The Law, Serbian Privacy Safety Measures for Citizens
Serbia’s Law on Protection of Personal Data, also known as the Law, is a data protection law that was recently passed in Serbia in 2018. As Serbia is not an EU member state and as such, does not fall under the jurisdiction of the General Data Protection Regulation or GDPR, the Law on Protection of Personal Data was passed to provide Serbian citizens with a similar level of data protection as is given to citizens of EU member states. Subsequently, the Law on Protection of Personal Data establishes the responsibilities that data controllers within Serbia must fulfill when collecting personal data from Serbian citizens.
What is the scope and application of the Law on Protection of Personal Data?
In terms of the personal scope of the Law on Protection of Personal Data, the law “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Furthermore, the Law applies to the processing of personal data performed by a controller or a processor who has its business seat/place of residence in the territory of the Republic of Serbia, within the framework of activities performed in the territory of the Republic of Serbia, regardless of whether the processing takes place in the territory of the Republic of Serbia”.
Alternatively, the territorial jurisdiction of the Protection of Personal Data Law applies to the processing of the personal data of data subjects who reside in the territory of Serbia by data controllers and processors who are not physically located within the country, permitting said data processing:
- Is related to the offering of goods or services to data subjects within Serbia, regardless of if payment is required from said data subjects.
- Is related to the monitoring of the behavior of Serbian citizens living within the territory of Serbia.
With respect to the material scope of the law, the determining factor in whether specific types of data fall under the jurisdiction of the law is the possibility of said types of data being used to identify the person from whom such data was collected. To this end, data, such as name, telephone number, address, identification number, email, or any other data, through which the relevant natural person (i.e. data subject) could be identified” is considered to be personal data under the Law. Contrarily, personal data that does not have the potential to identify as an associated data subject does not constitute personal data under the law.
What are the data protection principles of the Law on Protection of Personal Data?
The Law on Protection of Personal Data states that personal data must be:
- Processed in a manner that is lawful, fair, and transparent to data subjects.
- Collected for purposes that are legal, justifiable, explicit, and specific. Personal data is prohibited from being processed in a manner that is not consistent with these purposes.
- Relevant, adequate, and limited to what is necessary with respect to the purpose for which said personal data is to be processed, also known as data minimization.
- Accurate and kept up to date where necessary, while also taking into account the purpose for data processing, as well as the measures that must be taken to ensure that personal data is found to be inaccurate, is erased, or rectified without delay.
- Is kept in a form that allows for the identification of applicable data subjects for no period longer than is needed to fulfill the purposes of data processing, also known as storage limitation.
- Is processed in a manner that ensures the appropriate security of personal data that is collected and processed, including protecting against unauthorized use or processing, against accidental loss, damage, and destruction.
Additionally, the Law on Protection of Personal Data also requires data controllers and processors to consider the level of data protection within the applicable country when conducting data transfers, maintaining data processing records, including the name and contact details of data controllers, and conducting Data Protection Impact Assessments or DPIA’s. Moreover, data controllers and processors are also responsible for appointing or designation a data protection officer or DPO to oversee the processing of personal data, as well as notifying affected parties and data subjects regarding data breaches that may occur, without undue delay.
What are the rights of data subjects under the Law on Protection of Personal Data?
In keeping the similarities between the Law on Protection of Personal Data and the EU’s GDPR Law, Serbian citizens are guaranteed the following rights in regards to their privacy and personal data:
- The right to be informed– Data subjects have to be informed about information related to the processing of their personal data, such as whether or not their personal data has been processed.
- The right to access– Data subjects have the right to access personal data that a data controller or processor may hold concerning them
- The right to rectification– Data subjects have the right to request that a data controller or processor rectify personal data pertaining to them that has been found to be inaccurate or incomplete, without undue delay.
- The right to erasure– Data subjects have the right to request that a data controller or processor erase personal data pertaining to them under certain circumstances, such as when such personal data was unlawfully collected and processed.
- The right to object or opt-out– Data subjects have the right to object to the processing of their personal data, on the grounds relating to their own personal situation or views, at any time during the processing of their personal data.
- The right to data portability– Data subjects have the right to a copy of the personal data that they have provided to the data controller or processor in “a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
- The right not to be subject to automated decision making– Data subjects have the right not to be subject to data processing decisions based solely on the basis of automated processing.
- The right to restriction of processing– Data subjects have the right to request that a data controller or processor restrict the processing of their personal data under certain circumstances, such as instances in which the accuracy of a data subject’s personal data is contested by them.
- The right to lodge a complaint before the Poverenik– Data subjects have the right to lodge complaints before the Poverenik, in instances where they believe their rights have been violated.
As it relates to the enforcement of the law and applicable punishments, the Law on Protection of Personal Data is enforced by The Commissioner for Information of Public Importance and Personal Data Protection, known as the Poverenik for short. As such, the Poverenik “may impose a fine on the basis of a misdemeanor order if during the inspection supervision it was established that a misdemeanor for which a fine as prescribed by this law has occurred. The fine imposed may not, in any case, exceed the maximum amounts that can be imposed on the controller or processor for a misdemeanor under the Law, i.e. up to approx. €17,000 ($19,738).
With the passing of the Law on Protection of Personal Data in 2018, Serbian citizens are provided with an enhanced level of data protection when compared to many other countries in the world, with respect to both the rights of data subjects as well as the responsibilities of data controllers and processors. As the law was created to provide data subjects with data privacy protection on par with that offered by the EU’s GDPR law and the California Privacy Rights Act or CCPA, Serbian citizens can have the peace of mind that their personal data is being safeguarded at all times, whether they are in Serbia or outside of the country.
