The Law lists as many as 32 offenses for which the data controller or the processor may be punished. Among the listed offenses are processing personal data in a way that is not in accordance with the key principles of data processing, processing data for purposes contrary to the Law, failing to delete personal data in accordance with the Law, and failing to notify the Commissioner of a data breach.
For the stated offenses, the Misdemeanor Court may impose a fine ranging from RSD 50,000 to RSD 2,000,000 on a data controller or processor that is a legal person. If it is established that the data controller or the processor committed several offenses simultaneously, they may be fined up to RSD 4,000,000.
Moreover, a natural person who fails to keep confidential the personal data they acquired through employment may be fined from RSD 5,000 to RSD 150,000 for that offense.
In addition to the stated fines, if the data controller or processor, as a legal person, violates the obligations provided by the Law, the Commissioner may issue a misdemeanor report imposing a fine of RSD 100,000. Violations of the stated obligations include, among other things, the following:
- proceeding with processing for the purpose of direct marketing after the data subject has filed an objection to such processing;
- failing to appoint a representative in the Republic of Serbia;
- failing to publish the contact data of the DPO (Data Protection Officer) and to deliver them to the Commissioner, etc.