Data Protection Officer vs Country Representative for Serbia

06/03/2024

Although the Law on Personal Data Protection in Serbia has been in force since August 21, 2019, it seems that companies either have not taken all the obligations prescribed by this Law seriously or do not understand them.

It is alarming that many companies doing business in Serbia have not appointed a Personal Data Protection Officer (DPO) or a Representative in the Republic of Serbia, even when the Law requires them to do so. Consequently, Share Foundation filed misdemeanor charges with the Commissioner for Information of Public Importance and Personal Data Protection against 16 global tech companies (including Amazon, Twitter, Viber and others) for failing to comply with their obligation to appoint Representatives in Serbia. This initiative has had an effect: more Representatives in Serbia were subsequently registered, and the number currently stands at 57, as published on the Commissioner’s website.

Among the companies that have fulfilled the requirements of the new Law on Personal Data Protection are eSky, a global leader in travel organization; HD-WIN, which is behind the Bloomberg Adria platform; RTL Croatia, a Croatian media giant; and Lesnina S, one of the leading companies in furniture sales.

However, this still does not mean that all obliged subjects have appointed a DPO or a Representative in the Republic of Serbia, nor that they are immune to potential misdemeanor charges in the future.

It is paramount for all entities who process personal data and who are subject to the Law to understand the difference between a Data Protection Officer (DPO) and a Representative in Serbia (Representative).

At first glance, their roles seem similar, or even identical. However, the differences between the two are very significant, and failing to appoint each of them entails different consequences and potential risks of non-compliance with the provisions of the Law. Moreover, appointing the same person to perform both roles can lead to a serious conflict of interest.

In this blog, we will try to eliminate the confusion and misconceptions that exist regarding these two different roles, and help you understand whether you are obliged to appoint one of these two persons or even both of them.

1. Who Is the Data Protection Officer, i.e. the DPO?


A Data Protection Officer (DPO) is a key player in the increasingly relevant data governance system, appointed by a controller or processor.

The DPO is an independent entity that ensures that the company that designated them complies with the applicable Law when collecting and/or processing the data of its customers, employees, users of services, and all other data subjects.

Additionally, the DPO must inform and educate the company and its employees on all aspects of personal data protection, monitor the implementation of regulations governing privacy and data protection, give an opinion on the data protection impact assessment, and act as a contact point for cooperation with the Commissioner, as well as with the data subjects.

Therefore, a DPO is the person who will advise your company and make sure that you have aligned your business with the obligations imposed by the Law.

In the text below, we will go through some specific examples and legal requirements for appointing a DPO.

Whether you are a foreign or a domestic company, you must appoint a DPO if:

a) the core activities of your organization require large-scale, regular, and systematic monitoring of individuals (data subjects); or

b) the core activities of your organization consist of large-scale processing of special categories of data (especially sensitive data) or data relating to criminal convictions and offenses.

Any domestic or foreign natural person can be designated as a DPO. However, a DPO must be an expert in data protection, independent of the organization, adequately resourced, and capable of complying with the Law.

A DPO can be an employee of the processor or controller. However, you can also appoint an external DPO.

The DPO must be independent in the performance of their tasks and duties. The controller or processor cannot penalize the DPO or terminate their employment or contract with them for performing the duties imposed on them by the Law. As a matter of fact, the controller and the processor are responsible for data processing as well as compliance with the Law, so the legal claims of the data subject and the Commissioner can only be directed towards the controller and/or processor. The DPO cannot be held personally responsible.

Since the provisions of the Law are very general, we will use the following examples to illustrate when it is mandatory to appoint a DPO.

Example 1:

E-commerce store ABC (regardless of the company’s headquarters) offers and sells goods online to citizens of the Republic of Serbia. In addition, ABC organizes a loyalty program for its customers and processes personal data for these purposes on a large scale. ABC also profiles its customers and sends them personalized offers based on those profiles. In this example, ABC is required to appoint a DPO who will be responsible for personal data protection issues.

Example 2:

Private Clinic M, based in Belgrade, processes the personal data of its patients in its regular course of business. In this example, Clinic M is a controller whose main activity involves processing a large amount of sensitive data about its patients, such as health data. Clinic M must appoint a DPO.

If you do not meet the abovementioned conditions, appointing a DPO is optional. However, both the European authorities and the Serbian Commissioner recommend designating a DPO even when it is not mandatory. Moreover, it is considered good business practice.

2. What Is a Country Representative for Serbia and When Is It Mandatory?


You may be wondering what the role of the Representative is if you have already appointed a DPO.

If you are a foreign company that does not have a registered office (or branches or other establishments) in the Republic of Serbia but is engaged in processing activities related to:

1) offering goods or services to individuals in the Republic of Serbia, whether or not the data subject is required to pay compensation for these goods or services;

2) monitoring the activities of data subjects, if the activities are carried out on the territory of the Republic of Serbia,

then you must comply with the Law and appoint a Representative in the Republic of Serbia.

However, even if you meet these conditions, you will not be required to appoint a Representative if:

a) you are a public authority;

b) the data processing is occasional, does not involve large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in privacy intrusions. In practice, this exemption rarely applies.

Any natural or legal person who resides in the Republic of Serbia can be appointed as a Representative.

The appointment of a Representative for companies without an office in Serbia must be made in writing.[1] The most common practice is to conclude a written agreement.

In a nutshell, the main job of the Representative is to operate as a contact point, i.e. a local liaison with the data subjects and the supervisory authorities. Thus, instead of the data controller/data processor, the Representative acts as an intermediary between the business and national data protection authorities or data subjects.

The appointment of the Representative is made without prejudice to legal actions that could be initiated against the controller or processor.[2] They shall, therefore, be responsible for meeting the regulatory obligations when processing the personal data of Serbian residents. The appointment of a Representative does not replace or limit the duties of the controller/processor located in a country outside of the Republic of Serbia.

Although the Law does not explicitly prescribe this, we believe that the same person cannot perform both functions. Given that they have different roles, appointing one person as both DPO and Representative could result in a problematic conflict of interest.

Still not clear on whether you are obliged to appoint a Representative or not? Let’s look at an example:

  • XYZ Airlines is an airline registered and headquartered in Turkey that offers air transport services to residents of the Republic of Serbia and enables them to buy tickets online, collecting information such as first and last name, date of birth, passport number, unique personal ID number, credit/debit card numbers, etc.
  • In this case, XYZ Airlines is obliged to appoint a Representative in the Republic of Serbia to act as its direct contact for data subjects and the supervisory authority.

3. The Differences Between a DPO and a Representative

[1] Article 44, paragraph 1 of the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, no. 87/2018)
[2] Article 44, paragraph 3 of the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, no. 87/2018)
