What national laws regulate the processing of personal data in your jurisdiction?
Personal data protection is regulated by the Personal Data Protection Act (“Official Gazette of the Republic of Serbia”, No. 87/2018; “PDPA”).
A number of bylaws are also relevant:
- Rulebook on the manner of preliminary verification of personal data processing operations (“Official Gazette of the Republic of Serbia”, No. 35/2009);
- Decree on the form for and the manner of keeping records on the processing of personal data (“Official Gazette of the Republic of Serbia”, No. 50/2009);
- Rulebook on the form and manner of keeping records of persons for the protection of personal data (“Official Gazette of the Republic of Serbia”, No. 40/2019);
- Rulebook on the form and manner of keeping internal records on violations of the Personal Data Protection Act and measures taken in the performance of inspection supervision (“Official Gazette of the Republic of Serbia”, No. 40/2019);
- Rulebook on the form of notification of personal data breach and the manner of notifying the Commissioner for Information of Public Importance and Personal Data Protection on personal data breach (“Official Gazette of the Republic of Serbia”, No. 40/2019);
- Rulebook on the complaint form (“Official Gazette of the Republic of Serbia”, No. 40/2019).
To whom do the laws apply?
The PDPA applies to data processing performed by controller/operator whose business seat/domicile/place of residence is in Serbia, regardless of whether the processing takes place in the territory of the Republic of Serbia.
Additionally, the PDPA applies to data processing performed by a controller/operator that does not have its business seat/domicile or a place of residence in Serbia, if the processed data pertains to a person that has domicile or residence in Serbia, and the processing is related to either: i) the offering of goods or services to the person that has domicile or residence in Serbia, irrespective of whether compensation for goods or services is required; or ii) monitoring of the activity of a natural person the data pertains to if these activities are performed in Serbia.
What type of data is covered by the law?
The PDPA covers “personal data”, which is defined as any information pertaining to a natural person who is, directly or indirectly, identified or identifiable (in particular on the basis of an identification reference such as name, identification number, or data on location).
What are the main exemptions (if any)?
The PDPA does not apply to data processing performed by a natural person for personal or household purposes.
What rights do the laws grant to the data owners?
The PDPA explicitly prescribes the following rights:
1. Right to be informed
A natural person whose personal data are being processed (“data subject”) may obtain from the controller, inter alia, the information whether his/her personal data is being processed, as well as information on the purpose of processing, the categories of personal data that are processed, the right to request the correction or deletion of personal data.
2. Right of rectification and amendment
The data subject has the right to have incorrect or incomplete personal data rectified or amended, without undue delay.
3. Right to deletion (Right to be forgotten)
The data subject has the right to have his/her personal data erased by the controller in the following cases i) personal data is not necessary to achieve the purposes it was collected for; ii) the data subject withdraws consent for the processing, and there is no other legal basis for it; iii) data subject has objected to the processing; iv) personal data was illegally processed; v) the controller is legally obliged to delete personal data; vi) personal data has been collected in relation to the use of information society services.
4. Right to restrict processing
The data subject has the right to restrict the processing of personal data if: i) data subject contests the correctness of the personal data; ii) the processing is illegal; iii) the controller no longer needs the personal data for the processing, but the data is required by the data subject for the establishment, exercise or defense of legal claims; iv) the data subject has objected to the processing and the review whether the legitimate grounds of the controller override those of the data subject is pending.
5. Right to transmit data
The data subject has the right to receive back from the controller personal data he/she has previously provided (in a structured, commonly used, and machine-readable format) and the right to transmit those data to another controller without hindrance if i) the processing is based on consent or a contract; and ii) the processing is performed by automated means.
6. Right to object
The data subject shall have the right to make an objection to the processing of his/her personal data. In such a case, the controller must stop data processing unless the controller demonstrates convincing legitimate reasons for the processing which overrides the interests, rights, and freedoms of the data subject.
7. Right not to be a subject of automated decision making and profiling
The data subject has the right not to be a subject of a decision based exclusively on automated processing, including profiling if such decision affects or produces legal effects to the data subject.
8. Right to file a complaint
The data subject is entitled to file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”).
What are the lawful grounds for processing personal data or sensitive personal data (if different)?
Data processing is lawful only under one of the following conditions:
- The data subject has consented to the processing (not applicable for processing by government authority for special purposes);
- Processing is necessary for the performance of the contract concluded with the data subject, or for performing actions demanded by the data subject, before the contract was concluded (not applicable for processing by government authority for special purposes);
- Processing is necessary for fulfilling the controller’s legal duties;
- Processing is necessary for the protection of vital life interests of the data subject or other natural person;
- Processing is necessary for performing activities in the public interest or for the execution of legally prescribed powers of the operator;
- Processing is necessary for the fulfilment of the controller’s or third party’s legitimate interests unless those interests are overridden by the interests of the data subject.
