Personal Data Protection in Serbia

On 9 November 2018, the National Assembly of the Republic of Serbia adopted the Personal Data Protection Act, which was published in the Official Gazette of the Republic of Serbia No. 87/18 on 13 November 2018. The Act comes into force on 21 November 2018 and starts to apply on 21 August 2019.

This Act has been enacted for more than one reason, the most important being that the existing regulation cannot adequately ensure the unhindered exercise of rights in all areas, and the need for compliance with EU regulations, which is an obligation of Serbia as part of its EU accession process.

Since the enactment of the personal data protection legislation (2008), EU regulation has changed significantly and new relevant rules have been enacted, such as Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

The main goal of this Act is to ensure respect for the basic rights and freedoms of individuals, in accordance with the standards set by the world’s most advanced jurisdictions.

The Act regulates personal data processing, the procedure for protecting individuals’ rights regarding data processing, the rights, obligations and responsibilities of the data processor, the handler of data and the receiver of the data, and the competence and standing of the independent body for the protection of personal data.

The Act, inter alia, regulates:

  • Basic notions used in the Act, in a broader sense, with some new terms added;
  • The procedure for exercising rights to the protection of personal data, in more detail;
  • An extended number of cases in which the procedure for transferring data abroad is fully regulated, which significantly accelerates such transfers (bringing factual circumstances closer to advancements in information technology, social networks etc.);
  • Responsibility in case of violation of personal data rights, and in case of non-fulfillment of legal requirements by the data processor, handler or their representatives;
  • Security of personal data, by stipulating a larger number of protection measures and the procedure to follow if a violation occurs;
  • Mandatory risk analysis prior to the start of data processing and, if the risk is high-level, a compulsory opinion of the acting authority;
  • New institutes, such as binding business rules, certification, the appointment of a person for the protection of personal data and an acting code;
  • Personal data processing done by acting authorities in order to prevent, investigate, detect or prosecute criminal wrongdoings;
  • The competence and powers of the Commissioner for Information of Public Importance and Personal Data Protection, which are widened and set out more precisely.