Data Protection Laws and Regulations in Serbia

What are the main data protection-related pieces of legislation and other regulations in the Republic of Serbia?

Data protection matter in the Republic of Serbia is governed by the Law on Personal Data Protection (Official Gazette of RS no. 87/2018) (the LPDP), and several subordinate legislations passed thereunder, including Decision on the list of states, their parts of territories, or one or more sectors within those states and international organizations where it is considered that an adequate level of protection of personal data is ensured (Official Gazette of RS no. 55/2019) and Decision on the list of types of processing activities of personal data for which an assessment of the impact on the protection of personal data must be carried out and the opinion of the Commissioner for Information of Public Importance and Personal Data Protection sought (Official Gazette of RS no. 45/2019).

In addition, it is important to note that the Serbian LPDP is modeled after the GDPR, extensively mirroring the solutions outlined in the European Regulation.

What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?

Definitions of key terms pertaining to personal data protection are stipulated by the LPDP, e.g.:

• “Personal data” refers to any information relating to an identified or identifiable natural person, directly or indirectly, particularly based on identifiers such as name, identification number, location data, electronic identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
• “Data subject” is a natural person to whom personal data relates and is being processed;
• “Processing of personal data” encompasses any operation or set of operations performed, whether automated or not, on personal data or sets of personal data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
• “Controller” is a natural or legal person, or governmental body, that independently or jointly with others determines the purpose and means of processing personal data. The law that regulates the purpose and means of processing may designate the controller or prescribe conditions for its designation;
• “Processor” is a natural or legal person, or governmental body, that processes personal data on behalf of the controller;
• “Consent” of the data subject is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them;
• “Personal data breach” is a breach of personal data security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that has been transmitted, stored, or otherwise processed; etc.

Which entities fall under the data privacy regulations in the Republic of Serbia?

Pursuant to the LPDP, the subject regulation applies to the processing of personal data carried out, in whole or in part, by automated means, as well as to non-automated processing of personal data that constitutes part of a data collection or is intended for a data collection.

The LPDP, however, does not apply to the processing of personal data carried out by an individual for personal or household purposes.

In addition, the LPDP applies to the processing of personal data carried out by a controller or processor with a registered office, residence, or domicile in the territory of the Republic of Serbia, within activities conducted in the territory of the Republic of Serbia, regardless of whether the processing activity is carried out within the territory of the Republic of Serbia.

Furthermore, the LPDP applies to the processing of personal data of data subjects who have a residence or domicile in the territory of the Republic of Serbia by a controller or processor who does not have a registered office, residence, or domicile in the territory of the Republic of Serbia if the processing activities are related to:

• offering goods or services to the data subject in the territory of the Republic of Serbia, regardless of whether payment for these goods or services is requested from that data subject;
• monitoring the activities of the data subject if the activities are carried out in the territory of the Republic of Serbia.

Accordingly, data privacy regulations of the Republic of Serbia bind various types of entities, i.e., both public and private organizations and individuals (e.g., public and private companies, institutions, online retailers, healthcare providers, employers, etc.).

Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?

There are specific regulatory regimes, i.e., rules applicable to:

• data processing conducted by competent authorities for specific purposes;
• processing of special categories of personal data (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation); and
• data regarding criminal judgments and offenses.

Namely, the LPDP prescribes that processing carried out by competent authorities for specific purposes, involving the disclosure of racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning a person's sex life or sexual orientation (data considered sensitive, i.e., special), is permitted only if necessary, with the application of appropriate measures to protect the rights of the individuals to whom the data relates, in one of the following cases:

• the competent authority is legally authorized to process these special categories of personal data;
• processing of special categories of personal data is carried out to protect the vital interests of the data subject or another natural person;
• the processing relates to special categories of personal data that the data subject has manifestly made public.

Additionally, the LPDP provides for several exceptions to the rules that apply to data processing when carried out by competent authorities.

As for the processing of special categories of personal data, it is in general prohibited, except in cases explicitly prescribed by the LPDP (e.g., processing occurs within a registered activity, applying suitable protections by a non-profit entity like a foundation, association, or group with political, philosophical, religious, or labor union aims, provided that processing pertains to current or past members of the organization or those in regular contact concerning its goals, and that personal data remains confidential within the organization unless explicitly approved by the individuals involved).

On the subject of the processing related to criminal judgments and offenses, the LPDP prescribes that it may only be carried out under the supervision of the competent authority or, if the processing is permitted by law, with the application of appropriate measures to protect the rights and freedoms of the data subjects. A record of criminal judgments is maintained solely by and under the supervision of the competent authority.

