Data Protection after Lockdown

In light of the announced ending of the state of emergency in Serbia, businesses must check and ensure their compliance with data protection regulation which has been fully applicable, even in these exceptional times.


Ever since General Data Protection Regulation (GDPR) came into force on 25 May 2018, data protection landscape in Europe came into the new reality.

In EU countries, GDPR is directly applicable.

But, GDPR contains extraterritorial provisions based on which it also brings within its competence any company that offers goods or services to persons in the EU or monitors such persons’ behaviour. The latter is, in practice, usually done via online tools, when companies and other actors, through cookies on their web sites, want to track EU citizens’ behaviour on the Internet.

So, because of these extraterritorial provisions, many non-EU entities, including a large number of Serbian businesses, are exposed to GDRP application.

Serbian businesses must, nevertheless, observe the new Serbian Data Protection Act (DPA), which became applicable on 21 August 2019, and that contains almost identical rules to GDPR.

Why are these new legal acts relevant for companies? 

For various reasons, but the main one surely being the focus of new rules on business processes in which companies process any personal data.

So, previous rules are not too different in terms of general requirements.

But, the big difference lies in the brand new legislative focus which is now shifted from formal (legal documents) to factual (business processes) regulatory compliance requirements.

Therefore, this legislative change requires somewhat different methodology for achieving compliance and avoiding penalties.

And that leads us to the other important change embodied into fines for non-compliance.

Namely, for violation of GDPR, fines range up to EUR 20 M or up to 4% of the total worldwide annual turnover of the companies for preceding year, whichever in higher. In Serbia, misdemeanour fines are doubled, and now range up to RSD 2 M (approx. EUR 17,000) for a single misdemeanour.

In such context, companies that wish to avoid non-compliance risks can no longer rely on lawyers to draft a set of internal acts that will be adopted and put in the drawers.

For that reason, GDPR or DPA compliance is achieved through joint endeavour of business people and legal specialists.

How to comply?

Through process that, in our view, has five standard phases which all boil down to making sure that business activities within the company, which require the processing of personal data, are undertaken in compliance with relevant data protection principles.

So, the first goal is to seek and identify such activities, whereas drafting procedures and rulebooks comes last.

1. Data mapping 

For this reason, legal specialists have to get information about the relevant business practices from the people within the company who engage in them. This is done through data mapping analysis or data inventory practice. For this purpose, the best practices show that usage of appropriate questionnaires is most efficient. This step should also include identification of the existing internal documents that are relevant for data protection issues.

2. Gap analysis  

With the results from the above data inventory, legal specialist conducts gap analysis in order to identify the gaps in the current systems against the data protection requirements and define priorities.

3. Implementation plan

The results of the gap analysis and understanding of the risk levels are the foundation for concrete implementation plan. Based on the implementation plan, that is tailor-made for each company i.e. each implementation project, realisation phase begins.

4. Realization phase

Therefore, realization phase is highly individual and depends on each organization’s size and overall data protection level. However, implementation usually includes all or some of the following:

  • Determining the appropriate legal basis for data processing under the GDPR and/or DPA;
  • Implementing of GDPR/DPA principles in all business process that include personal data;
  • Implementing IT/Cybersecurity measures;
  • Addressing international data transfers;
  • Regulating relationship with data processors and joint controllers i.e. drafting and executing appropriate agreements;
  • Assessing the need to conduct Data Protection Impact Assessment (DPIA);
  • Assessing the need to appoint Data Protection Officer (DPO);
  • Finalizing record of processing activities, based on data inventory.

5. Drafting documents 

The last activity in data protection implementation practice is drafting the internal policies, documents and templates for the management and use of personal data. These will vary based on each company’s needs but will in principle include the following: privacy policy, privacy notice, consent form, data breach policy, data subject rights policy and procedures cookies policy, and other documents.

Thank you for reading, and please be informed that this article attempts to convey our approach in handling data protection matters. Therefore, like all other materials on this and our web site, it has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. As a result, you should always consult your own legal advisors before engaging in any transaction.

    Ready to Achieve Your Goals? Contact us Today.

    Fill out our quick contact form below. Shortly thereafter we’ll let you know how to proceed. It’s that simple.

    By submitting your contact information, you agree that we may contact you by telephone (including text) and email in accordance with our Terms and Privacy Policy.

    Call Message