A rock star among legal documents, the General Data Protection Regulation (hereinafter: GDPR), which attracted enormous media interest and an unprecedented level of lobbying, started with implementation on May 25, 2018. GDPR introduced complete transformation of understanding the importance of processing and protection of personal data in the digital age.
Although it is an EU regulation, under certain conditions, Serbian companies must comply with the GDPR as well. If you are not certain if you should be worried about the application of GDPR’s provisions, you can ascertain that based on instructions in our blog Territorial Scope of GDPR in Serbia.
Unfortunately for you, if you believe you got away with the application of this lengthy regulation consisting of unbelievable 88 pages, which stipulates numerous obligations for companies along with enormous penalties amounting up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher, such happiness will be short-lived.
Under the influence of GDPR, for the purpose of harmonization with the EU law, Serbia enacted the new Law on personal data protection in November 2018, through which it adopted the majority of principles and standards of GDPR. Even though the new Law on personal data protection is subject to significant criticism (which we have already covered in our blog Ministry of justice got lost in translation – again?), it is certain that it introduced an incomparably higher standard of personal data protection. The higher protection standard, however, implies more obligations for everyone who processes personal data.
Just like GDPR, which was adopted in 2016, which started with implementation two years later, the new Law on personal data protection (hereinafter: the new Law) provided all legal subjects with a period of 9 months to harmonize their activities and business with its provisions.