What rights do data subjects have under the data protection regulations in the Republic of Serbia?

The LPDP prescribes the following rights of data subjects:

• Right to information: Data subjects have the right to be informed about the processing of their personal data, including the purpose of processing, types of data processed, data retention period, and other relevant information.
• Right to access: Data subjects have the right to access their personal data being processed, as well as information about the processing methods and use of their data.
• Right to rectification: If personal data is inaccurate or incomplete, data subjects have the right to request correction of such data.
• Right to erasure: Data subjects may request the deletion of their personal data if the data has been unlawfully processed or is no longer necessary for the purpose for which it was collected.
• Right to restriction of processing: Data subjects have the right to request restriction of the processing of their personal data in certain situations, such as disputing the accuracy of the data or if the processing is unlawful.
• Right to data portability: In certain cases, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
• Right to object: Data subjects have the right to object to the processing of their personal data in certain situations, such as processing for marketing purposes or processing based on legitimate interests.
• Right to lodge a complaint to the Commissioner for Information of Public Importance and Personal Data Protection: Data subjects have the right to lodge a complaint if they believe that the processing of their personal data has been carried out contrary to the provisions of the LPDP.

As regards the above-mentioned right to information, the LPDP prescribes the mandatory content of the notification on personal data processing, partially depending on whether the data is collected from the data subject or a third party.

What is the territorial application of the data privacy regime in your jurisdiction?

As previously mentioned, the LPDP applies to the processing of personal data carried out by a controller or processor with a registered office, residence, or domicile in the territory of the Republic of Serbia, within activities conducted in the territory of the Republic of Serbia, regardless of whether the processing activity is carried out within the territory of the Republic of Serbia.

Additionally, the LPDP applies to the processing of personal data of data subjects who have a residence or domicile in the territory of the Republic of Serbia by a controller or processor who does not have a registered office, residence, or domicile in the territory of the Republic of Serbia if the processing activities are related to:

• offering goods or services to the data subject in the territory of the Republic of Serbia, regardless of whether payment for these goods or services is requested from that data subject;
• monitoring the activities of the data subject if the activities are carried out in the territory of the Republic of Serbia.

What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?

When engaging in the processing of personal data within the jurisdiction of the Republic of Serbia, key factors and considerations to adhere to in particular include:

• Compliance with principles of data processing established by the LPDP: Adherence to the principles of lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality of data is of particular importance for lawful processing.
• Data security: It is necessary to implement appropriate technical, organizational, and personnel measures to ensure the security, confidentiality, integrity, and availability of personal data.
• Data subject rights: It is also important to inform data subjects of their rights pertaining to personal data protection, to respect them, and to facilitate their exercise.
• Cross-border data transfers: It is necessary to comply with legal requirements and safeguards when transferring personal data outside of the Republic of Serbia to ensure an adequate level of data protection.
• Data protection impact assessments (DPIAs): For high-risk data processing activities, i.e., which could imply a high risk to the rights and freedoms of data subjects, or which are determined as such by a decision of the Commissioner for Information of Public Importance and Personal Data Protection, it is necessary to undertake DPIA and implement necessary measures to mitigate risks to data subjects' rights and freedoms. In relation thereto, the afore-mentioned decision provides for the obligation to seek the official opinion of the Commissioner for Information of Public Importance and Personal Data Protection in the event of certain data processing activities (e.g., processing of personal data that involves tracking the location or behavior of an individual in the case of systematic processing of communication data generated using telephones, the internet, or other communication means).
• Data breach notification: It is also necessary to implement procedures for timely detection, assessment, and notification of personal data breaches to relevant authorities and affected data subjects, as required by the LPDP.

As for the above-mentioned principles of data processing established by the LPDP:

• the principle of lawfulness, fairness, and transparency means that personal must be processed lawfully, fairly, and transparently in relation to the data subject, whereby lawful processing is considered processing that complies with the LPDP or another regulation governing processing;
• the principle of purpose limitation means that personal data need to be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
• the principle of data minimization means that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes of processing;
• the principle of accuracy means that personal data need to be accurate and, where necessary, kept up to date, whereby all reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay, considering the purposes of the processing;
• the principle of storage limitation means that personal data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes of processing; and
• the principle of integrity and confidentiality of data means that personal data need to be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical, organizational, and personnel measures.

Regarding the aforementioned principle of lawfulness, the LPDP prescribes that processing of personal data is lawful only if one of the following conditions (i.e., legal grounds) is met:

• the data subject has consented to the processing of their personal data for one or more specific purposes;
• processing is necessary for the performance of a contract concluded with the data subject or for taking pre-contractual steps at the request of the data subject;
• processing is necessary for compliance with a legal obligation of the controller;
• processing is necessary to protect the vital interests of the data subject or another natural person;
• processing is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring personal data protection, especially when the data subject is a minor.

