Personal data protection in Serbia is regulated by the provisions of the Law on Personal Data Protection and, in some cases, by the provisions of the General Data Protection Regulation.
The General Data Protection Regulation (hereinafter: GDPR) began to apply within the European Union on May 25, 2018. The Law on Personal Data Protection, which entered into force on November 21, 2018 and began to apply on August 21, 2019, adopts the majority of the GDPR's principles and standards.
Application of GDPR’s provisions in Serbia
The GDPR entered into force on May 25, 2018, and from then on, natural and legal persons with residency or establishment in the European Union are obliged to comply with the GDPR rules. Additionally, under certain conditions, natural and legal persons in Serbia are also obliged to comply.
The GDPR's provisions apply when the data controller or data processor does not have an establishment in the EU, provided that the data processing activities are related to:
- Offering goods or services to individuals whose data are processed in the European Union, whether or not the individual has to pay for these goods or services, and
- Monitoring the behavior of individuals whose data is being processed, as far as that behavior takes place within the European Union.
It is important to note that if a controller or processor established in Serbia processes the data of an EU Member State citizen, that alone does not imply automatic application of the GDPR.
The European Data Protection Board (EDPB) issued Guidelines on the territorial scope of the GDPR in order to clarify, among other things, in which cases the GDPR applies to:
- offering goods or services to data subjects who are physically in the EU
- monitoring of behavior of data subjects in the EU, as far as their behavior takes place within the EU.
Application of the Law on Personal Data Protection
According to the Law on Personal Data Protection, personal data is any information relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identity designation such as a name and identification number, location data, an identifier in electronic communications networks, or one or more characteristics of his physical, physiological, genetic, mental, economic, cultural and social identity.
The Law on Personal Data Protection applies:
- to personal data processing that is performed, in whole or in part, in an automated manner, as well as to non-automated processing of personal data which form part of a data collection or are intended for a data collection
- to personal data processing carried out by a controller or processor that has a seat, i.e. permanent or temporary residence, in the territory of the Republic of Serbia, in the context of activities carried out in the territory of the Republic of Serbia, regardless of whether the processing itself is performed in the territory of the Republic of Serbia
- to the processing of personal data of data subjects with permanent or temporary residence in the territory of the Republic of Serbia by a controller or processor that does not have a seat or permanent or temporary residence in the territory of the Republic of Serbia, if the processing activities are related to:
– offering goods or services to the person whose data are processed in the territory of the Republic of Serbia, regardless of whether that person is required to pay for those goods or services;
– monitoring the activities of the person whose data are processed, if the activities are carried out in the territory of the Republic of Serbia.
The Law on Personal Data Protection does not apply:
- when natural persons perform processing for their own needs i.e. for the needs of their own household
- to anonymous data, i.e. data based on which it is impossible to identify a person (neither indirectly nor directly)
- when there is no personal data database, i.e., data is neither systematized nor structured.
Principles and legal grounds for processing personal data
While bringing their operations into compliance with the new Law on Personal Data Protection, as well as when processing personal data after that, companies will constantly need to observe six principles of personal data processing:
- Lawfulness, fairness and transparency – personal data must be processed in accordance with the new law or another law that regulates the processing of personal data, in a fair and transparent manner
- Purpose limitation – personal data may be collected solely for purposes that are specifically defined, explicit, justified and lawful
- Data minimization – personal data that is being processed has to be adequate, relevant and limited to what is necessary for the purpose for which it is being processed
- Accuracy – personal data has to be accurate and where necessary, kept up to date
- Storage limitation – personal data needs to be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Integrity and confidentiality – personal data has to be processed in a manner that ensures its appropriate security
For processing to be lawful, it must be based on one of six legal grounds:
- Protection of vital interests
- Legitimate interests
- Contractual necessity
- Compliance with legal obligations
- Performance of tasks in the public interest.
Update: 11. 9. 2019.