1. On discovering a data breach, which regulators or other government agencies should be notified?
In accordance with the Personal Data Protection Act (“Official Gazette of the Republic of Serbia”, No 87/2018), data subjects may file a complaint with the Commissioner for Information of Public Importance and Data Protection if they believe their personal data was processed contrary to the Act. The Commissioner is entitled, as the authority responsible for supervising enforcement of the Act, amongst others, to notify the data controller or processor about potential breaches of the Act, to request from and obtain, from the data controller and the processor, access to all personal data and to all information necessary for the exercise of its powers, to request and obtain access to any premises of the data controller and the processor, including any data processing equipment and means.
The Electronic Communications Act (“Official Gazette of the Republic of Serbia”, Nos 44/2010, 60/2013, 62/2014 and 95/2018) requires entities which carry on or are authorized to carry on electronic communications activities to notify the Regulatory Agency for Electronic Communications and Postal Services (RATEL), which is the competent state authority, of any security or integrity breach of public communication networks and services, that has a significant impact on their operations and in particular breaches of the protection of personal data or privacy of the respective networks, users or subscribers.
2. What legislation, relating to both criminal offences and civil wrongs, covers such a breach?
- Electronic Communications Act (“Official Gazette of the Republic of Serbia“, Nos 44/2010, 60/2013, 62/2014 and 95/2018) – Articles 124 and 125;
- Personal Data Protection Act (“Official Gazette of the Republic of Serbia“, No 87/2018) – with an emphasis on Articles 52, 53 and 86; and
- Criminal Code (“Official Gazette of Republic of Serbia“, Nos 85/2005, 88/2005, 107/2005) – Articles 146 and 240
3. What agencies have the power to conduct dawn raids on private sector companies? What legislation gives those agencies the power to undertake those inspections?
The competent authority for conductin dawn raids is the Commission for Protection of Competition of the Republic of Serbia (“Commission”).
- Protection of Competition Act (“Official Gazette of the Republic of Serbia”, Nos 51/2009 and 95/2013); and
- General Administrative Procedure Act (“Official Gazette of the Republic of Serbia”, Nos 18/2016 and 95/2018).
4. On what bases, including privilege and/or confidentiality, may organisations refuse to permit the seizure of documents?
Under Article 55 of the Protection of Competition Act, there is no basis on which a party to the proceedings may refuse to permit the seizure of documents.
On other hand, a party to the proceedings holds (amongst other rights) a right to request:
- that documents, which constitute confidential communication within the meaning of Article 51 of the Protection of Competition Act, be specially marked and separated from the documentation collected during the dawn raid; and
- copies of the record of the inspection from Commission officials, and the list of collected documentation and belongings copied or temporarily seized during the dawn raid.
Furthermore, attorney-client privileged communication (any form of communication between the party being investigated and its attorney which is directly related to the procedure) is also considered protected information in accordance with Article 51 of the Protection of Competition Act, meaning that this information cannot be seized or used in proceedings by officials conducting the investigation and procedure.
5. What are the circumstances under which an employee is entitled to protection when reporting an alleged wrongdoing?
The Whistleblowers Protection Act (“Official Gazette of Republic of Serbia”, No 128/2014), defines whistleblowers as individuals who disclose information about their work, recruitment process, use of services provided by state bodies, public officials and public utilities, business cooperation, and ownership over a company. Whistleblowing is the disclosure of information that relates to (i) breaches of regulations, (ii) breaches of human rights, (iii) misconduct by public officials, (iv) threats to life, (v) public health, (vi) safety, and (vii) the environment, as well as (viii) the prevention of large scale damage. Such disclosure may be made to the whistleblower's employer (internal whistleblowing), a competent state body (external whistleblowing), or the public. The Whistleblowers Protection Act provides specific rules for each of these types of whistleblowing.
The whistleblower is entitled to protection if: (i) whistleblowing against an employer, competent state body or making a public disclosure in the manner prescribed by law, (ii) discloses information within a year from the day of learning about the action that is being disclosed, and no later than ten years from the performance of the action, and (iii) at the moment of disclosure, an average person with similar knowledge and experience as the whistleblower would put faith in the veracity of the disclosed information.
The protection also applies to the following individuals if they prove that they have been exposed to adverse action: (i) individuals close to whistleblower, (ii) individuals exposed to adverse action because they were mistakenly marked as whistleblowers, (iii) individuals who disclosed information while performing official duties, and (iv) individuals who requested data regarding information.
6. What legislative protection does that
The Whistleblowers Protection Act expressly prohibits adverse action against whistleblowers and provides mechanisms for protecting whistleblowers’ identities. Also, whistleblowers are entitled to compensation for damages according to the rules of Serbia's Contracts and Torts Act. Furthermore, the Act expressly prohibits actions that may prevent whistleblowing. The Act defines an adverse action as any action or omission related to whistleblowing through which (i) the rights of whistleblowers or individuals enjoying protection as whistleblowers are jeopardized or violated, or (ii) these persons are put in a less favorable position. Whistleblowers enjoy identity protection: persons authorized to receive information from them are obliged to protect the whistleblower's personal data and any data that may disclose the whistleblower’s identity. This obligation extends to every person who may come into possession of the whistleblower's personal data. A whistleblower who suffered damages in relation to their whistleblowing is entitled to judicial protection according to the rules of Serbia's Civil Procedure Act. The Whistleblowers Protection Act’s implementation shall be supervised by the Labor Inspectorate.
