevant:
- Rulebook on the manner of preliminary verification of personal data processing operations (“Official Gazette of the Republic of Serbia”, No. 35/2009);
- Decree on the form for and the manner of keeping records on the processing of personal data (“Official Gazette of the Republic of Serbia”, No. 50/2009);
- Rulebook on the form and manner of keeping records of persons for the protection of personal data (“Official Gazette of the Republic of Serbia”, No. 40/2019);
- Rulebook on the form and manner of keeping internal records on violations of the Personal Data Protection Act and measures taken in the performance of inspection supervision (“Official Gazette of the Republic of Serbia”, No. 40/2019);
- Rulebook on the form of notification of personal data breach and the manner of notifying the Commissioner for Information of Public Importance and Personal Data Protection on personal data breach (“Official Gazette of the Republic of Serbia”, No. 40/2019);
- Rulebook on the complaint form (“Official Gazette of the Republic of Serbia”, No. 40/2019).
3. What agencies have the power to conduct dawn raids on private sector companies? What legislation gives those agencies the power to undertake those inspections?
The competent authority which performs dawn raids is the Commission for Protection of Competition of the Republic of Serbia (“Commission”).
- Protection of Competition Act (“Official Gazette of the Republic of Serbia”, nos. 51/2009 and 95/2013); and
- General Administrative Procedure Act (“Official Gazette of the Republic of Serbia”, nos. 18/2016 and 95/2018).
4. On what bases, including privilege and/or confidentiality, may organisations refuse to permit the seizure of documents?
According to Article 55 of the Serbian Protection of Competition Act, there is no basis on which a party to the proceedings may refuse to permit the seizure of documents.
On the other hand, a party to the proceedings holds (amongst other rights) a right to request:
- Those documents. which represent confidential communication within the meaning of the provision of Article 51 of the Protection of Competition Act, be specially marked and separated from the documentation collected during the dawn raid; and
- Copies of the minutes of the inspection from officials of the Commission, and the list of collected documentation and belongings which are copied or temporarily seized during the dawn raid.
Furthermore, attorney-client privileged communication (any form of communication between the party against whom the procedure is conducted and its attorney which is directly related to the procedure) is also considered as protected information in accordance with Article 51 of the Serbian Protection of Competition Act, which means that this information cannot be seized nor used in the proceedings by the official person conducting the investigation and the procedure.
5. What are the circumstances under which an employee is entitled to protection when reporting an alleged wrongdoing?
In accordance with the Whistleblowers Protection Act (“Official Gazette of Republic of Serbia”, No. 128/2014), whistleblowers are individuals who disclose information about their work engagement, recruitment process, use of services provided by state bodies, incumbents of public office and public services, business cooperation, and ownership over a company. Whistleblowing is the disclosure of information that relates to (i) breaches of regulations, (ii) breaches of human rights, (iii) misconduct by incumbents of public office, (iv) threats to life, (v) public health, (vi) safety, and (vii) the environment, as well as (viii) the prevention of large-scale damage. Such disclosure may be made to the whistleblower's employer (internal whistleblowing), a competent state body (external whistleblowing), or the public. The Whistleblowers Protection Act provides specific rules for each of these types of whistleblowing.
The whistleblower is entitled to protection if he/she: (i) performs whistleblowing against the employer, competent state body, or the public in the manner prescribed by law, (ii) discloses information within a year from the day of finding out about the action that is subject to disclosure, and no later than ten years from the performance of the action, and (iii) at the moment of disclosure, an average person with similar knowledge and experience as the whistleblower would put faith in the veracity of disclosed information.
The protection also applies to the following individuals if they prove that they have been exposed to adverse action: (i) individuals close to whistleblower, (ii) individuals exposed to adverse action because they were mistakenly marked as whistleblowers, (iii) individuals who disclosed information while performing official duties, and (iv) individuals who requested data regarding information.
6. What legislative protection does that
The Whistleblowers Protection Act expressly prohibits adverse action against whistleblowers and provides mechanisms for protecting whistleblowers’ identities. Also, whistleblowers are entitled to compensation for damages according to the rules of Serbia's Contracts and Torts Act. Furthermore, the Act expressly prohibits actions that may prevent whistleblowing. The Act defines an adverse action as any action or omission related to whistleblowing through which (i) the rights of whistleblowers or individuals enjoying protection as whistleblowers are jeopardized or violated, or (ii) these persons are put in a less favorable position. Whistleblowers enjoy identity protection: persons authorized to receive information from them are obliged to protect the whistleblower's personal data and any data that may disclose the whistleblower’s identity. This obligation extends to every person who may come into possession of the whistleblower's personal data. A whistleblower who suffered damages in relation to their whistleblowing is entitled to judicial protection according to the rules of Serbia's Civil Procedure Act. The Whistleblowers Protection Act’s implementation shall be supervised by the Labor Inspectorate.
