Personal data protection in Serbia – the legal framework

Law on Personal Data Protection

BlogCommercial law

Add comment

Personal data protection in Serbia was regulated by the provisions of the Law on Personal Data Protection and, in some cases, by the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of April 27, 2016, on the protection of individuals in the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).

The General Data Protection Regulation (from now on GDPR) started with implementation within European Union on May 25, 2018. The Law on Personal Data Protection, which entered into force on November 21, 22018 and started with implementation on August 21, 2019, adopt the majority of principles and standards of GDPR.

Application of GDPR’s provisions in Serbia

GDPR entered into force on May 25, 2018, and from then on, natural and legal persons with residency or establishment in the European Union are obliged to comply with the GDPR rules and under certain conditions, individuals and legal entities in Serbia are obliged to comply.

Provisions of GDPR shall be applied when the data controller or data processor does not have an establishment in the European Union under the condition that the data processing activities are related to:

  • Offering goods or services to individuals whose data are processed in the European Union, whether or not the individual should pay for these goods or services and
  • Monitoring the behaviour of individuals whose data is being processed as far as that behaviour occurs within the European Union.

It is important to note that if a controller or processor with the establishment in Serbia processes the data of a European Union Member State citizen, that does not imply automatic application of the GDPRs.

The European Data Protection Board has published guidelines to clarify, among other things, in which cases the GDPR applies to companies whose headquarters are located outside the European Union. The European Data Protection Board’s Guidelines clarify what it means:

  • Offering goods or services to data subjects who are physically in the European Union and
  • Monitoring of behaviour of data subjects in the European Union, as far as their behaviour takes place within the European Union.

Personal data protection in Serbia - the legal framework

Application of the Law on Personal Data Protection

According to the Law on Personal Data Protection, personal data is any information relating to a natural person whose identity is fixed or determinable, directly or indirectly, in particular based on the designation of identity, such as name and identification number, location data, an identifier in electronic communications networks or one i.e. more characteristics of his physical, physiological, genetic, mental, economic, cultural and social identity.

Law on Personal Data Protection will be applied:

  • On the personal data processing that is performed, in whole or in part, in an automated manner, as well as on non-automated processing of personal data which makes part of the collection of data or is intended for data collection
  • On the personal data processing that is carried out by the controller or processor who has a seat, i.e. permanent or temporary residence in the territory of the Republic of Serbia, in the context of the activities which are carried out in the territory of the Republic of Serbia, regardless of whether the action of processing is performed on the part of the Republic of Serbia
  • The processing of personal data of persons to whom the data relate to permanent or temporary residence in the territory of the Republic of Serbia by the operator or processor that does not have headquarters or domicile or residence in the territory of the Republic of Serbia if the preparatory related to:
    a) Offer goods or services to the person whose data are processed on the territory of the Republic of Serbia, regardless of whether such person requests payment for those goods or services;
    b) Monitoring the activities of the person whose data are processed if the activities are carried out on the territory of the Republic of Serbia.

Law on Personal Data Protection does not apply:

  • when natural persons perform processing for their own needs, i.e. for the needs of their household
  • to anonymous data, i.e. data based on which it is impossible to identify a person (neither indirectly nor directly) and
  • when there is no personal data database, i.e., data is neither systematized nor structured.

Principles and legal grounds for processing personal data

During the procedure of complying with the new Law on Personal Data Protection, as well as when processing personal data after that, companies will constantly need to take care of six grounds of personal data processing:

  1. Lawfulness, fairness and transparency – the obligation of personal data processing following the new law or other law which regulates the processing of personal data in a fair and transparent manner
  2. Limitation concerning the purpose of processing – personal data collection needs to be conducted solely for specific, explicit, justified and lawful purposes
  3. Data minimization – personal data that is being processed has to be adequate, relevant and limited to what is necessary for the purpose for which it is being processed
  4. Accuracy – personal data has to be accurate and, where necessary, kept up to date
  5. Storage limitation – personal data needs to be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. Integrity and confidentiality – personal data has to be processed in a manner that ensures its appropriate security.

