Serbian Regulation: Law on Personal Data Protection in Serbia
Understand Serbia's Law on Protection of Personal Data (LPDP) and its impact on your business. Learn how to comply with Serbian data protection regulations and safeguard personal data.
What is the Serbia Data Protection Act?
As a business owner operating in Serbia, you need to be aware of the key legislation governing personal data protection. The primary law you need to be familiar with is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018), often referred to as "LPDP." The law was adopted in November 2018, after a draft published by the Ministry of Justice in November 2017, and started to apply on August 21, 2019. The LPDP largely mirrors the EU General Data Protection Regulation (GDPR) and provides the foundation for data protection in Serbia.
Beyond the LPDP itself, you should also be aware of the various by-laws that complement it. These regulations cover a wide range of aspects, including:
- Processing of personal data: This includes the procedure for notifying and obtaining approval from the relevant authority for intended personal data processing.
- Keeping records of data processing: This outlines the form for keeping records of data, personal data processing, and the manner of keeping such records.
- Data Protection Officers (DPOs): This defines the form and manner of keeping records of DPOs.
- Data breaches: This sets out the notification form for personal data breaches and the process for informing the Commissioner about them.
- Complaints: This defines the complaint form that individuals can submit to the Commissioner if they believe their personal data has been processed improperly.
- Impact assessments: This establishes a list of personal data processing operations that require an impact assessment before processing can begin.
- International data transfers: This determines the list of countries where an adequate level of personal data protection is considered to be ensured.
- Standard Contractual Clauses (SCCs): This establishes the SCCs that must be used in contractual relationships between data controllers and processors.
- Inspection supervision: This prescribes the form of the identification card carried by officials authorized to perform inspection supervision.
While the LPDP and its by-laws provide a framework for data protection in Serbia, concerns about the law's completeness and effectiveness have been raised. As a business owner, you should familiarize yourself with these rules, verify that your practices comply with them, and implement robust technical and organizational measures to safeguard personal data. Doing so mitigates the risk of non-compliance and demonstrates a commitment to respecting individuals' privacy rights.
Is the Serbian Personal Data Protection Law applicable to my business?
The Law on Protection of Personal Data has a broad scope. It covers both automated and non-automated processing of personal data, as long as the data forms part of a filing system or is intended to form part of one.
If your business is established in Serbia, the LPDP applies to your processing regardless of where the processing itself takes place. Even if your business is not established in Serbia, the LPDP applies if you offer goods or services to individuals in Serbia or monitor their behavior within Serbia.
The LPDP protects any data relating to an identified or identifiable individual, including names, phone numbers, addresses, and email addresses. It does not apply to anonymous data that cannot be linked to an individual, or to personal data processed by individuals for purely personal or household activities.
What is personal data and sensitive data under the Serbian LPDP Law?
As a business owner in Serbia, you need to understand the different types of personal data covered by the Law on Protection of Personal Data.
Personal data includes any information that can be used to identify a specific individual, such as names, identification numbers, location data, and online identifiers.
Sensitive data (special categories of personal data) requires even more stringent protection and includes information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and sex life or sexual orientation. Processing such data is prohibited unless one of the specific exceptions in the law applies, such as explicit consent.
What are the duties of data controllers and data processors?
It's important to understand your role in relation to personal data under the Law on Protection of Personal Data.
As a business owner who decides why and how personal data is processed, you are the data controller. You are responsible for ensuring that all personal data you process is handled lawfully, fairly, and transparently. This means you need a legal basis for collecting and using data, must provide clear information to individuals about how their data is used, and must obtain consent where that is the basis you rely on. You must also limit the data you collect to what is necessary for specific, legitimate purposes, keep it accurate, retain it no longer than needed, and protect it with appropriate technical and organizational measures.
If you engage other companies to process personal data on your behalf, such as cloud service providers or marketing agencies, they are data processors. You must choose processors that provide sufficient guarantees, bind them with a written contract that sets out the subject matter, duration, nature and purpose of the processing and the processor's obligations, and verify that they comply. You remain responsible for the processing even when it is outsourced.
Do we need consent to process personal data?
Consent is one of several legal bases for processing under the LPDP; the others include performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, and the controller's legitimate interests. Where you rely on consent, the individual must freely, specifically, and knowingly agree to the processing of their data. Consent can be given through a statement or a clear affirmative action, like ticking a box on a website or signing a form, and the individual may withdraw it at any time.
It's important to note that consent must be:
- Freely given: The individual must not be pressured or coerced into giving consent.
- Specific: The consent must be specific to the particular processing activity. You can't get broad consent for any and all processing.
- Informed: The individual must be provided with clear and concise information about the purpose of the processing, the types of data being processed, and their rights.
- Unambiguous: The consent must be expressed through a clear affirmative act. Silence, inactivity, or pre-ticked boxes do not count as consent. Keep a record of when and how each consent was obtained, because you must be able to demonstrate it.
Do we need a privacy policy?
Yes. The LPDP requires you to inform data subjects, at the time their data is collected, about who you are, why and on what legal basis you process their data, who receives it, how long you keep it, whether you transfer it abroad, and what rights they have. A privacy policy (privacy notice) is the standard way to meet this obligation.
Serbia's Personal Data Protection Law (PDP Law) is heavily influenced by the GDPR, and a privacy policy is a crucial component of compliance.
Key reasons for having a privacy policy:
- Transparency: It clearly communicates how you collect, use, and protect personal data.
- Trust Building: Demonstrates your commitment to data protection, fostering trust with customers.
- Legal Compliance: A well-crafted privacy policy helps you adhere to the PDP Law's requirements.