- Whistleblowers Protection Act (“Official Gazette of Republic of Serbia”, No 128/2014);
- Contracts and Torts Act (“Official Gazette of the Socialist Federal Republic of Yugoslavia”, Nos 29/78, 39/85, 45/89 – Constitutional Court Ruling, 57/89; “Official Gazette of the Socialist Republic of Yugoslavia”, No 31/93; “Official Gazette of the Serbia and Montenegro”, No 1/2003- Constitutional Charter and (“Official Gazette of the Republic of Serbia”, No 18/20); and
- Civil Procedure Act (“Official Gazette of the Republic of Serbia”, Nos 72/2011, 49/2013 – Constitutional Court Ruling, 74/2013 – Constitutional Court Ruling, 55/2014 and 18/2020).
Anti-bribery and corruption
7. What are the main anti-corruption laws and regulations in your jurisdiction?
- Criminal Code (“Official Gazette of Republic of Serbia”, Nos 85/2005, 88/2005, 107/2005, 72/2009, 111/2009, 121/2012, 104/2013, 108/2014, 94/2016 and 35/2019);
- Anti-Corruption Act (“Official Gazette of Republic of Serbia”, No 35/2019);
- Anti-Corruption Agency Act (“Official Gazette of Republic of Serbia”, Nos 97/2008, 53/2010, 66/2011 – Constitutional Court Ruling, 67/2013 – Constitutional Court Ruling, 112/2013 – authentic interpretation, 8/2015 – Constitutional Court Ruling and 88/2019);
- Public Procurement Act (“Official Gazette of Republic of Serbia”, Nos 124/2012, 14/2015 and 68/2015);
- Anti-Money Laundering and Counter Terrorist Financing Act (“Official Gazette of Republic of Serbia”, Nos 113/2017 and 91/2019); and
- Decision establishing the Anti-Corruption Council (“Official Gazette of Republic of Serbia”, Nos 59/2001, 3/2002, 42/2003, 64/2003 and 14/2006).
8. Does the legislation have extra-territorial effect?
Criminal legislation of the Republic of Serbia applies to:
- Anyone who commits a criminal offence abroad if committed against the Republic of Serbia or a citizen thereof;
- Anyone who commits the criminal offence of forgery where the forgery relates to the national currency;
- Any Serbian citizen when he or she commits a criminal offence abroad if found in the territory of Serbia or is extradited to Serbia (also applies to perpetrators of a criminal offence who became Serbian citizens after the fact);
- Foreign nationals who commit a criminal offence outside the territory of the Republic of Serbia against the Republic of Serbia or Serbian citizens if those persons are found in the territory of the Republic of Serbia or are extradited to the Republic of Serbia; and
- Foreign nationals who commit a criminal offence outside Serbia against a foreign state or a foreign national, where such offence carries a sentence of five years' imprisonment or a heavier penalty under the laws of the country where the crime was committed, and in the event that person is found in the territory of Serbia and is not extradited to the foreign state.
9. What are the main enforcement bodies?
Main enforcement bodies:
- The Anti-Corruption Agency
- The Public Procurement Office
- The Republic Commission for Protection of Rights in the Public Procurement Procedures
- The State Audit Institution
- The Anti-Corruption Council
- The Administration for the Prevention of Money Laundering
- The Tax Administration (Tax police sector)
10. Is there any duty to report the issue, for example
to a regulator?
Serbian legislation requires that a disclosure should be made to the enforcement authorities immediately if an internal investigation detects a criminal offence while it is still being committed, since it could be stopped and/or prevented, or if an immediate threat to people or property exists, which can and must be prevented. In such cases, the internal investigation engages with the entity it has been in contact with, and advises to immediately inform the enforcement authorities with different demands, such as obtaining a freezing order, stopping the money transaction, employment or construction inspection, etc.
11. What is the protection from disclosure for documents generated as part of the investigation (for example, privilege)?
Entities will protect privileged documents during an internal investigation by furnishing them to outside counsel for inspection and selection. If outside counsel does not share the documents with anyone, client attorney privileged communication is fully secured. If there is a need for part of the documents to undergo forensic examination, outside counsel will select the documents to be disclosed and protect them by invoking the laws concerning business secrets. In that case, the third party will have witness status without any limitation or protection.
12. Is the advice given by an in-house lawyer in relation to the investigation privileged and/or confidential?
Legal privileges apply differently depending on whether in-house counsel or outside counsel directs the internal investigation. In-house counsel are classed as employees, hence legal privilege shall not apply. Only outside counsel has the right of legal privilege under the law and Bar rules governing the status of lawyers.
This guide contains summaries of general principles of law. It is not a substitute for specific legal advice and should not be relied upon in relation to the application of the law or subject matter covered.