For the processing to be lawful, it is required for the processing purpose to be one of six legal grounds:

  1. Protection of vital interests
  2. Consent
  3. Legitimate interests
  4. Contractual necessity
  5. Compliance with legal obligations
  6. Doing jobs in public interests.

Last update: 15. 8. 2023.

Read more:
Compensation »
Debt collection »

Your comment

Your email address will not be published. Required fields are marked with an asterisk .

Read other related texts »
Law on Central Records of Beneficial Owners

Central records of beneficial owners

The Law on Central Records of Beneficial Owners (“Official Gazette of the RS”, nos. 19/2025, 51/2025 and 60/2025 – corr.) governs the establishment, content, grounds for registration, and manner of maintaining the Central Records of Beneficial Owners of legal entities, other entities registered in the Republic of Serbia in accordance with the law, trusts and…
More info »
Law on Healthcare

Conditions for the establishment and termination of private healthcare institution

Pursuant to the provisions of the Law on Healthcare (“Official Gazette of RS”, no. 25/2019, 92/2023 – authentic interpretation, and 29/2025 – Constitutional Court decision), healthcare providers in the Republic of Serbia are: Healthcare institutions in public and private ownership; Higher education institutions in healthcare and other legal entities authorised by a special law to…
More info »
Law on Primary Education and Upbringing

Registration of a private primary school

Primary education is an activity of direct social interest and is carried out as a public service. Primary education and upbringing are carried out in accordance with the Constitution, the Law on the Foundations of the System of Education and Upbringing (“Official Gazette of the RS”, Nos. 88/2017, 27/2018 – other law, 10/2019, 27/2018 –…
More info »
Law on Factoring

Requirements for Conducting Factoring

Law on Factoring (“Official Herald of the Republic of Serbia”, Nos. 62/2013 and 30/2018) regulates the concept and subject of factoring, factoring participants, conditions and manner of factoring, types of factoring, rights and obligations of factoring participants, factoring contract, reverse factoring, and supervision of factoring. According to provisions of the Law on Factoring (“Official Herald…
More info »
Law on Foreigners

Permanent residence of the foreigner in Serbia

Permanent residence is the approval of long-term residence of a foreign national in the Republic of Serbia. Conditions for approval of permanent residence, decision-making authority and the procedure for issuing approval, as well as the termination of approval for permanent residence of a foreign citizen in the Republic of Serbia are regulated by the provisions…
More info »
Companies Act

Legal aspects of the contract of the company members

The contract of the company’s members is a named corporate law contract. Unlike the founding act, a mandatory document of every company, the members’ agreement is optional. However, the absence of a legal obligation to conclude a contract for the members of a company, the complexity of relations in multi-member companies, and the great practicality…
More info »
Rulebook on registration in the Register of Agricultural Holdings

Requirements for enrollment in the register of agricultural holdings and the passive status of the Agricultural Holding

To implement and monitor agricultural policy, record agricultural holdings and family holdings, and conduct analytics and statistics for the needs of the Ministry responsible for agriculture affairs, the Directorate for Agricultural Payments maintains the Register of Agricultural Holdings. Rulebook on registration in the Register of Agricultural Holdings, data changes and renewal of registration, electronic processing,…
More info »
Law on Trade

Dropshipping as a form of electronic trade

The Law on Trade (“Official Gazette of RS,” No. 52/2019) governs dropshipping as a method of conducting electronic commerce in Serbia. Following the provisions of Article 17 of the Law on Trade (“Official Gazette of RS”, No. 52/2019), dropshipping is defined as a form of electronic commerce in which a retailer sells goods through an…
More info »
Copyright 2025. © Attorney Dragana Djordjevic | Izrada CodeBay doo