Serbia: New Law on Personal Data Protection


At the end of November 2018, the new Law on Personal Data Protection (Law) came into force but its application was postponed for nine months, until August 21, 2019. Brief overview of the Law is given in the text below, including new elements, as well as principal provisions which refer to personal data protection.

Application of the Law 

The Law shall apply to data protection done by a controller or processor with the seat, or temporary or permanent place of residence on the territory of the Republic of Serbia (Serbia) within the activities performed on the territory of Serbia, regardless whether the processing activity is done on that territory. Thus, regardless of the location of the processing, in case processing is connected with the activities done by a local controller in Serbia, new Law shall apply to such processing. Furthermore, the Law also has extraterritorial application when a controller or processor which does not have the seat or temporary or permanent place of residence u Serbia, processes personal data of a person with temporary or permanent place of residence in Serbia, in case processing activities are related to: offer of goods or services to the data subject on the territory of Serbia, regardless whether that person is requested to pay compensation for goods or services; or payment of the activities if the data subject, if the activities are performed on the territory of Serbia. That further means that the new Law shall also apply to the foreign controllers and processors with the seat, temporary or permanent place of residence abroad, in case their process the data of the citizens of Serbia for the purpose of sale of goods or offering of services, or monitoring of their activity on the territory of Serbia. 

Controller and processor 

The new Law provides clear definition of the role of the controller and other persons processing personal data, and all in accordance with the role they have towards the data they process, which includes checking of compliance with the regulations in a proceeding, during processing of personal data. That further means that in order to comply with the new Law, the controllers will have to render a relevant decision, and other types of documents to regulate internal processes and procedures for personal data protection in each individual case. In addition, new Law introduces new obligations for the personal data processor. Earlier, most of the obligations and responsibilities regarding personal data referred to the controller, and now, the Law precisely defines controller’s obligations. 

Personal data, special type of personal data, purpose of processing 

The new and the old law define personal data, as all the data which refer to an individual, based of which the identity of that individual could or is determined, directly or indirectly. Also, personal data may be collected for the specifically defined purposes which are explicit, justifiable and lawful and cannot be further processed in a way contrary to those purposes. That means that before initiation of processing, there should be a precise definition and explicit elaboration as to why the data are collected and that the data collected for the initial purposes cannot be further processes for any other, incompatible purpose. Also, it is defined that the personal data should be limited to what is necessary regarding the purpose of processing (minimizing the data) and that they must be correct and up to date. The data is kept in the form which enables identifying of persons and only within the deadline required for accomplishing of the purpose of processing. 

In accordance with the new Law, the data which refer to racial or ethnic origin, political opinion, religious and philosophic standpoints, membership in the union, genetic or biometric data, as well as the data on health status, sexual life and sexual orientation of an individual are considered as special (sensitive) type of data. 

Personal data protection 

Personal data must be processed in a way which secures personal data protection, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction or damage by application of relevant technical, organizational and personnel measures. The Law does not stipulate what these measure are since they always depend on the specific situation and the type and quantity of processed data, purpose of processing, method of data retention and other, thus, the decision on the measures to be applied by the processor or controller should be rendered before initiation of processing. 

Legal basis for personal data protection 

Lawful processing of personal data means that the processing of data is done only if it is based on one of the legal bases: consent of the data subject, conclusion and enforcement of contracts, compliance with legal obligations, protection of vital interest, performance of the activities in public interest and for the purpose of achieving legitimate interest of the controller. 

Consent of the data controller must fulfill the following requirements: that it is given freely and unconditionally, that it was given for specifically defined purpose and for each individual purpose, that it is informed, unequivocal and documented. 

Obligation of the controller in cases of violation of personal data 

Controller is under obligation to inform the Commissioner of each violation of personal data. In case violation of personal data may lead to the risk for the rights and freedoms of individuals, the controller shall inform the Commissioner without unnecessary delay or if possible within 72 hours as of becoming aware of the violation. In case the controller does not inform the Commissioner within stipulated deadline, the controller must elaborate the reasons for failure to act by the deadline. Upon becoming aware of the violation, the processer shall inform the controller of the incident without unnecessary delay.