If processing is based on the consent of the data subject, the controller must be able to demonstrate that the individual has consented to the processing of their personal data. As previously mentioned, in order to be considered legally valid, the consent needs to be freely given, a specific, informed, and unambiguous indication of the data subject’s will, given by a statement or a clear affirmative action.

Before giving consent, the data subject must be informed of the prescribed circumstances of processing, as well as their right to withdraw consent and the effects of withdrawal. The data subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Also, the withdrawal of consent must be as easy as giving consent.

In line with the practice of the Commissioner for Information of Public Importance and Personal Data Protection, consent is not considered a valid legal basis for processing personal data in employment relationships, as the hierarchical relationship between the employer and the employee does not allow for it to be considered freely given.

What are the regulations and best practices concerning the retention and deletion of personal data in the Republic of Serbia?

As mentioned above, personal data must be stored in a format that allows the identification of data subjects only for as long as necessary to fulfill the purpose of processing. In other words, once the purpose of the processing has been met, it is required to delete data.

On the subject of data deletion, the LPDP stipulates that the controller is obliged to delete the data without undue delay in the following cases:

• personal data is no longer necessary for the purposes for which they were collected or otherwise processed;
• data subject has withdrawn consent on which the processing was based (in accordance with the LPDP), and there is no other legal basis for processing;
• data subject has objected to the processing (in accordance with the LPDP);
• personal data has been processed unlawfully;
• personal data must be erased for compliance with the controller's legal obligations;
• personal data has been collected in relation to the provision of information society services (under the LPDP).

In addition, if the controller has publicly disclosed personal data, their obligation to erase the data also encompasses taking all reasonable measures, including technical measures, in line with available technologies and cost considerations, to inform other controllers processing such data that the data subject has requested the deletion of all copies of this data and references or electronic links to this data.

However, the right to erasure, i.e., data deletion is limited by the LPDP, which prescribes that it shall not be applied to the extent that processing is necessary for:

• exercising the right to freedom of expression and information;
• compliance with a legal obligation of the controller requiring processing or for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;
• exercising a public interest in the field of public health (in accordance with the LPDP);
• archiving purposes in the public interest, scientific or historical research purposes, and statistical purposes (in accordance with the LPDP), where it is reasonably expected that exercising this right could render impossible or seriously impair the achievement of the purposes of such processing;
• submitting, exercising, or defending a legal claim.

Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?

The regulatory authority in the Republic of Serbia regarding data protection is the Commissioner for Information of Public Importance and Personal Data Protection (the Commissioner).

The Commissioner is appointed by the National Assembly of the Republic of Serbia, and it is completely independent in exercising their powers and duties under the LPDP, i.e., free from any direct or indirect external influence, and cannot seek or accept instructions from anyone.

To ensure the effective exercise of the powers prescribed by the LPDP, the necessary financial resources for work, and office space, as well as the necessary technical, organizational, and personnel conditions for the work of the Commissioner, are provided from the budget.

In exercising their powers, the Commissioner acts in accordance with the law regulating general administrative procedure, as well as with the relevant provisions of the law regulating inspection supervision.

Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in the Republic of Serbia, and under what conditions?

As a rule, the controller and processor may designate a data protection officer (DPO).

However, the controller and processor are required to designate a DPO if:

• the processing is carried out by a public authority, except for processing by a court in the performance of its judicial duties;
• the core activities of the controller or processor consist of processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of a large number of data subjects;
• the core activities of the controller or processor consist of processing special categories of personal data (as defined by the LPDP), or personal data relating to criminal convictions and offenses (in terms of the LPDP), on a large scale.

Appointed DPOs are subject to registration with the Commissioner, and the controller is obliged to publish their contact details.

A DPO may be an employee of the controller or processor or may perform duties based on a contract, and they are appointed based on their professional qualifications, especially their expertise and experience in the field of personal data protection, as well as their ability to fulfill the obligations prescribed under the LPDP.

How should data breaches be handled in your jurisdiction?

Pursuant to the LPDP, the controller is obliged to inform the Commissioner without undue delay of any personal data breach that may pose a risk to the rights and freedoms of individuals, or, if possible, within 72 hours from becoming aware of the breach. On the other hand, the processor is obligated to inform the controller, without undue delay, after becoming aware of a personal data breach.

