2 min read

Share this Blog

Rate this Post

Transferring Data Across Oceans without Fear of the GDPR 4+ million fines

Jelena Djukanovic

Jelena Đukanović

Attorney at Law


In the era of information technology and constant data exchange through various applications, platforms, servers, and external service providers, keeping data within one country or organization is almost impossible.

Furthermore, global business practices are becoming increasingly prevalent, and national borders are no longer barriers to product or service deployment. This type of business inevitably leads to international data transfers.

Whether you are a B2B company collaborating with a foreign client and sharing data about your employees who will be involved in the client’s project, or you are a global provider of CRM solutions designed for the companies that will share data about their employees with you, it is clear that to establish and maintain these relationships, data sharing, including personal data, is necessary.

Learn the steps you need to take to avoid high fines for non-compliance with personal data protection regulations.


First and foremost, you need to determine which law applies to you to know which rules you need to comply with.

If your company is based in Serbia, you are required to comply with the Law on Personal Data Protection.

In addition, there is a possibility that the General Data Protection Regulation (GDPR) also applies to you if the conditions for the extraterritorial application of the GDPR are met. To determine whether the GDPR applies to you, read our blog Territorial Scope of GDPR in Serbia.

On the other hand, if your company has headquarters in the EU, the GDPR certainly applies to your business.

Of course, other personal data protection regulations that allow for extraterritorial application, such as the Swiss FADP or UK GDPR, are also in play.

Once you have determined which law applies to you, it is necessary to identify your role in the data transfer.

Your company may act as a data controller, data processor, or sub-processor, and depending on your role in the data transfer, the obligations you need to fulfill to comply with the applicable regulations will vary.


The next step is to verify whether you have entered into appropriate agreements that regulate the processing and international transfer of personal data.

Both the Serbian Law on Personal Data Protection and the GDPR require you to regulate contractual relationships with parties with whom you share personal data. Such an agreement is called a Data Processing Agreement (DPA).

The specific content of the agreement will depend on your role and the role of the other party.

Furthermore, if there is an international transfer of personal data, it is crucial to determine which countries the data will be transferred to, as this will affect the application of Standard Contractual Clauses (SCCs) or other mechanisms for adequate data transfers (more on this in the next section).

Why is it important to conclude Data Processing and International Data Transfer Agreements (DPA)?

Because hefty fines await you!

Personal data protection regulations define extremely high penalties for failing to conclude appropriate data processing agreements. For example, according to the Serbian Law on Personal Data Protection, the penalty for violating this obligation can be up to 2 million Serbian dinars, while under the GDPR, this penalty can reach up to 10 million EUR (or 20 million in the case of international transfer) or 2% of your global annual revenue (or 4% in the case of international transfer), whichever amount is higher.


As mentioned above, it is crucial to determine the countries to which you will transfer personal data and whether they are considered “risky” countries.

“Risky” or so-called “third countries” are those countries that do not provide an adequate level of data protection. From the EU perspective, these countries include the United States, China, Russia, and even Serbia. Practically, this means that any transfer of data from the EU to these countries is considered risky, and it is necessary to apply the EU Standard Contractual Clauses (SCCs) or other mechanisms defined by the GDPR for such transfers[1].

From the perspective of domestic regulations, the United States is also not considered a country that provides an adequate level of data protection, and other countries such as China fall into the same category. Therefore, if you transfer data from Serbia to any of these countries, you will need to apply the Standard Contractual Clauses of the Commissioner for Personal Data Protection of Serbia (SCC SRB)[2].


You have addressed all the previous steps, concluded appropriate agreements, and implemented the necessary SCCs, and now you can finally relax.

Or can you?

Unfortunately, you have not yet reached the end of your compliance process.

According to the GDPR and the new EU SCCs, which have been applicable since December 27, 2022, you are obliged to conduct a Data Transfer Impact Assessment (DTIA).

DTIA is a relatively new obligation in the field of personal data protection and can be considered a consequence of the well-known Schrems II judgment of the European Court of Justice[3], which deals with the transfer of data from the EU to third countries.

In this ruling, the court took the position that the application of only the EU SCCs is not sufficient for data transfers from the EU to third countries. It is also necessary to assess the risks and consequences of such transfers, whether the regulations in the recipient country are in line with EU regulations, and whether there is still a risk despite the implementation of additional measures and safeguards. This assessment is achieved through the implementation of DTIA.

What is DTIA?

Conducting DTIA in advance serves to map the risks that play or may play a role in the planned transfer of personal data to a third country.

This process must be documented, and you need to conduct it before any transfer takes place because the result of DTIA actually answers the question of whether you can transfer data outside the EU or not.

Who must conduct DTIA?

Both data controllers and data processors who export data from the EU/EEA must conduct DTIA.

This obligation arises from both the aforementioned Schrems II judgment, and the European Data Protection Board (EDPB) Guidelines on international data transfers[4], as well as the EU SCCs themselves.

Therefore, if you have concluded EU SCCs, you are obliged to conduct DTIA.

If you think that this obligation bypasses your company if it is registered in Serbia, you are mistaken.

The most common cases where you will have an obligation to conduct or at least participate in DTIA are situations when you engage in business cooperation with companies from the EU.

Since your business partner from the EU must comply with the GDPR and your Serbian company operates in a country that does not provide an adequate level of protection, the EU company will have to conduct DTIA. However, to answer the questions in DTIA related to the regulations of the Republic of Serbia and the treatment of data in Serbia, you will need to provide answers and explain the practices of our state authorities. Thus, the obligation to conduct DTIA falls on your shoulders, and the continuation of cooperation with the EU company depends precisely on your answers to DTIA.

What are the consequences of not conducting DTIA?

The consequences of not conducting DTIA can be significant.

First and foremost, you risk facing (multi-million) fines for GDPR violations, which can amount to 20 million EUR or 4% of your global annual revenue, whichever amount is higher.

In addition, individuals whose data you have processed can sue you in competent courts, seeking compensation for the breach of their personal data and privacy rights due to international transfers without adequate protective measures.

Finally, if you fail to conduct or participate in DTIA upon the request of your business partners, you risk the termination or failure to establish business cooperation

[1] In addition to SCCs, other mechanisms that can be applied are Binding Corporate Rules (BCRs), approved codes of conduct, issued certificates, etc.

[2] Or another mechanism in accordance with the Law on Personal Data Protection, such as BCRs, approved codes of conduct, issued certificates, etc.

[3] Document 62018CJ0311, Judgment of the Court (Grand Chamber) of 16 July 2020.
Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CJ0311

[4]European Data Protection Board – nezavisno telo EU čija je svrha da obezbedi doslednu primenu GDPR

Similar Articles

Latest Articles

Ready to get started?

If you are not sure about what the first step should be, schedule consultations with one of our experts.





Not Just Another Newsletter

Forget boring legal analysis and theory. Receive timely updates,
news and reminders that can actually help your business.