- The Whistleblowers Protection Act (“Official Gazette of Republic of Serbia”, no. 128/2014);
- The Contracts and Torts Act (“Official Gazette of the SFRY” nos. 29/78, 39/85, 45/89 - decision by CCY, 57/89; “Official Gazette of the SRY” no. 31/93; “Official Gazette of the Serbia and Montenegro” no. 1/2003- Constitutional Charter and (“Official Gazette of the Republic of Serbia” no. 18/20); and
- The Civil Procedure Act (“Official Gazette of the Republic of Serbia”, nos. 72/2011, 49/2013 – decision by CCS, 74/2013 – decision by CCS, 55/2014 and 18/2020).
Anti-bribery and corruption
7. What are the main anti-corruption laws and regulations in your jurisdiction?
- The Criminal Code (“Official Gazette of Republic of Serbia”, nos. 85/2005, 88/2005, 107/2005, 72/2009, 111/2009, 121/2012, 104/2013, 108/2014, 94/2016 and 35/2019);
- The Anti-Corruption Act (“Official Gazette of Republic of Serbia”, nos. 35/2019, 88/2019 and 11/2021 – authentic interpretation);
- The Public Procurement Act (“Official Gazette of Republic of Serbia”, nos. 124/2012, 14/2015, 68/2015 and 91/2019);
- Prevention of Money Laundering and Terrorist Financing Act (“Official Gazette of Republic of Serbia”, nos. 113/2017, 91/2019 and 153/2020);
- Decision on the Establishment of the Anti-Corruption Council (“Official Gazette of Republic of Serbia”, nos. 59/2001, 3/2002, 42/2003, 64/2003 and 14/2006);
- Liability of Legal Entities for Criminal Offences Act (“Official Gazette of the Republic of Serbia”, no. 97/2008);
- Lobbying Act (“Official Gazette of the Republic of Serbia”, Nos. 87/2018 and 86/2019);
- Financing Political Activities Act (“Official Gazette of the Republic of Serbia”, Nos. 43/2011, 123/2014 and 88/2019).
8. Does the legislation have extra-territorial effect?
Criminal legislation of the Republic of Serbia shall apply to:
- Anyone who commits a criminal offence abroad if committed against the Republic of Serbia or its citizen;
- Anyone who commits a criminal offence of forgery in case the forgery relates to domestic money;
- Any Serbian citizen when he or she commits a criminal offence abroad if found in the Serbian territory or is extradited to Serbia (also applied to the perpetrator of a criminal offence who became a Serbian citizen after having committed the criminal offence);
- A foreigner who commits a criminal offence outside Serbian territory against the Republic of Serbia or a Serbian citizen if that person is found on the Serbian territory or is extradited to the Republic of Serbia; and
- A foreigner who commits a criminal offence against a foreign country or a foreign citizen, outside the Serbian territory, when such offence is punishable by five-year imprisonment or a heavier penalty, pursuant to laws of the country of commission, and in case such person is found on the Serbian territory and is not extradited to the foreign state.
9. What are the main enforcement bodies?
Main enforcement bodies:
- The Anti-corruption Agency
- The Public Procurement Office
- The Republic Commission for Protection of Rights in the Public Procurement Procedures
- The State Audit Institution
- The Anti-corruption Council
- The Administration for the Prevention of Money Laundering
- The Tax Administration (Tax police sector).
10. Is there any duty to report the issue, for example
to a regulator?
According to Serbian laws, during an internal investigation, a disclosure should be made to the enforcement authorities immediately if the internal investigation discovers a criminal offence while it is still happening, since it could be stopped and/or prevented, or if an immediate threat to people or property exists, which can and has to be prevented. In such cases, the internal investigation engages with the entity it has been in contact with, and advises to immediately inform the enforcement authorities with different demands, such as obtaining a freezing order, stopping the money transaction, employment, or construction inspection, etc.
11. What is the protection from disclosure for documents generated as part of the investigation (for example, privilege)?
Entities will protect privileged documents during an internal investigation by giving them to outside counsel for inspection and selection. If outside counsel does not share the documents with anyone, client attorney privileged communication is fully secured. If there is a need for part of the documents to be subjected to forensic expertise, outside counsel will carry out the selection of the documents that will be disclosed and will protect them by the laws concerning business secrets. In that case, the third party will have the status of a witness without any limitation or protection.
12. Is the advice given by an in-house lawyer in relation to the investigation privileged and/or confidential?
Legal privileges apply differently whether in-house counsel or outside counsel directs the internal investigation. If in-house counsel is an employee, legal privilege benefit shall not apply. Only outside counsel, which is an attorney at law has the right of legal privilege according to law and Bar rules which regulate the status of lawyers.
This guide contains summaries of general principles of law. It is not a substitute for specific legal advice and should not be relied upon in relation to the application of the law or subject matter covered.