The Law gives precise definition of the information such notice should contain: description of the nature of personal data, approximate number of persons those data refer to, description of possible consequences of the violation, description of the measures undertaken by the controller, etc. In addition, based on the Law, the obligation of the controller is to also document each violation of personal data, including the facts on violation, its consequences and measures undertaken for its remedy.

Along with the notice to the Commissioner, the Law also stipulates the obligation to notify the data subject without delay. This obligation refers to the controllers in the situations when the violation of the personal data may cause high risk for the rights and freedoms of individuals, and in its notice, the controller must provide clear and understandable description of the nature of data violation and provide the individual with the contact information for personal data protection, description of possible consequences of violation and to list the measures proposed or undertaken in regards to violation, including the measures undertaken in order to decrease harmful consequences of the violations. 

Records of processing 

In accordance with the old Law on Personal Data Protection, before establishing a database, the controller must deliver a notice to the Commissioner of the intention to establish such a database. However, new Law terminates the obligation of keeping a Central Registry, including the obligation of the controller to notify the Commissioner of the intention to establish a database. 

Now, the Law stipulates the obligation to keep the records of processing which refer to controllers and processors. These records include the following data: data on the controller and processor, purpose and type of processing, type of data subject, transfer of data, etc. The records are permanently kept in written and/or electronic form. 

The obligation to keep the records does not apply to commercial entities and organizations with less than 250 employees, except in the cases when: processing may cause high risk for the rights and freedoms of data subjects; processing is not occasional; processing includes special type of personal data or data which refer to criminal verdicts, punishable acts and security measures. 

Evaluation of impact on personal data protection 

The Law introduces the obligation of evaluation of impact on personal data protection, thus, the controller is ordered to evaluate the impact of the activities of processing on personal data protection before initiation of processing and particularly the cases when it is probable that some type of processing would cause high risk for rights and freedoms of individuals due to use of new technology, considering the nature, scope, circumstances and purpose of processing. The Law envisions the possibility of joint evaluation of impact, but only in case of several similar processing activities. 

Transfer of data 

According to the rules on transfer of data from Serbia, each transfer of personal data, where the processing is ongoing or is intended for further processing after their export from Serbia to another country or international organization, may be done only if the controller and processor act in accordance with defined conditions. Also, controller and processor that intend do transfer personal data may do so only if they have relevant legal basis for that transfer. 

Legal basis requested for export of data is suitable level of data protection which applies in the country where the data is transferred. The Law considers that the suitable level of protection exists in the countries and international organizations which are the members of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, in countries and international organizations for which the European Union confirmed suitable level of protection, or with which Serbia concluded international agreement on personal data transfer. Practically, that would mean that export of data from Serbia is permitted to all the member states of the European Union, as well as other countries signatories of the Convention of the Council of Europe. 

In regards to the export of personal data to the USA, the transfer is permitted, that is, import of data may be done only with those companies included in the list of safe data recipients from the EU. 

The Law provides explicit definition of the situations when transfer of data is permitted, if it is impossible to implement any of the mechanisms for application of relevant protective measures. Those are the following situations: data subject gave explicit consent for export, after being informed of possible risks associated with export of data due to lack of suitable level of protection or relevant protective measures; transfer is required for implementation of contract between the data subject and controller or for application for relevant measures undertaken at the request of the data subject; export is required for conclusion and implementation of the contract concluded in the interest of data subject and when the export is required for submission, achieving or defense of the legal request. 

Rights of data subject 

The Law stipulates the list of rights of data subjects, where the controller has the obligation to secure their application. In case the controller fails to act in line with these rules or does not respond to the requests for their achieving as defined by the Law, those persons have series of available legal means and remedies: right to appeal to the Commissioner or right to a lawsuit. 

