If you believe that the new obligations and rules will not affect you because your business is Serbia-based, well – you are mistaken.
Namely, the domestic Personal Data Protection Act (hereinafter: PDPA) has taken over almost all of the rules from the GDPR (we have discussed this in our blog 9 most common misconceptions of employers on personal data protection), so all the consequences regarding data protection from the EU will be noticeable here as well, even when it comes to data transfer from Serbia to the USA.
Thus, from here forward, whenever you transfer data from Serbia to the USA, it is necessary to provide an appropriate level of personal data protection. Since Privacy Shield was invalidated, you are required to apply the other mechanisms which are at your disposal.
The Commissioner spoke about the aforementioned situation, highlighting that, in accordance with the decision of the European committee, the USA does not provide an appropriate level of protection under the Privacy Shield framework or under the Personal Data Protection Act.
The Commissioner appealed to all controllers and processors to find other mechanisms for data transfer to the USA prescribed by the PDPA. The Commissioner also sent an official notice to the Government of the Republic of Serbia, asking it to align the Decision of the Government on the list of countries which are considered to provide an appropriate level of personal data protection, i.e. to remove the USA from the said list.
Which are the other mechanisms?
As in the EU, you have the Standard Contractual Clauses at your disposal, but in the form declared by the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: Commissioner). In other words, you are obliged to conclude appropriate contracts with your contractors from the USA if you want to be sure that you are acting in accordance with the PDPA.
You must conclude appropriate contracts with the American company and regulate the questions regarding data transfer to the USA.
On the other hand, if GDPR applies to you extraterritorially (we have written about this in Territorial Scope of GDPR in Serbia), all the obligations and rules apply to you, the same as when data is transferred from the EU to the USA.
Therefore, the same rules apply to all Serbian employers as in the European Union: when concluding an agreement with processors from the USA, you will have to carry out the appropriate checks to determine whether all the conditions regarding personal data transfer are fulfilled. Otherwise, you face the fines prescribed under the PDPA's penalty clauses, as well as the penalties prescribed by the GDPR (if the conditions for extraterritorial application of the GDPR are met). What these 'additional checks' will look like in practice certainly remains an unanswered question.
If all of this seems too complicated, the alternative is to seek the approval of the Commissioner for each data transfer to the USA. Compared with that option, you will agree that the Standard Contractual Clauses do not seem that bad.