The Law on Personal Data Protection from 2008 prescribes that personal data is any information related to a natural person, regardless of the form it is expressed in and the information carrier (paper, tape, film, electronic media etc.), upon whose request, in whose name or in whose account that information is stored, date of creation, the location where it is stored, means of acquiring the information (directly, by listening or watching etc., or indirectly, by viewing the document containing the information etc.) or regardless of other properties of the information.
However, since this Law does not adequately regulate the subject matter of personal data protection, the need to adopt a new law dates back to 2012, and all of this with the purpose of aligning our legislation with the EU legislation. The European Commission confirmed this in the report from 2016, in which they state that it is necessary to urgently adopt a new law which will be in accordance with the EU standards. The adoption of the new law on personal data protection is one of the conditions of the negotiations between Serbia and the European Union, by virtue of opening Chapter 23.
The Serbian Government committed to adopt the new law by the end of 2015, on the basis of the Model prepared by the Commissioner for Information of Public Interest. However, this project has still not been realized, and the deadlines to adopt the new law have been postponed several times.
The last progress made in the realization of this project was the adoption of the Draft law on Personal Data Protection, prepared by the Ministry of Justice of the Republic of Serbia. However, this Draft was criticized by the expert public, and the European Commission and Eurojust filed their complaints. Specifically, the criticism of the domestic and public opinion addresses the need for a more adequate regulation of video-surveillance, prevention of potential abuse of the citizen’s unique identification number, and establishing more effective data protection in the public sector.
According to the aforementioned Draft law, personal data is “any data that refers to the natural person, whose identity is determined or can be determined, directly or indirectly, especially on the basis of an identity label, such as a name and ID number, location data, identifiers in electronic communication networks or one or more properties of their physical, physiological, genetic, mental, economic, cultural and social identity”.
Since the Draft law does not specifically mention IP addresses but mentions “an identifier in electronic communication networks”, it can be concluded that the new law is compliant with GDPR on this matter.