Law on Personal Data Protection

Personal data protection

Personal data means any information relating to a natural person, regardless of the form of its presentation or the medium used (paper, tape, film, electronic media etc.), regardless on whose order, on whose behalf or for whose account such information is stored, regardless of the date of its creation or the place of its storage, regardless of the way in which such information is learned (directly, by listening, watching etc., or indirectly, by accessing a document containing the information etc.) and regardless of any other characteristic of such information.

Law on Personal Data Protection (“Official Herald of the Republic of Serbia”, No. 97/2008, 104/2009 – other Law, 68/2012 – Decision of the Constitutional Court and 107/2012) shall set out the conditions for personal data collection and processing, the rights and protection of the rights of persons whose data are collected and processed, limitations to personal data protection, proceedings before an authority responsible for data protection, data security, data filing, data transfers outside the Republic of Serbia and enforcement of this Law.

Every natural person shall be entitled to personal data protection regardless of their nationality and residence, race, age, gender, language, religion, political and other affiliations, ethnicity, social background and status, wealth, birth, education, social position or any other personal characteristic.

The duties of personal data protection shall be carried out by the Commissioner for Information of Public Importance and Personal Data Protection, as an autonomous public authority who exercises his/her powers independently.


Confidentiality Duty

The Commissioner, the Deputy Commissioner and the staff of the expert service shall keep the confidentiality of all data they learn during the performance of their duties, in accordance with the law and other regulations governing data confidentiality, unless provided otherwise. This duty shall subsist even after the Commissioner and the Deputy Commissioner have left office and after the staff of the expert service terminated their employment.

Controllers shall inform processors and persons who have access to data with the data confidentiality safeguards.

Organizational and Technical Measures

Personal data must be adequately protected from abuse, destruction, loss, unauthorized alterations or access.

Controllers and processors shall take all necessary technical, human resources and organizational measures to protect data in accordance with the established standards and procedures in order to protect personal data from loss, damage, inadmissible access, modification, publication and any other abuse, as well as to provide for an obligation of keeping data confidentiality for all persons who work on data processing.


Data Processing Records

Controllers shall establish and maintain records containing the following information:

  • type of data and name of data file
  • type of processing activities
  • business name, name, head office and address of the controller
  • date of commencement of data processing or date of data file creation
  • the purpose of processing
  • the legal grounds for data processing or creation of data file
  • the category of personal data subjects
  • the type and degree of data confidentiality
  • the method of data collection and keeping
  • the time limit for data keeping and use
  • business name, name, head office and address of the data user
  • the mark under which data are transferred in or out of the Republic of Serbia, with an indication of the state or international organization and the foreign data user, the legal grounds and the purpose of transborder transfer in or out of the country
  • safeguards put in place to protect data
  • requests concerning data processing.

Controllers shall not be required to set up and maintain records for the processing of:

  • personal data collected solely for family purposes and other personal purposes
  • data processed for the purpose of maintaining registers required by the law
  • data in data files that contain only publicly available personal data
  • and data relating to persons whose identity remains undisclosed and the controller, the processor or the user is not authorized to establish such person’s identity.

Controllers shall update the records whenever a change occurs in relation to the basic data within 15 days of the date when such change occurs.

The format of records and the manner of keeping of records shall be specified by the Government.

Notification of the Commissioner

Before the commencement of data processing or creation of data files, as the case may be, controllers shall notify the Commissioner of their intent to form a data file, with enclosed personal data, as well as of any intended subsequent processing, such notification being due before the processing takes place and in any case not later than 15 days before the formation of the data file or before data processing.

The notification shall be entered in the Central Register.

The notification duty shall not apply to the commencement of data processing or creation of data files in cases where special regulations govern the purpose of processing, the type of data processed, the categories of users with access to the personal data and the period during which such personal data will be retained.

Prior Verification

Upon receipt of a notification and before the formation of a data file, the Commissioner shall verify any processing activities that could significantly prejudice the rights of data subjects. The method in which verifications are to be carried out shall be specified in an enactment passed by the Commissioner.

Duty to Submit

Controllers shall submit to the Commissioner records of data files or changes in data records at the latest within 15 days of the date of data file formation or change. The records shall be entered in the Central Register.

Central Register

The Commissioner shall form and maintain the Central Register.

The Central Register shall comprise a register of data files and a catalogue of data files.

The Central Register shall be public and has to be published on the Internet.

The Commissioner shall once a year publish an inventory of data files in the “Official Gazette of the Republic of Serbia”.

The Commissioner shall deny access to the record of data files upon request of a data controller, provided this is necessary for the achievement of a prevailing interest of national or public safety, national defence, crime prevention, detection, investigation and prosecution, or economic or financial interests of the state, or if a law or another regulation or enactment adopted pursuant to a law provide for the confidentiality of the record of data files.

Personal data protection


Personal data can be transferred from the Republic of Serbia to a state party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Personal data may be transferred from the Republic of Serbia to a state that is not a party to the Convention for the Protection of Individuals or an international organization if such state or international organization has a regulation or a data transfer agreement in force which provides a level of data protection equivalent to that envisaged by the Convention. In this case the Commissioner shall determine whether the requirements are met and safeguards put in place for the transfer of data from the Republic of Serbia and shall authorize such transfer.


The implementation of and compliance with the Law on Personal Data Protection shall be supervised by the Commissioner through authorized officers.

The Commissioner shall ex officio file petitions for institution of infringement proceedings in cases of violation of the provisions of the Law on Personal Data Protection.

The Law on Personal Data Protection provides fines for infringement because of the violations of the provisions of the Act as follows:

  • a fine in the amount of RSD 50,000 to 1,000,000 shall be charged a collector, a processor or a user with the status of a legal entity
  • a fine in the amount of RSD 20,000 to 500,000 shall be charged an entrepreneur and
  • a fine in the amount of RSD 5,000 to 50,000 shall be charged a natural person or the responsible officer of a legal entity, public authority, body or territorial autonomy and local self-government unit.

Read more:
Compensation »
Debt collection »

Leave a Reply

Your email address will not be published. Required fields are marked *