If your company does not have a business presence formed in the Republic of Serbia but processes the personal data of individuals who live or reside in Serbia, in many cases, you are obliged to appoint a “Data Protection Representative for Serbia.”
This is a local natural person or a legal entity in Serbia, formally authorized to represent you in data protection matters and to whom the Commissioner and data subjects may turn.
When the obligation usually applies:
There is no obligation if you are a public authority, or if the processing is occasional, does not involve large-scale special categories of data/criminal conviction data, and is unlikely to pose a risk to the rights and freedoms of individuals, taking into account the nature, circumstances, scope, and purposes of processing.
Important note – representative office in Serbia: If a foreign company has a registered representative office through which it actually and stably operates in Serbia, in practice it is considered that there is no obligation to appoint a separate data protection representative.
The Representative is your local contact to whom the Commissioner and data subjects can turn instead of, or in addition to, you in all matters of data protection. Their role is to ensure compliance with the Serbian Data Protection Act (ZZPL) regarding communication, availability of documentation, and cooperation with the supervisory authority.
Typical responsibilities include:
Liability: Complaints and lawsuits are still directed against the controller/processor, regardless of whether a representative is appointed. The representative is a contact point and intermediary, not a “shield” from liability.
These two roles serve different purposes. The Representative (Serbia) is a local contact point for the supervisory authority and data subjects; they act under company authorization and do not make independent decisions. The obligation to appoint arises from the extraterritorial application and criteria under the ZZPL (service offering/monitoring activities in Serbia).
The DPO (Data Protection Officer) is an independent function within the organization or as an external advisor; they monitor compliance, advise on impact assessments, train staff, and cooperate with the supervisory authority. A DPO appointment is mandatory in typical EU practice cases (e.g., regular and systematic large-scale monitoring or large-scale processing of special categories).
Unlike the DPO, the Representative does not “monitor compliance” but ensures accessibility and communication in Serbia.
Answer “yes” or “no” to the following statements:
If most answers are “yes,” you are very likely required to appoint a Data Protection Representative for Serbia.
If you do not have an establishment in the EU but offer goods/services to or monitor the behavior of individuals in the EU, you are often required to appoint an EU representative in one of the Member States. Exemptions are similar, e.g., occasional processing, no large-scale processing of special categories, and low risk to rights and freedoms.
Additional guidance: European practice elaborates in detail when territorial scope applies and when an EU representative is required; in practice, we rely on these guidelines in assessing obligations.
End-to-end support in Serbia, with legal expertise and operational efficiency:
Beyond reputational risk and hindered cooperation with the supervisory authority, misdemeanor proceedings and fines under the ZZPL are also possible.
Civil society organizations and media have already pointed out global companies failing to appoint a representative in Serbia and filed complaints with the competent authority.
The amounts of fines and other rules are set out in the penalty provisions of the ZZPL.
A specialized privacy and IT team working daily with global platforms, SaaS, e-commerce, fintech, and health research.
Proven track record: we have helped numerous international brands meet ZZPL obligations, including appointing Representatives for Serbia and establishing processes for communication with the Commissioner.
Clear cooperation model (SLA, KPIs, dedicated contact, bilingual SR/EN support).
Scalability: service tailored for startups, scale-ups, or corporations; integration with your DPO and EU/UK representative.
Send us a short description of your business model and processing activities related to Serbia.
Based on ZZPL and your processing practices, you will receive a quick assessment of whether you must appoint a Data Representative and a step plan for compliance (agreement, publication of contact, records, operational protocols).
Yes. The law allows a representative to be a natural person or a legal entity with a residence/seat in Serbia.
Expertise in data protection is advisable for the proper fulfillment of obligations.
A DPO is an independent function that advises and monitors compliance internally, while the Representative is a local contact point for external communication and handling of requests in Serbia.
The difference comes from the distinct rules and purposes: the DPO is an internal/external compliance advisor, the Data Protection Representative is an external contact.
Yes, the Representative’s identity and contact details must be published transparently so that the Commissioner and data subjects can reach out.
Most commonly, this is in the privacy policy and on the contact page.
If the representative office is used for actual and stable operations, the usual approach is that a separate Representative is not required.
We recommend reviewing your specific case (business model, contracts, data flows).
The primary responsibility remains with the controller/processor.
The Representative is a contact point and acts on instructions; complaints and lawsuits are directed against the controller/processor.
If you target individuals in the EU or monitor their behavior, Article 27 of GDPR typically requires appointing an EU representative, unless an exemption applies (occasional processing, no large-scale special categories, low risk).
Yes, if you delegate this and if you meet the criteria for mandatory records (e.g., 250+ employees, high-risk processing, non-occasional processing, special categories).
In any case, the Representative must have access to the necessary information.
23/09/2025
23/09/2025
30/05/2025
22/05/2025
20/02/2025
05/02/2025
02/12/2024
22/10/2024
