Although it has been almost 10 months since the Law on Personal Data Protection (hereinafter referred to as the Law) entered into force, some of its provisions have only recently reached their full extent. One of the examples is Article 44 of the Law, prescribing the duty of foreign companies which are not located in the Republic of Serbia to appoint their DP representative in our country .
This provision, as well as the majority of our Law, was adopted from Article 27 of the General Data Protection Regulation (hereinafter referred to as GDPR) and refers to any personal data controller and processor who does not reside in Serbia, but has to comply with our Law without exception. Exterritorial scope includes those subjects who provide their products or services within Serbia or process personal data on its territory.
One of the examples of data controllers who promptly complied with their obligations in accordance with GDPR is eSky, a company specialized in the area of travel organization services.
This company expanded its business by forming branches in numerous countries all over the world, among which is our country, as well.
The expansion of the business created new obligations and duties. Therefore, as a responsible data controller, eSky is required to appoint its personal data protection representative in writing. All the data subjects whose data is being processed by eSky, as well as the Commissioner himself, can contact the representative in case they have any questions or dilemmas regarding personal data protection on the territory of Serbia.
To comply with their legal obligation, this company has officially appointed their representative by choosing Attorney at Law Tijana Žunić Marić , a partner at Zunic Law Firm in Novi Sad. In addition, Who’s Who Legal, one of the world’s leading independent directories of legal practitioners, recommended Tijana Žunić Marić, as one of the world’s leading experts in the field of Data Protection & Privacy in their global guide “Date: 2020”, making her the first and only lawyer from Serbia to have received such an esteemed recommendation in this particular area of law (for more information, read our previous text here).
The information about the personal data protection representative has been published as part of eSky’s Privacy Policy, including information for all interested persons who wish to contact this subject in order to direct inquiries or exercise their rights regarding personal data protection.
The importance of appointing the DP representative is immense, especially when bearing in mind the extent to which personal data processing intrudes on fundamental human rights. Although it has been a while since this obligation was prescribed on the European level, global companies have obviously experienced some difficulties in the implementation of the above-mentioned Article 27 of the GDPR; therefore, concrete measures directed to the appointment of subjects specialized in the area of the protection of data subjects’ privacy have been underway for the last few months. The Share Foundation invited global corporations to fulfill their obligations in this regard, highlighting that the fact that Serbia is currently not a State Member of the European Union does not exempt the subjects engaged in data processing on its territory from the obligation to appoint the DP representative . Furthermore, the foundation has stated eSky, besides Google, as a good example of complying with the law .
The failure of controllers and processors to comply with their legal obligations might also be a consequence of an insufficient understanding of their content. Given that our Law has practically adopted the majority of the GDPR provisions, a parallel can be drawn between the institution of the DP representative and the European institution of the Data Protection Officer (DPO). Although they might appear similar, it is crucial to distinguish these terms – we explained the differences between them in our text Data Protection Officer vs GDPR appointed country representative for Serbia .
Controllers and processors doing business on a global level very often do not consider our country as part of Europe and, therefore, neglect the regulation regarding data protection of data subjects within Serbia. That way, Serbian citizens may be denied their guaranteed rights, which can reflect negatively on legal certainty and rule of law. Data controllers who fail to fulfill their obligations may face penal liabilities and fines which, although they may not affect the financial stability of gigantic companies, surely will not have a favorable effect on their reputation. For this reason, all subjects obliged to appoint a country representative for Serbia shall comply with the law as soon as possible, thus enabling the citizens to exercise and protect their rights related to the protection of their personal data.