The controller is under obligation to provide defined information to the data subject in a concise, transparent, understandable and easily accessible way. The controller is under obligation to provide the information to the processor on the actions based of his request not later than 30 days as of the receipt of the request. That deadline may be extended for additional 60 days if necessary. In case the controller fails to act based on the request, the controller must inform the applicant about the reasons not later than 30 days as of the date the request was received, as well as about the right to submit the complaint to the Commissioner, or the lawsuit before the court. 


In Serbia, the activities of the controllers are regulated by the Law, as well as the GDPR in case those actions are within the activities under competence of the GDPR. Penalties defined by the Law are lower than the penalties envision by the GDPR. 

Along with non-pecuniary sanctions against the controllers violating regulations on personal data protection, other measures may be undertaken as well. The Commissioner may apply his authorization to perform inspections and to request to access the data of the controller, to warn the controller of violations of the Law, to issue a warning, to order the controller to act based on the request of the data subject, to order compliance of the processing activity with the Law, to issue temporary of permanent limitation of the processing of data or to ban processing, to order correction or deletion of personal data and to suspend transfer of personal data to another country. 

Along with the appeals to the Commissioner, the citizens may also address the court in a litigation proceeding in order to protect their rights. 

Individuals violating regulations on personal data protection may also be held criminally liable. 

Novelties in the Law 

The Law introduces several new elements which have not existed before, as follows: possibility to prepare code of conduct, possibility to issue certificates, as well as application of binding business rules. 

Code of conduct is introduced as a possibility in order for the groups of controllers or processors to apply the Law more efficiently, as well as all other regulations on personal data protection. In accordance with the Law, preparation of the code of conduct is a possibility and not the obligation, and the code could contain the provisions enabling supervision over application of the codes of the controller or processor they undertake to apply. The Commissioner shall issue opinion and consent for the proposal and amendments to the code. 

Certification provides for the possibility to establish a procedure for issuing of certificates on personal data protection. The Commissioner stipulates the criteria for certification, checks fulfilment of conditions and undertake periodical re-examination of issued certificates. 

In accordance with the Law, internal rules on personal data protection are considered as binding business rules. They are adopted and applied by the controller or processor with the temporary or permanent place of residence or the seat on the territory of Serbia, and all for the purpose of regulating of the transfer of personal data to the controller or processor in one or more countries within multinational company or group of commercial entities. This would further mean that several companies which belong to one group or have one end owner in several different countries may establish ther internal rules of personal data protection in order to regulate transfer of data to the controller or processor outside of the territory of Serbia, but within that corporate group. 

Binding business rules are approved by the Commissioner if they fulfill the following conditions: they are legally binding, applied and implemented by each member of a multinational company or group of commercial entities, including their employees; they explicitly enable exercising of the right of data subject regarding processing of their data; define structure, contact data of multinational company or group of commercial entities, transfer of personal data, type of personal data, processing activities, purpose, data subjects. 

In case binding business rules meet legal conditions, the Commissioner shall approve them within 60 days as of the date of submission of the request for their approval. 


The new Law and the newly introduced elements taken over from the European legislation require from the companies, state institutions and the entire environment in Serbia to comply with them, and with time and practice it will be possible to see how and to which extent that is successfully done. 

In the upcoming period, the Commissioner should sign the criteria for certification, as well as standard contractual clauses which would enable and explain application of the Law, particularly in the segment of data transfer from Serbia. Also, there is another dilemma and that is the fact that the practice of local civil and criminal courts in Serbia has not been developed in this subject matter. 

The Commissioner has primary role in the process of implementation of the Law, because through many years of application of already old law, he has established comprehensive practice which will provide great help in implementation of the new regulation. 

Thus, final evaluation of the new Law in Serbia, where the awareness of the people of personal data protection is very low, could be expected after certain period during which the actions of the Commissioner and all other stakeholders included in the work and application of the Law will be crucial.


Article provided by: Ljiljana Urzikic Stankovic (Serbia)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.