
SERBIA - Data Protection and GDPR Review


History of Data Protection in Serbia


Data protection in Serbia has evolved significantly over the years, shaped by both internal reform pressures and international influences, especially from the European Union (EU). Below is a general timeline and key milestones in Serbia's data protection journey:


Pre-2000s: Initial Stages

Before the new millennium, Serbia had no dedicated laws for data protection. Issues related to privacy and data were often covered under broader constitutional and human rights provisions, but these were not specific to data protection.


Early 2000s: Emergence of the Concept

The early 2000s saw a growing awareness of data protection as a distinct legal concept, particularly as Serbia sought closer ties with the EU. This created a perceived need to align Serbian laws with EU standards, including in the realm of data protection.


2008: Data Protection Law

In 2008, Serbia enacted its first significant data protection legislation, commonly referred to as the "Data Protection Law." This law laid the groundwork for the establishment of principles and norms related to personal data protection.


Commissioner for Information of Public Importance and Personal Data Protection

The 2008 Data Protection Law led to the establishment of the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) as an independent authority responsible for overseeing data protection.


2014: The Action Plan

Serbia adopted an Action Plan for Chapter 23 in its EU accession negotiations, which included comprehensive data protection reform as one of its priorities.


2017-2018: GDPR Influence and New Law

With the adoption of the EU's General Data Protection Regulation (GDPR) in 2018, Serbia started to take steps to align its legislation further with EU standards. In November 2018, a new Law on Personal Data Protection was adopted, aimed at achieving greater harmonization with the GDPR.


Post-2018: Implementation and Compliance

After the new law's enactment, businesses and institutions had a transitional period to become compliant. The new law empowered the Commissioner with enhanced authority to impose fines and sanctions for violations.


Ongoing Challenges

One of the most pressing challenges for Serbia in the field of data protection has been the implementation and enforcement of the new laws. Issues related to public awareness, capacity building, and international data transfers remain areas for development.


The history of data protection in Serbia is characterized by an ongoing process of development and reform, driven in large part by the country’s aspirations for EU membership. The enactment of new legislation and the strengthening of the regulatory framework have been significant steps, but challenges remain, particularly in the realm of implementation and enforcement.


Serbia has been progressively aligning its data protection laws with the European Union's General Data Protection Regulation (GDPR) as part of its EU accession efforts. This guide provides an in-depth look at data protection in Serbia, its legislative alignment with GDPR, and what organizations should know for compliance.


Table of Contents


1. Regulatory Framework

2. Key Legislation

3. Data Protection Principles

4. Data Subject Rights

5. Responsibilities of Data Controllers and Processors

6. Consent Requirements

7. Data Breach Notifications

8. International Data Transfers

9. Relationship with GDPR

10. Compliance Checklist for Businesses

11. Penalties and Sanctions

12. FAQs

13. Conclusion and Future Outlook


1. Regulatory Framework


- Regulatory Body: The Commissioner for Information of Public Importance and Personal Data Protection is responsible for overseeing data protection in Serbia.


2. Key Legislation


- Law on Personal Data Protection (2018): This law is Serbia's most comprehensive piece of legislation on data protection and is aimed at aligning with GDPR standards.


3. Data Protection Principles


- Data Minimization

- Purpose Limitation

- Accuracy

- Storage Limitation

- Integrity and Confidentiality

- Lawfulness, Fairness, and Transparency


4. Data Subject Rights


- Right to be informed

- Right to access

- Right to rectification

- Right to erasure ("right to be forgotten")

- Right to data portability

- Right to object


5. Responsibilities of Data Controllers and Processors


- Data controllers are responsible for how and why data is processed.

- They must also maintain a record of data processing activities.

- Data processors act on behalf of controllers and are also bound by law to protect the data.


6. Consent Requirements


- Consent must be explicit, freely given, and informed.

- Consent can be withdrawn at any time.


7. Data Breach Notifications


- Data breaches must be reported to the Commissioner within 72 hours of becoming aware of the breach.

- Affected individuals must also be informed if there is a high risk to their rights and freedoms.


8. International Data Transfers


- Data can be transferred internationally if the receiving country ensures an adequate level of data protection.


9. Relationship with GDPR


- Although Serbia is not an EU member, its 2018 Law on Personal Data Protection is aimed at compliance with GDPR to facilitate business and legal cooperation with the EU.


10. Compliance Checklist for Businesses


- Assess current data protection measures

- Obtain proper consent

- Implement data protection by design and default

- Prepare for data breach response

- Maintain documentation


11. Penalties and Sanctions


- Non-compliance can result in fines up to €20,000 or 4% of the company’s annual turnover, whichever is greater.


12. FAQs


- Is GDPR applicable in Serbia? Not directly, but the 2018 Law is designed to align Serbian law with GDPR.

- What is the main regulatory body for data protection in Serbia? The Commissioner for Information of Public Importance and Personal Data Protection.


13. Conclusion and Future Outlook


- Serbia is keen on aligning its data protection regime with GDPR as part of its EU accession efforts.

- Companies operating in Serbia and dealing with EU citizens should be mindful of the need for dual compliance.


Disclaimer


This guide is intended for informational purposes only and should not be considered legal advice. Always consult legal experts for advice specific to your situation.
