Serbia: GDPR update

After a public hearing lasting over a year, Serbia’s National Assembly adopted a new Data Protection Law on November 9, 2018. The law takes effect on August 21, 2019, and aligns with GDPR provisions as part of Serbia’s broader EU harmonization efforts.

Extension of Territorial Application

The law applies to controllers and processors handling personal data of individuals residing in Serbia, regardless of the processor’s location. It covers processing activities related to offering goods or services to Serbian residents and monitoring their activities within Serbia.

Double Penalties

Maximum penalties doubled compared to the previous law, reaching 2 million RSD (approximately €17,000). However, this remains substantially below GDPR’s maximum of €20 million or 4% of annual global turnover.

The new law eliminates the previous requirement for handwritten consent. Individuals may now grant consent through “tick-the-box” mechanisms and online methods, reflecting “freely given, specific, informed and unambiguous expression of will.”

Rights of Data Subjects

Controllers must notify subjects of breaches posing high risks to their rights. The law establishes several new protections:

  • Right to Access: Free copies of processed data, delivered electronically
  • Right to Correction: Correction of inaccurate data without undue delay
  • Right to Erasure: Request deletion when data becomes unnecessary or consent is revoked
  • Right to Limit Processing: Restriction based on accuracy contests or illegal processing
  • Right to Data Portability: Receiving data in structured, machine-readable formats

More Precise Definition of Personal Data

Personal data now includes identifiers in electronic communication networks, such as internet protocol addresses and cookie identifiers, enabling broader protection of individuals.

Protection Measures

Controllers must implement technical, organizational, and personnel measures that effectively apply data protection principles, including data minimization and appropriate retention periods.

Transfer of Personal Data to Other Countries

Transfers require adequate protection levels, determined by Council of Europe Convention membership or EU adequacy designations. Government-published lists identify qualifying countries. Transfers to non-qualifying nations require special Commissioner consent.

Data subjects gain multiple avenues for addressing breaches: objections to controllers, complaints to the Commissioner, administrative disputes, and direct judicial review.

Personal Data Security

The law mandates documentation of breaches, including facts, consequences, and remedial actions, serving as evidence for Commissioner investigations.

Privacy Impact Assessment (PIA)

Controllers must assess processing risks before implementation when activities risk significant harm to rights, particularly involving new technologies or large-scale surveillance.

Data Protection Officer (DPO)

Organizations must appoint a DPO when core activities involve systematic monitoring of numerous subjects or processing special data categories.

Penalty Provisions

Fines range from 50,000 to 2 million RSD for legal entity violations—substantially lower than GDPR maximums.

Conclusion

While the law adopts many GDPR provisions, full harmonization remains incomplete, particularly regarding penalty enforcement mechanisms. Implementation success will determine whether Serbia matches EU privacy protections.