Personal data protection in Serbia was regulated by the provisions of the Law on Personal Data Protection and, in some cases, by the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of April 27, 2016, on the protection of individuals in the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).
The General Data Protection Regulation (hereinafter: GDPR) has been applied within the European Union since May 25, 2018. The Law on Personal Data Protection, which entered into force on November 21, 2018 and has been applied since August 21, 2019, adopts the majority of the principles and standards of the GDPR.
Application of GDPR’s provisions in Serbia
GDPR entered into force on May 25, 2018, and from then on, natural and legal persons with residency or establishment in the European Union are obliged to comply with the GDPR rules. Under certain conditions, individuals and legal entities in Serbia are also obliged to comply.
Provisions of GDPR shall be applied when the data controller or data processor does not have an establishment in the European Union under the condition that the data processing activities are related to:
- Offering goods or services to individuals whose data are processed in the European Union, whether or not the individual is required to pay for these goods or services, and
- Monitoring the behaviour of individuals whose data is being processed as far as that behaviour occurs within the European Union.
It is important to note that if a controller or processor with an establishment in Serbia processes the data of a European Union Member State citizen, that does not imply automatic application of the GDPR.
The European Data Protection Board has published guidelines to clarify, among other things, in which cases the GDPR applies to companies whose headquarters are located outside the European Union. The European Data Protection Board’s Guidelines clarify what is meant by:
- Offering goods or services to data subjects who are physically in the European Union and
- Monitoring of behaviour of data subjects in the European Union, as far as their behaviour takes place within the European Union.
Application of the Law on Personal Data Protection
According to the Law on Personal Data Protection, personal data is any information relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular based on an identifier such as a name and identification number, location data, an identifier in electronic communications networks, or one or more characteristics of that person's physical, physiological, genetic, mental, economic, cultural and social identity.
The Law on Personal Data Protection applies to:
- Personal data processing that is performed, in whole or in part, in an automated manner, as well as non-automated processing of personal data that forms part of a data collection or is intended for a data collection
- Personal data processing that is carried out by a controller or processor who has a seat, i.e. permanent or temporary residence, in the territory of the Republic of Serbia, in the context of activities carried out in the territory of the Republic of Serbia, regardless of whether the processing itself is performed in the territory of the Republic of Serbia
- The processing of personal data of data subjects with permanent or temporary residence in the territory of the Republic of Serbia by a controller or processor that does not have its seat or permanent or temporary residence in the territory of the Republic of Serbia, if the processing activities are related to:
a) Offering goods or services to the person whose data are processed in the territory of the Republic of Serbia, regardless of whether payment is requested from that person for those goods or services;
b) Monitoring the activities of the person whose data are processed, if the activities are carried out in the territory of the Republic of Serbia.
Law on Personal Data Protection does not apply:
- when natural persons perform processing for their own needs, i.e. for the needs of their household
- to anonymous data, i.e. data based on which it is impossible to identify a person (neither indirectly nor directly) and
- when there is no personal data database, i.e., data is neither systematized nor structured.
Principles and legal grounds for processing personal data
While bringing their operations into compliance with the new Law on Personal Data Protection, as well as when processing personal data after that, companies will constantly need to observe six principles of personal data processing:
- Lawfulness, fairness and transparency – personal data must be processed in accordance with the new law or another law that regulates the processing of personal data, in a fair and transparent manner
- Limitation concerning the purpose of processing – personal data collection needs to be conducted solely for specific, explicit, justified and lawful purposes
- Data minimization – personal data that is being processed has to be adequate, relevant and limited to what is necessary for the purpose for which it is being processed
- Accuracy – personal data has to be accurate and, where necessary, kept up to date
- Storage limitation – personal data needs to be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Integrity and confidentiality – personal data has to be processed in a manner that ensures its appropriate security.
For the processing to be lawful, it must be based on one of six legal grounds:
- Protection of vital interests
- Legitimate interests
- Contractual necessity
- Compliance with legal obligations
- Performing tasks in the public interest.
Last update: 15. 8. 2023.