Personal data protection in Serbia – the legal framework

Law on Personal Data Protection

BlogCommercial law

Add comment

Personal data protection in Serbia was regulated by the provisions of the Law on Personal Data Protection and, in some cases, by the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of April 27, 2016, on the protection of individuals in the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).

The General Data Protection Regulation (from now on GDPR) started with implementation within European Union on May 25, 2018. The Law on Personal Data Protection, which entered into force on November 21, 22018 and started with implementation on August 21, 2019, adopt the majority of principles and standards of GDPR.

Application of GDPR’s provisions in Serbia

GDPR entered into force on May 25, 2018, and from then on, natural and legal persons with residency or establishment in the European Union are obliged to comply with the GDPR rules and under certain conditions, individuals and legal entities in Serbia are obliged to comply.

Provisions of GDPR shall be applied when the data controller or data processor does not have an establishment in the European Union under the condition that the data processing activities are related to:

  • Offering goods or services to individuals whose data are processed in the European Union, whether or not the individual should pay for these goods or services and
  • Monitoring the behaviour of individuals whose data is being processed as far as that behaviour occurs within the European Union.

It is important to note that if a controller or processor with the establishment in Serbia processes the data of a European Union Member State citizen, that does not imply automatic application of the GDPRs.

The European Data Protection Board has published guidelines to clarify, among other things, in which cases the GDPR applies to companies whose headquarters are located outside the European Union. The European Data Protection Board’s Guidelines clarify what it means:

  • Offering goods or services to data subjects who are physically in the European Union and
  • Monitoring of behaviour of data subjects in the European Union, as far as their behaviour takes place within the European Union.

Personal data protection in Serbia - the legal framework

Application of the Law on Personal Data Protection

According to the Law on Personal Data Protection, personal data is any information relating to a natural person whose identity is fixed or determinable, directly or indirectly, in particular based on the designation of identity, such as name and identification number, location data, an identifier in electronic communications networks or one i.e. more characteristics of his physical, physiological, genetic, mental, economic, cultural and social identity.

Law on Personal Data Protection will be applied:

  • On the personal data processing that is performed, in whole or in part, in an automated manner, as well as on non-automated processing of personal data which makes part of the collection of data or is intended for data collection
  • On the personal data processing that is carried out by the controller or processor who has a seat, i.e. permanent or temporary residence in the territory of the Republic of Serbia, in the context of the activities which are carried out in the territory of the Republic of Serbia, regardless of whether the action of processing is performed on the part of the Republic of Serbia
  • The processing of personal data of persons to whom the data relate to permanent or temporary residence in the territory of the Republic of Serbia by the operator or processor that does not have headquarters or domicile or residence in the territory of the Republic of Serbia if the preparatory related to:
    a) Offer goods or services to the person whose data are processed on the territory of the Republic of Serbia, regardless of whether such person requests payment for those goods or services;
    b) Monitoring the activities of the person whose data are processed if the activities are carried out on the territory of the Republic of Serbia.

Law on Personal Data Protection does not apply:

  • when natural persons perform processing for their own needs, i.e. for the needs of their household
  • to anonymous data, i.e. data based on which it is impossible to identify a person (neither indirectly nor directly) and
  • when there is no personal data database, i.e., data is neither systematized nor structured.

Principles and legal grounds for processing personal data

During the procedure of complying with the new Law on Personal Data Protection, as well as when processing personal data after that, companies will constantly need to take care of six grounds of personal data processing:

  1. Lawfulness, fairness and transparency – the obligation of personal data processing following the new law or other law which regulates the processing of personal data in a fair and transparent manner
  2. Limitation concerning the purpose of processing – personal data collection needs to be conducted solely for specific, explicit, justified and lawful purposes
  3. Data minimization – personal data that is being processed has to be adequate, relevant and limited to what is necessary for the purpose for which it is being processed
  4. Accuracy – personal data has to be accurate and, where necessary, kept up to date
  5. Storage limitation – personal data needs to be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. Integrity and confidentiality – personal data has to be processed in a manner that ensures its appropriate security.

For the processing to be lawful, it is required for the processing purpose to be one of six legal grounds:

  1. Protection of vital interests
  2. Consent
  3. Legitimate interests
  4. Contractual necessity
  5. Compliance with legal obligations
  6. Doing jobs in public interests.

Last update: 15. 8. 2023.

Read more:
Compensation »
Debt collection »

Your comment

Your email address will not be published. Required fields are marked with an asterisk .

Read other related texts »
Companies Act

Incorporation of a joint stock company

A joint stock company is a company whose share capital is divided in stocks held by one or more stockholders who are not liable for the company’s obligations, except based on piercing the corporate veil in the cases prescribed by Article 18 of the Companies Act as well as in the case of deletion of…
More info »
Companies Act

Simplified procedure for implementing a status change

According to the provisions of the Companies Act, a merger by acquisition is a status change whereby one or more companies are merged into another company through the transfer of all assets and liabilities to that company, as a result of which the acquired company ceases to exist without undergoing liquidation. A merger by acquisition…
More info »
Companies Act

Acquisition and disposal of high-value assets

The concept of acquisition and disposal of high-value assets, the procedure for acquisition, i.e. disposal of high-value assets, as well as the consequences of breaching provisions on the disposal of high-value assets, are regulated by the provisions of Articles 470 to 473 of the Companies Act. The cited provisions of the Companies Act apply to…
More info »
Law on Resolving Conflicts of Laws with the Regulations of Other Countries

Conditions for the recognition and enforcement of a foreign court judgment in the Republic of Serbia

A foreign court judgment takes legal effect in the Republic of Serbia after the recognition procedure has been completed by the competent authorities of the Republic of Serbia. The procedure for the recognition and enforcement of foreign court judgments shall be conducted in accordance with: a bilateral treaty, where the procedural rules are contained in…
More info »
Law on Endowments and Foundations

Establishment of endowments and foundations

The Law on Endowments and Foundations (“Official Gazette of the Republic of Serbia”, No. 88/2010, 99/2011 – other law and 44/2018 – other law) (hereinafter: the Law on Endowments and Foundations) regulates the establishment and legal status of endowments and foundations, their assets, internal organisation, registration and deletion from the register, activities, status changes, supervision…
More info »
Employment Act

Contract with a director who is a foreign national

In certain specialised industries that are focused on international or specific foreign markets, companies often choose to appoint a foreign national to the position of director. Some of the most common questions that arise when making this decision include: Can I freely decide whether the director will be a domestic or foreign national? What are…
More info »
Law on Healthcare

Mandatory conditions for registering a polyclinic

A polyclinic, as a form of private practice, is established in accordance with the Law on Healthcare (“Official Gazette of RS”, nos. 25/2019, 92/2023 – authentic interpretation, and 29/2025 – Constitutional Court decision – hereinafter: the Law on Healthcare) for at least two different fields of medicine or dental medicine. In addition to the provisions…
More info »
Law on Foreigners

Temporary residence in Serbia based on family reunification

Temporary residence in Serbia based on family reunification allows foreign nationals to legally reside in the Republic of Serbia together with their family members. This type of residence is of particular importance because it protects the right to family life, recognised both by domestic legislation and international standards, and helps prevent families from being separated…
More info »
Copyright 2025. © Attorney Dragana Djordjevic | Izrada CodeBay doo
💬
Find the fast answer