Are you the owner of a foreign company operating in the territory of the Republic of Serbia? Are you wondering about your rights and obligations when it comes to collecting and processing personal data of Serbian residents? If the answers to the previous questions are affirmative, this blog is tailor-made for you.
First of all, it is important to mention that the Law on Personal Data Protection (hereinafter: the Law) is in force in Serbia. This law has introduced several new provisions, one of which is the obligation to appoint a Representative of controllers or processors who do not have a registered seat in the Republic of Serbia (hereinafter: Representative for Serbia). In the following text, we will focus on the details regarding the Representative for Serbia for personal data protection, such as who is required to appoint this person, whether there are certain exceptions, what their authorizations and obligations are, and who can be appointed to this position. If you want to get a general overview of all the obligations under the Law, we recommend reading our blog: The Law on Personal Data Protection – A Few Guidelines On How To Get Compliant.
If you have appointed a Data Protection Officer (DPO) and believe that your work is done, be cautious! The Representative for Serbia is not the same as the Data Protection Officer, and it is possible that your company is required to appoint both. More about the differences between these two roles can be found in our separate blog: Data Protection Officer vs Country Representative for Serbia.
The Law on Personal Data Protection is already in force, which means it is crucial to fulfill this obligation as soon as possible if you have not already done so. Stay updated with legal regulations to protect your business and avoid potential issues in the future.
Who is the Representative for Serbia and who is required to appoint one?
The Representative for Serbia is:
- a natural person or legal entity,
- with residence or headquarters in the territory of the Republic of Serbia,
- who is authorized in writing to represent the controller or processor of personal data regarding their obligations in the field of privacy protection.
If you are not sure whether you are considered a controller or processor of personal data, here are explanations and examples for both roles.
- Controller – a natural person or legal entity who determines the purpose and means of processing personal data.
Example A: A controller is, for instance, an employer in relation to the personal data they collect from their employees and/or job candidates since in that situation they determine the purpose and means of processing personal data. The employer usually collects the data to manage personnel, provide services to clients, and comply with all legal regulations.
Example B: A controller can also be an application owner who collects certain personal data from their users. This typically involves processing names, email addresses, home addresses, dates of birth, etc. The application owner generally collects this data to fulfill their obligations towards users (e.g., enabling account creation and the use of all application functionalities).
- Processor – a natural person or legal entity who processes data on behalf of the controller.
Example A: A processor is, for example, a service provider who does not determine the purpose of personal data processing but necessarily processes certain data while providing services to the principal. For instance, a marketing agency does not determine which data to process, but it must come into possession of certain personal data to perform its job.
Example B: It is important to note that the same person can be a controller in relation to one group of personal data and a processor concerning another group of such data. For example, an application owner may collect certain data from users of their product in a way and for a purpose they determine as a controller (e.g., data needed to create a user account). At the same time, the application's users may use it to collect personal data themselves (e.g., an application used by an employer to manage human resources by collecting data from employees), in which case the application serves only as a means of processing data for which the users determine the means and purpose of processing. In other words, in this regard, the owner of the application has the role of processor.
If you fall into the category of controllers and/or processors, you may be required to appoint a Representative for Serbia.
A company that does not have its headquarters in the territory of the Republic of Serbia is obliged to appoint a Representative for Serbia in writing if it processes personal data of data subjects residing in the territory of the Republic of Serbia, and if it processes data in connection with:
1) the offering of goods or services to data subjects in the territory of the Republic of Serbia, regardless of whether a payment is required from the data subject for these goods or services (e.g., a platform from Germany offers services through which it is possible to purchase airline tickets worldwide, including Serbia);
2) monitoring the activities of data subjects if such activities are carried out in the territory of the Republic of Serbia (e.g., a website or application owner from China tracks the behavior of visitors/users from Serbia via cookies and other technologies and thus offers them relevant personalized advertisements).
We understand that all these conditions may seem confusing, so below is a checklist designed to help you clarify whether or not you have the obligation to appoint a Representative for Serbia. If you meet all the items, this obligation applies to you.
Even if you have answered all the above items affirmatively, the Law provides two exceptions to the general rule. Namely, you will not be obliged to appoint a Representative for Serbia if:
1) you are a controller or processor that is a public authority; or
2) the processing of personal data you perform is occasional, does not include large-scale processing of special categories of data (such as convictions for criminal and other punishable offenses, racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation of a natural person, etc.), and it is unlikely to pose a risk to the rights and freedoms of natural persons, considering the nature, circumstances, scope, and purposes of the processing. When applying this exception, there are often doubts regarding the condition that data processing is carried out occasionally since it has not yet been clarified, nor has an official stance been taken on what exactly is meant by “occasional” processing. There are opinions that a company can invoke this exception if it processes personal data of less than 5% of its clients. However, since this opinion has not yet been confirmed by the competent authorities, in case of doubt, it is safest to appoint a Representative to eliminate the potential risk of fines related to violations of the Law.
Still not clear if you are obliged to appoint a Representative? Below is an example for additional clarification:
- An e-commerce store registered and headquartered in the United States offers sales or brokerage services to citizens of the Republic of Serbia and enables them to purchase products online, collecting data such as name and surname, date of birth, passport number, personal identification number (JMBG), credit/debit card number, and the like.