The PDPA forbids the processing of special personal data, i.e., the data that reveals race or ethnic origin, political opinion, religious or philosophical conviction, union membership. It is also forbidden to process gene data, biometrical data for identification of a person, health condition data, or data about sexual activity or sexual orientation of a person.
However, the PDPA provides for an exhaustive list of exceptions for processing special personal data including, inter alia: i) consent of the data subject; ii) protection of vital interests of the data subject; iii) compliance with legal obligations or execution of legal powers of the controller; iv) public interest; v) the data subject already made the data publicly available.
What are the main obligations imposed by the law?
The controller is obliged to:
- Implement appropriate technical, organizational, and personnel measures to ensure that the processing is performed in accordance with the PDPA;
- Keep record of processing actions for which he or she is responsible;
- Cooperate with the Commissioner;
- Inform the Commissioner about the personal data breach which puts at risk rights and freedoms of natural persons, without undue delay;
- When it is likely that a certain type of processing, in particular one using new technologies, and considering the nature, scope, context, and purposes of the processing, will put at risk the rights and freedoms of natural persons, the controller is obliged to carry out an impact assessment (Data Protection Impact Assessment – “DPIA”) prior to processing.
- Appoint the Data Protection Officer.
Do the laws establish a data retention period to be observed?
No, there is no specific data retention period. However, personal data must not be retained (in a form that allows the identification of data subjects) for longer than is necessary for the purposes for which the personal data is processed.
Must the data processing activities be recorded under the law?
Yes, data processing activities must be recorded under the PDPA.
Is there a Data Protection National Authority? If so, what is the National Authority main role?
The competent authority is the Commissioner for Information of Public Importance and Personal Data Protection. The main role of the Commissioner, related to personal data protection is to, inter alia: i) supervise and ensure application of PDPA; ii) provide opinions to the National Assembly, Government, other public authorities, and organizations; iii) provide information to the data subjects on their rights; iv) handle complaints of the data subjects, determine whether or not there has been an infringement of the PDPA, and inform the complainant of the status and the outcomes of the proceedings; v) perform inspections regarding the application of the PDPA; vi) draw up standard contractual clauses and DPIA; vii) provide opinions in writing; viii) keep records of the data protection officers.
Does the law impose the obligation of designating a data protection officer (DPO)? If so, what is the role of the DPO under the law?
The controller and operator must appoint the data protection officer if i) the processing is carried out by a public authority or body; ii) the core activities of the controller or the operator consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; iii) the core activities of the controller or the operator consist of the processing of special categories of data or personal data relating to criminal convictions and offenses, on a large scale. In other cases, the appointment is not mandatory.
DPO must be i) informed by the controller and operator about all relevant activities; ii) independent in performing the work. DPO shall not be sanctioned for performing his duties in accordance with the PDPA. DPO must keep the personal data secret or confidential.
DPO must at least i) inform and give opinions to the controller or operator, as well as employees performing processing, on their legal obligations related to data protection; ii) monitor the application of the PDPA and other legislation related to data protection; iii) give opinions, when requested; iv) cooperate with the Commissioner.
What rules regulate the transfer of data outside your jurisdiction?
Part V of the PDPA regulates data transfer outside Serbian jurisdiction (Articles 63 – 72).
Is it necessary to notify the National Authority prior to the international transfer?
Do the laws impose any information security standards and/or requirements?
Considering the level of technological achievements and expenses of their application, nature, scope, circumstances, and purpose of processing, as well as the probability of risk occurrence, the controller and operator are obliged to conduct appropriate technical, organizational, and personnel measures to reach an appropriate level of safety. In particular, these measures consist of i) pseudonymization and crypto protection of personal data; ii) capability of ensuring permanent confidentiality, integrity, availability, and resilience of the processing system and service; iii) ensuring the recovery of availability and access to personal data in cases of a physical or technical incident, as soon as possible; iv) process of regular testing, evaluation, and estimation of the effectiveness of technical, organizational, and personnel measures.
Do the laws establish any kind of mandatory notification duty?
The obligation to notify has been abolished under the PDPA. The online registry of the controllers has ceased to exist.
What are the sanctions for noncompliance with data protection laws?
The sanctions are as follows:
- The person that has sustained material or non-material damage, can claim financial damages from the controller, operator, or competent authority that caused damage;
- Noncompliance with the PDPA is treated as misdemeanor. Fines ranging from Din 500,000 to 2,000,000 are prescribed for most misdemeanors conducted by the controller, or operator who is a natural person;
- Serbian Criminal Code sanctions an unauthorized collection of personal data. The prescribed sanctions are a fine or imprisonment of up to one year, or 3 years if the offense is made by a public official.
This guide contains summaries of general principles of law. It is not a substitute for specific legal advice and should not be relied upon in relation to the application of the law or subject matter covered.