The notification to the Commissioner must contain at least the following information:

• description of the nature of the personal data breach, including the types of data and the approximate number of individuals whose data of that type is affected, as well as the approximate number of personal data affected by the breach;
• name and contact details of the data protection officer or information on another way to obtain information about the breach;
• description of the potential consequences of the breach;
• description of the measures taken by the controller or proposed measures related to the breach, including measures taken to mitigate harmful consequences.

The controller is also required to document every personal data breach, including facts about the breach, its consequences, and measures taken to rectify it.

In addition, if a personal data breach may pose a high risk to the rights and freedoms of individuals, the controller must inform the data subjects without undue delay about the breach.

In the subject notification, the controller must clearly and understandably describe the nature of the data breach and provide at least the information on:

• name and contact details of the data protection officer or information on another way to obtain information about the breach;
• description of the potential consequences of the breach;
• description of the measures taken by the controller or proposed measures related to the breach, including measures taken to mitigate harmful consequences.

The LPDP also stipulates several situations in which the controller is not obligated to inform the data subject of the data breach (e.g., if notifying the data subject would involve disproportionate effort in terms of time and resources, in which case the controller must provide the notification to the data subject through public notification or by other effective means).

What are the potential penalties and fines for non-compliance with data protection regulations in the Republic of Serbia?

The LPDP prescribes a misdemeanor liability for non-compliance with data protection regulations, i.e., that a fine shall be imposed, ranging:

• from RSD 50,000 to RSD 2 million (approximately from EUR 425 to EUR 16,950), if the controller or processor is a legal entity;
• from RSD 20,000 to RSD 500,000 (approximately from EUR 170 to EUR 4,240), if the controller or processor is an entrepreneur; and
• from RSD 5,000 to RSD 150,000 (approximately from EUR 43 to EUR 1,275), to an individual or a responsible person of a controller/processor (who is a legal entity).

Are there any noticeable patterns or trends in how enforcement is carried out in the Republic of Serbia?

There is indeed a noticeable trend of increasing awareness regarding personal data protection rules lately in the Republic of Serbia, meaning that businesses and individuals are paying more attention to their rights and obligations in this respect. On the other hand, the Commissioner for Information of Public Importance and Personal Data Protection has a respectable practice, following the example of EU data protection bodies, which includes not only monitoring and enforcement measures but also annual publication containing official viewpoints of the respective authority, which serve as guidelines for businesses and individuals regarding data protection issues.

How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in the Republic of Serbia?

Emerging technologies like AI, IoT, and blockchain have a significant impact on data protection considerations in Serbia. Some key points are given below:

• Increased data volume: These technologies lead to a massive increase in the volume of data collected, processed, and stored. This poses challenges in terms of data security, privacy, and the ability to manage and protect such vast amounts of information effectively.
• The complexity of data processing: Furthermore, the respective technologies gather and process data in real-time, often without direct human intervention. This dynamic and continuous data processing requires robust security measures and privacy safeguards to prevent unauthorized access or misuse.
• Data privacy concerns: With the extensive use of such complex algorithms, there are concerns about how personal data is collected, used, and shared. It raises questions about transparency, consent, and ensuring that individuals have control over their data.
• Cybersecurity challenges: As these technologies become more interconnected and data-driven, the risk of cybersecurity threats such as data breaches, hacking, and malware attacks also increases. As previously mentioned, robust cybersecurity measures and proactive monitoring are essential to mitigate these risks.

In summary, while emerging technologies offer numerous benefits and advancements, they also bring forth complex challenges related to data protection, privacy, cybersecurity, and ethical use of data. Adapting regulatory frameworks, implementing robust security measures, promoting transparency, and fostering awareness are crucial steps in addressing these challenges effectively.

Are there any expected changes in data protection on the horizon in the next 12 months in the Republic of Serbia?

On August 25, 2023, the Government of the Republic of Serbia adopted the Personal Data Protection Strategy for the 2023-2030 period.

The subject enactment emphasizes the need to improve the LPDP, but also to harmonize other regulations with the provisions thereof, i.e., rules regarding personal data protection, and regulating the use of equipment for audio and video surveillance, as well as the use of genetic and biometric data.

In addition to the above, it has announced a harsher penal policy for breaching obligations concerning personal data protection, emphasizing that the model used by the Commission for the Protection of Competition should be applied in this regard, according to which, in the event of a violation of regulations in the respective matter, the commission itself can impose a fine, whereby the amount thereof depends on the company’s income.

It has also been announced that the institutional capacities of the Commissioner shall be strengthened, by providing additional regional offices, and by increasing the number of persons specialized for personal data protection in the bodies dealing with the subject issues, through their education.

Nevertheless, it cannot be said with certainty whether any of the above will be implemented in the next 12 months.