- In this case, the e-commerce store is obliged to appoint a Representative for Serbia to enable the Commissioner and the individuals whose data it processes to contact them with requests related to personal data protection.
What are the Authorizations and Responsibilities of the Representative for Serbia?
The role of the Representative for Serbia includes the following:
- The company authorizes the Representative for Serbia as the person to whom, instead of the company itself, individuals can address their requests and queries regarding the processing of personal data. These individuals can be:
  - Data subjects;
  - The Commissioner for Information of Public Importance and Personal Data Protection; or
  - Other subjects.
The purpose of this authorization is to ensure compliance with the provisions of the Personal Data Protection Law.
It should be noted that complaints, lawsuits, and other legal claims related to personal data protection can be filed against the controller or processor, regardless of whether their Representative for Serbia is appointed. The rationale behind this rule is that in case of non-compliance with the Personal Data Protection Law, the controller/processor will be held responsible, not their Representative for Serbia.
- The Representative for Serbia enters into a legal relationship with the controller/processor based on written authorization (usually in the form of a contract). In such a relationship, the Representative is not authorized to act independently but is obliged to follow the instructions of the controller/processor related to the processing of personal data.
- Additionally, the Representative for Serbia is obliged to cooperate with the Commissioner in exercising his powers. Accordingly, the identity and contact details of the Representative for Serbia must be transparently published so that the Commissioner and data subjects can easily contact the Representative if necessary.
- The company may entrust its Representative for Serbia with maintaining records of processing activities for which the company is responsible if:
  - the company has 250 or more employees;
  - the processing may pose a high risk to the rights and freedoms of data subjects;
  - the company conducts non-occasional processing; or
  - the processing involves particularly sensitive types of personal data.
Even if the company (i.e., the controller/processor) maintains these records itself, it is necessary that all data from the records are made available to the appointed Representative so that they can fulfill their obligations in accordance with the Law. These records should include information such as details about the controller/processor, the purpose of the processing, the type of data subjects, the type of personal data, data protection measures, any data transfers to countries outside the Republic of Serbia, etc.
Who Can Be Appointed as Representative for Serbia?
- Residence or Headquarters in Serbia – The Representative for Serbia can be a natural person or legal entity with residence or headquarters in the territory of the Republic of Serbia.
- Written Authorization – The Representative must be authorized in writing (usually by contract) to represent the controller/processor concerning its obligations under the Personal Data Protection Law.
- Knowledge and Qualifications – The law does not require additional professional qualifications for this role, but it is implied that the Representative for Serbia should be familiar with personal data protection regulations to perform their duties adequately.
- Serbian Language Skills – Although the law does not explicitly require the Representative to be fluent in Serbian, it is recommended to ensure the Representative can fulfill their duties, including communication with the Commissioner and individuals from Serbia whose data is being processed.
It is important to note that the Representative for Serbia can, but does not have to, be employed by the controller or processor. Thus, the existence (or lack) of an employment relationship is not relevant to the appointment of the Representative.
What if your company does not have a headquarters but has a branch office in Serbia?
As explained above, the law stipulates that in certain situations, legal entities without headquarters in the Republic of Serbia are required to appoint a Representative for Serbia. However, what happens with this obligation if a legal entity has a registered branch office in Serbia?
While a strict interpretation of the law would lead to the conclusion that having a branch office in Serbia does not exempt a legal entity from the obligation to appoint a Representative for Serbia, the answer to this question is different.
Namely, the Commissioner has taken the position[1] that a foreign company that has established a branch office in the Republic of Serbia, through which it operates effectively, genuinely, and stably, is not obliged to appoint a Representative for Serbia.
The Commissioner reached this opinion by interpreting the General Data Protection Regulation (GDPR) of the European Union, which served as a model for the Serbian Personal Data Protection Law. Since the GDPR does not require legal entities with branches in the EU to appoint a Representative for the EU, the Commissioner, by adopting a different stance, would impose more obligations on controllers and processors than necessary according to European standards.
Consequences of Not Appointing a Representative for Serbia
If you fail to fulfill your obligation to appoint a Representative for Serbia, the consequences can be both financial (fines for offenses) and reputational. The reputational risk particularly applies to companies that collaborate with individuals from countries with stricter data protection penalty policies, as these individuals can easily terminate cooperation with companies that do not comply with all their contractual and legal obligations related to data protection.
That these consequences are not just theoretical is demonstrated by the fact that the Share Foundation (a non-profit organization aiming to promote human rights and freedoms in the online sphere) has already filed misdemeanor charges against many global companies for not appointing their Representatives for Serbia, despite appeals from the foundation and the Commissioner.
Among the companies the Zunic Law team has helped comply with the Personal Data Protection Law requirements are eSky, a global leader in providing travel organization services, HD-WIN, the company behind the Bloomberg Adria platform, and RTL Croatia, a leading broadcaster in the region.
[1] Publication no. 9 – Data protection – Positions, opinions and practice of the Commissioner (Translated from Serbian: Publikacija br. 9 – Zaštita podataka – Stavovi, mišljenja i praksa Poverenika), page 164