Territorial Scope of GDPR in Serbia

We know that data controllers and data processors from the EU must comply with the General Data Protection Regulation (GDPR), but, under certain conditions, subjects in Serbia must comply as well. In this blog post, we will clarify situations in which your company is subject to the GDPR regulations.

10 Jan 2019

GDPR entered into force on May 25, 2018, and from then on, natural and legal persons with residency or establishment in the European Union are obliged to comply with the GDPR rules. Additionally, under certain conditions, natural and legal persons in Serbia are obliged to comply.

Given that breaches of the GDPR carry extremely high penalties, if you own a Serbia-based company with establishment in the EU (conditions are listed below), it is useful to know when your company is subject to the GDPR.

There are three possible case scenarios under which GDPR may apply to you:

In this blog post, we will focus on the GDPR application to data controllers with establishment in Serbia (Case No. 2).

GDPR PROVISIONS – THE GUIDELINES

Since the GDPR provisions are formulated very broadly, and are therefore open to different interpretations, the European Data Protection Board (EDPB) issued Guidelines on the territorial scope of the GDPR in order to clarify, among other things, in which cases the GDPR applies to companies headquartered outside the EU.

The Guidelines clarify the following:

  • offering goods or services to data subjects who are physically in the EU,
  • monitoring of behavior of data subjects in the EU, as far as their behavior takes place within the EU.

The EDPB clarifies two frequent misconceptions:

– GDPR applies only to data controllers and data processors with establishment in the EU,

– GDPR always applies to data controllers and data processors that process data of a data subject who is a citizen of one of the EU Member States.

If a controller or processor with establishment in Serbia processes data of an EU Member State citizen, that does not automatically mean the GDPR applies.

As an example, let’s take a Serbian IT company that processes data of data subjects who are EU citizens but are located in Serbia, with the purpose of offering goods or services on the territory of the Republic of Serbia. Does this company have to comply with the GDPR?

The answer is: NO

However, let’s assume that a Serbian IT company processes data of data subjects who, at the moment the Serbian IT company offers them goods or services, are located on the territory of one of the EU Member States. Does this company have to comply with the GDPR?

The answer is: YES

In fact, for controllers and processors outside the EU, it does not matter whether the data subjects whose data are being processed hold citizenship or temporary or permanent residence in one of the EU Member States. What matters is that the data subjects are physically in the European Union.

The European Data Protection Board provides a good example illustrating that the GDPR applies to all individuals physically present in the EU.

It is important that data subjects whose data are being processed are located within the European Union at the moment of offering goods or services, or at the moment of monitoring their behavior, regardless of the duration of these actions.

For the GDPR to apply, it is sufficient to process personal data of individuals who, at the moment of offering goods or services, are on the territory of one of the EU Member States, regardless of whether they have paid for those goods or services. Hence, processing data for the purpose of offering goods or services, even without any purchase of the goods or payment for the services, is enough to trigger the rigorous penalties prescribed by the GDPR.

On the other hand, processing the personal data of individuals located in the EU is not by itself sufficient for the GDPR provisions to apply to a data processor or controller with establishment outside the EU; it is also necessary that the purpose of the processing be to offer goods or services to these individuals or to monitor their behavior within the Union.

But how do you establish whether the data of data subjects located in the EU are processed in order to offer them goods or services, or in order to monitor their behavior within the Union?

DATA PROCESSING WITH THE PURPOSE OF OFFERING GOODS AND SERVICES

In their Guidelines, the EDPB lists criteria that indicate that the data of these data subjects are processed precisely for this purpose.

TERMS

Where several of the above-mentioned criteria are met, the EDPB holds the opinion that the data of data subjects located within the European Union are processed precisely for the purpose of offering goods or services. In other words, the GDPR applies.

Here is an example (according to the EDPB) of a data controller with establishment outside the EU processing data of data subjects who are on the territory of the EU Member States with the purpose of offering goods or services:

On the other hand, processing data of EU Member State citizens who are employed by a company in Serbia for the purpose of paying their salaries is not considered data processing with the purpose of offering goods or services, and hence is not subject to the GDPR provisions.

DATA PROCESSING FOR THE PURPOSE OF MONITORING BEHAVIOR

The European Data Protection Board has also provided an interpretation of when a controller or processor is considered to be monitoring the behavior of individuals in the EU, as far as that behavior takes place within the Union.

First of all, it should be noted that monitoring involves monitoring people via the Internet or profiling them in order to analyze or predict their personal preferences, behaviors and attitudes.

It states that monitoring can take the form of:

– advertising based on the behavior of a person,

– monitoring geo-location for marketing purposes,

– online tracking through the use of cookies or other tracking techniques,

– personalized diet and health analytics services online,

– CCTV,

– market surveys and other behavioral studies based on individual profiles,

– monitoring or regular reporting on an individual’s health status, or video surveillance through a camera.

The European Data Protection Board also cites an example in which a retailer or processor with establishment outside the European Union processes personal data of data subjects who are in the EU in order to monitor their behavior within the Union.

It should be noted that each of these criteria, taken separately, does not by itself indicate that goods and services are being offered to people in the European Union or that their behavior is being monitored. Nevertheless, a combination of several of these criteria leads to the conclusion that they are the target group.

WHAT IF YOU ARE SUBJECT TO THE GDPR AS DATA CONTROLLER OR DATA PROCESSOR IN SERBIA?

If you do any of the following through your business:

  • Process information about data subjects physically present in the European Union in order to offer them goods or services, regardless of whether the data subject whose data is being processed has to pay for those goods or services,

OR

  • Monitor behavior of these data subjects, as far as their behavior takes place within the EU,

it is necessary to comply with the GDPR procedures in order to avoid astronomical fines.

This means that, in accordance with the GDPR, it is necessary to appoint a representative in the European Union who will act on your behalf and for your account and thereby allow you to comply with the provisions of the GDPR. A representative can be either a natural or a legal person. The representative’s details must be available to the data subjects whose data are being processed; for example, they may be listed in the privacy policy. The representative should be established in the EU Member State in which the data subjects whose data are being processed are located.

One clear sign that the GDPR is being enforced is the decision of the French Data Protection Authority (CNIL) to fine Google in the amount of 50,000,000.00 euros, which we discussed in detail in our news section. This decision should be a warning to data controllers and data processors established in Serbia who are subject to the GDPR to bring their business in line with the provisions of the GDPR in due time, as non-compliance entails serious sanctions.

1. European Data Protection Board, Guidelines 3/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 13, example 8.
2. European Data Protection Board, Guidelines 3/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 13, example 12.
3. European Data Protection Board, Guidelines 3/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 18, example 15.
4. European Data Protection Board, Guidelines 3/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 22, example 20.