- Risk Mitigation: Reduces the risk of legal issues and reputational damage.
What are the data subject rights under the Serbian Personal Data Protection Law?
Serbia's Personal Data Protection Law (PDP Law) grants individuals several rights over their personal data.
These rights largely mirror those found in the GDPR, demonstrating the significant influence of the EU's data protection framework on Serbian legislation.
- Right to be Informed: Individuals have the right to be informed about how their personal data is being processed.
- Right of Access: Individuals can request information about the personal data held about them.
- Right to Rectification: Individuals can request the correction of inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): In certain circumstances, individuals can request the deletion of their personal data.
- Right to Restriction of Processing: In certain circumstances, for example while the accuracy of the data is being verified or an objection is being considered, individuals can require you to limit processing to storage only.
- Right to Data Portability: Individuals have the right to obtain and reuse their personal data for their own purposes.
- Right to Object: Individuals can object to the processing of their personal data.
- Rights Related to Automated Decision-Making and Profiling: Individuals have specific rights regarding decisions based solely on automated processing, including the right to human intervention.
What are the international data transfer requirements?
Transferring personal data to other countries is regulated. There are two main ways to do it lawfully:
- Countries with adequate protection: If the destination country is on the official list of countries considered to ensure an adequate level of protection (determined by the by-law mentioned above), the transfer is allowed without further authorization.
- Appropriate safeguards: If the country is not on that list, you must put appropriate safeguards in place. This usually means standard contractual clauses adopted by the Commissioner or binding corporate rules; otherwise, you need the Commissioner's specific approval for the transfer.
Outsourcing matters
When you hire another company to handle your customer data (for example, a cloud service provider), it becomes a data processor. If that provider stores or accesses the data from outside Serbia, the transfer rules above apply, and you remain responsible for ensuring your customers' information is protected.
What are the data breach requirements?
If you experience a personal data breach, time is of the essence. You must report it to the Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If you miss the 72-hour deadline, the notification must explain the delay. When the breach is likely to result in a high risk to individuals, you must also inform the affected individuals without undue delay.
The notification to the Commissioner must describe the nature of the breach, including the categories and approximate number of individuals and records concerned, the likely consequences, the measures you have taken or propose to take to address it, and the contact details of your DPO or another contact point. Keep an internal record of every breach, including those you decide not to report, so you can demonstrate compliance.
Do we need to conduct DPIA?
Yes, you likely need to conduct a DPIA if your business processes are likely to result in a high risk to individuals.
A Data Protection Impact Assessment (DPIA) is crucial if you plan data processing activities that could pose significant risks to individuals. Here's what you need to know:
When to Conduct a DPIA
You must conduct a DPIA if your activities involve:
- Large-scale processing of sensitive data
- Extensive use of profiling or automated decision-making
- Monitoring public areas
- Processing children's data for marketing
- Using new technology for data analysis
- Tracking individuals' location or behavior
- Using biometrics for identification
- Combining data from multiple sources
What to Include in Your DPIA
Your DPIA should detail:
- What you plan to do with the data
- Why you need to do it
- The potential risks to individuals
- How you'll protect people's rights
- Who to contact for more information
If your DPIA shows that the processing would still present a high risk after the measures you plan to take, you must consult the Commissioner before starting the processing. The Commissioner's written opinion can take up to 60 days, so plan ahead.
Failing to conduct a DPIA when required can lead to significant fines. It's essential to take data protection seriously and follow the guidelines outlined in the Serbian PDP Law.
Do you need a DPO?
As a business owner in Serbia, you may need to appoint a Data Protection Officer (DPO) depending on the nature of your business and the data you process.
When You Need a DPO
You are required to appoint a Data Protection Officer if your business is a public authority or body, if your core business activities involve regularly monitoring individuals, or if you process large amounts of sensitive data, such as health data or criminal records.
Qualifying the DPO
Your DPO must possess professional qualities, including expert knowledge of data protection law and practices, and the ability to fulfill the required tasks. They can be employed by your company or work under a contract.
DPO Responsibilities
The DPO advises you and your employees on your data protection obligations, monitors your company's compliance with data protection laws and internal policies, provides advice on and monitors the Data Protection Impact Assessment (DPIA) process for high-risk processing activities, cooperates with the Commissioner (Poverenik, the Commissioner for Information of Public Importance and Personal Data Protection), and acts as the contact point for the Commissioner on all matters related to processing.
Support for the DPO
You must provide the DPO with the necessary resources, access to data and processing activities, and opportunities for professional development, while also ensuring their independence in carrying out their duties.
Accessibility
The DPO must be accessible to both you and data subjects. Data subjects can contact the DPO with any questions or concerns about their personal data.
Penalties
You can face fines of up to RSD 2 million (approximately EUR 17,000) if you fail to appoint a DPO when required or fail to fulfill your obligations towards the DPO.
Who enforces the Serbian LPDP Law, and what are the penalties?
In Serbia, the Poverenik (Commissioner for Information of Public Importance and Personal Data Protection) supervises the application of the LPDP, handles complaints, conducts inspections, and can order you to remedy violations or stop processing.
If the Commissioner finds that your business has committed a misdemeanor related to data protection, a misdemeanor order can be issued and a fine imposed. The maximum fine for a legal entity is RSD 2,000,000 (approximately EUR 17,000), far below GDPR levels, but the Commissioner's corrective orders and the reputational impact of a published violation can be far more costly than the fine itself.
How can Secure Privacy help you comply with the Serbian LPDP?
By using Secure Privacy's consent management platform, you can easily align with the requirements of the LPDP. Our solution is designed to handle various data protection laws globally, ensuring that your website or business operations meet the necessary standards.