{"id":40425,"date":"2022-06-13T09:59:00","date_gmt":"2022-06-13T07:59:00","guid":{"rendered":"https:\/\/zuniclaw.com\/basic-concepts-of-the-law-on-personal-data-protection-in-serbia-is-your-company-compliant-after-almost-3-years-of-its-adoption\/"},"modified":"2025-05-12T13:37:42","modified_gmt":"2025-05-12T11:37:42","slug":"serbia-personal-data-protection-law","status":"publish","type":"post","link":"https:\/\/zuniclaw.com\/en\/serbia-personal-data-protection-law\/","title":{"rendered":"Serbia Personal Data Protection Law: Are You Compliant 5 Years Later?"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

A rock star among legal documents, the General Data Protection Regulation (hereinafter: GDPR<\/strong>), which attracted enormous media interest and an unprecedented level of lobbying, started with implementation on May 25, 2018. GDPR introduced a complete transformation of understanding of the importance of processing and protection of personal data in the digital age.<\/p>

Although it is an EU regulation, under certain conditions, Serbian companies must comply with the GDPR as well. If you are not certain if you should be worried about the application of GDPR\u2019s provisions, you can ascertain that based on instructions in our blog Territorial Scope of GDPR in Serbia<\/a>.<\/p>

Unfortunately for you, if you were convinced that you got away with the application of this lengthy regulation consisting of unbelievable 88 pages, which stipulates numerous obligations for companies along with enormous penalties amounting up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher, well, you were wrong.<\/p>

Under the influence of GDPR, for the purpose of harmonization with the EU law, Serbia enacted the Law on Personal Data Protection<\/a> in November 2018, through which it adopted the majority of principles and standards of GDPR. Even though the new Law on personal data protection is subject to significant criticism (which we have already covered in our blog Ministry of Justice got lost in translation \u2013 again?<\/a>), it is certain that it introduced an incomparably higher standard of personal data protection. The higher protection standard, however, implies more obligations for everyone who processes personal data.<\/p>

Just like GDPR, which was adopted in 2016, and started with implementation two years later, the new Law on Personal Data Protection (hereinafter: the new<\/strong> Law<\/strong>) provided all legal subjects with a period of 9 months to harmonize their activities and business with its provisions.<\/p>

That period expired on August 21, 2019, which is when the Law started to be implemented.<\/strong><\/p>

But, better late than newer. It is useful to get introduced to the obligations that this Law imposes, so you can get your company compliant. Even though the new Law also regulates the processing of personal data concerning state organs and institutions, this text will focus solely on the private sector with an emphasis on companies.<\/p><\/div><\/section>

That period expires on August 21, 2019, which is when the new Law will start to implement.<\/strong><\/p><\/div><\/div><\/section>

Some of the novelties, which you may be interested in, will be further explained in the blog. Nevertheless, even though the new Law also regulates the processing of personal data concerning state organs and institutions, this text will focus solely on the private sector with the emphasis on companies.<\/p><\/div><\/section>

\u00a0<\/h2>

Does the Serbia Personal Data Protection Law Affect My Company?<\/h2><\/div>

\u00a0<\/p>

The Law on Personal Data Protection applies to everyone who processes personal data. Processing means any automated or non-automated action related to personal data, such as collection, recording, organization, consultation, erasure, and storage, as well as all other actions relating to personal data.<\/p>

For example, it is sufficient that you just store personal data on a server, without having insight into that database, for you to be processing personal data, thus being subject to the Law\u2019s application.<\/p>

We frequently come across statements of our clients who claim they do not process personal data. This misinterpretation is incredibly widespread. In fact, almost every company processes personal data.<\/p>

If it does not process the personal data of third parties in the course of the main (basic) business activity of the company (for example, processing of consumers\u2019 personal data), certainly every company processes personal data concerning its employees and job candidates.<\/p>

If you are an employer and would like to find out what you should pay attention to, please see our blog 9 Most Common Misconceptions of Employers on Personal Data Protection<\/a>.<\/p>

The provisions of the Law apply to the processing of personal data performed by a controller, or a processor whose seat (in case of a legal entity) or residence is in the territory of Serbia, in the course of activities that are performed on the territory of Serbia, whether or not the action of processing is performed on the territory of Serbia.<\/p><\/div><\/section>

\u00a0<\/h2>

Does the Law Affect Foreign Companies Without Seat in Serbia?<\/h2><\/div>

\u00a0<\/p>

Just like it is possible, under certain conditions, to apply the GDPR provisions to companies that do not have any business presence within the EU, the new Law can be also applied to the processing of personal data of data subjects by a controller or a processor without a seat in Serbia. For the extra-territorial application, one of the following two requirements has to be fulfilled:<\/p>

  1. The action of processing is related to an offer of goods or services to a data subject in the territory of Serbia, regardless of whether that person is paying compensation for such goods or services;<\/li><\/ol>

    \u00a0<\/p>

    Hence, if your company engages in electronic commerce and offers goods and\/or services in the territory of Serbia, as well, with an option of shopping in Serbia and marketing activities directed towards buyers from Serbia, you are obliged to harmonize with the Law, despite the fact that your seat is not in Serbia.<\/p>

    1. The processing action is related to monitoring the activities of a data subject, and the activities are conducted in the territory of the Republic of Serbia.<\/li><\/ol>

      \u00a0<\/p>

      Therefore, foreign companies, that monitor the behavior of citizens in the territory of Serbia (for example, through cookies \u201ctrackers\u201d), will have to act in accordance with the Law, even if their seat is not in Serbia.<\/a><\/p><\/div><\/section>

      \u00a0<\/h2>

      Are There Any Exemptions?<\/h2><\/div>

      \u00a0<\/p>

      There are several cases in which the Law does not apply:<\/p>