A rock star among legal documents, the General Data Protection Regulation (hereinafter: GDPR), which attracted enormous media interest and an unprecedented level of lobbying, started with implementation on May 25, 2018. GDPR introduced a complete transformation of understanding of the importance of processing and protection of personal data in the digital age.
Although it is an EU regulation, under certain conditions, Serbian companies must comply with the GDPR as well. If you are not certain if you should be worried about the application of GDPR’s provisions, you can ascertain that based on instructions in our blog Territorial Scope of GDPR in Serbia.
Unfortunately for you, if you were convinced that you got away with the application of this lengthy regulation consisting of unbelievable 88 pages, which stipulates numerous obligations for companies along with enormous penalties amounting up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher, well, you were wrong.
Under the influence of GDPR, for the purpose of harmonization with the EU law, Serbia enacted the Law on personal data protection in November 2018, through which it adopted the majority of principles and standards of GDPR. Even though the new Law on personal data protection is subject to significant criticism (which we have already covered in our blog Ministry of justice got lost in translation – again?), it is certain that it introduced an incomparably higher standard of personal data protection. The higher protection standard, however, implies more obligations for everyone who processes personal data.
Just like GDPR, which was adopted in 2016, which started with implementation two years later, the new Law on Personal Data Protection (hereinafter: the new Law) provided all legal subjects with a period of 9 months to harmonize their activities and business with its provisions.
That period expired on August 21, 2019, which is when the Law started to implement.
But, better late than newer. It is useful to get introduced to the obligations that this Law imposes, so you can get your company compliant. Even though the new Law also regulates the processing of personal data concerning state organs and institutions, this text will focus solely on the private sector with an emphasis on companies.