{"id":40497,"date":"2022-06-10T14:07:00","date_gmt":"2022-06-10T12:07:00","guid":{"rendered":"https:\/\/zuniclaw.com\/territorial-scope-of-gdpr-in-serbia\/"},"modified":"2025-05-13T14:35:02","modified_gmt":"2025-05-13T12:35:02","slug":"gdpr-in-serbia","status":"publish","type":"post","link":"https:\/\/zuniclaw.com\/en\/gdpr-in-serbia\/","title":{"rendered":"Territorial Scope of GDPR in Serbia"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"40497\" class=\"elementor elementor-40497 elementor-33328\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-11a15948 e-flex e-con-boxed e-con e-parent\" data-id=\"11a15948\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-413b6909 elementor-widget elementor-widget-text-editor\" data-id=\"413b6909\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>On 25 May 2018, the GDPR entered into force. This means that from that date, compliance with its provisions is mandatory for natural and legal persons residing or established in the European Union. However, under certain conditions, GDPR in Serbia is also applicable to natural and legal persons.<\/p><p>Given that the GDPR breach provides for extremely high penalties<a href=\"https:\/\/zuniclaw.com\/en\/representative-office-in-serbia\/\"> if you own a Serbia-based company with the establishment in the EU<\/a> (conditions are listed below), it is useful to know when your company is subject to the GDPR.<\/p><p>There are three possible case scenarios under which GDPR may apply to you:<\/p><\/div><\/section><div class=\"avia-image-container av-jnkb3czd-b2ddbaf3335d420c5f422174d1c9b9f2 av-styling- avia-align-center avia-builder-el-14 el_after_av_textblock el_before_av_textblock \"><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-16026 avia-img-lazy-loading-not-16026 avia_image \" src=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CASE-table.jpg\" sizes=\"(max-width: 1030px) 100vw, 1030px\" srcset=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CASE-table.jpg 1030w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CASE-table-300x204.jpg 300w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CASE-table-768x521.jpg 768w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CASE-table-705x478.jpg 705w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CASE-table.jpg 1085w\" alt=\"\" width=\"1030\" height=\"699\" \/><\/div><\/div><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>In this blog post, we will focus on the GDPR that applies to data controllers with a presence in Serbia (<strong>Case No. 2<\/strong>).<\/p><\/div><\/section><div class=\"av-special-heading av-25u2tue-5b1a48107c6d1c056661a58e2252b536 av-special-heading-h2 blockquote modern-quote modern-centered avia-builder-el-16 el_after_av_textblock el_before_av_textblock av-linked-heading\"><h2>\u00a0<\/h2><h2 class=\"av-special-heading-tag\">GDPR Provisions \u2013 the Guidelines<\/h2><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>\u00a0<\/p><p>Since GDPR provisions are wide, and therefore subject to different interpretations, the European Board for Data Protection (EDPB) issued <a href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/consultation\/edpb_guidelines_3_2018_territorial_scope_en.pdf\" target=\"_blank\" rel=\"noopener\">Guidelines <\/a>on the territorial scope of the GDPR, in order to clarify, among other things, in which cases GDPR applies to companies headquartered outside the EU. The Guidelines clarify the following:<\/p><ul><li>offering goods or services to data subjects who are physically in the EU,<\/li><li>monitoring of the behavior of data subjects in the EU, as far as their behavior takes place within the EU.<\/li><\/ul><p>\u00a0<\/p><p>The EDPB clarifies two frequent misconceptions:<\/p><ul><li>GDPR applies only to data controllers and data processors with the establishment in the EU,<\/li><li>GDPR always applies to data controllers and data processors that process data of a data subject who is a citizen of one of the EU Member States.<\/li><\/ul><\/div><\/section><section class=\"av_textblock_section av-kk59h4i-86bdef1decbcf57c6d1793bd34733046\"><div class=\"avia_textblock\"><div><p>\u00a0<\/p><p>If a controller or a processor established in Serbia processes the data of an EU Member State citizen, that does not imply automatic application of the GDPR.<\/p><\/div><\/div><\/section><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>As an example, let\u2019s take a Serbian IT company that processes data of French citizens (data subjects who are EU citizens) <strong>located in Serbia<\/strong>, with the purpose of offering goods or services on the territory of the Republic of Serbia. Does this company have to comply with the GDPR?<\/p><p>The answer is: <strong>NO<\/strong><\/p><p>Now, let\u2019s assume that a Serbian IT company processes data of a data subject (any country\u2019s citizen) who is, at the moment of offering goods or services on behalf of a Serbian IT company, <strong>located on the territory of one of the EU Member States<\/strong>. Does this company have to comply with the GDPR?<\/p><p>The answer is: <strong>YES<\/strong><\/p><p>Therefore, in order for the GDPR to apply to controllers and\/or processors based outside of the EU, it doesn\u2019t matter whether the processed data belongs to data subjects who hold citizenship or temporary or permanent residence in one of the EU Member States. What is important is that the data subjects are physically located in the European Union.<\/p><p>The European Data Protection Board provides a good example that explains that GDPR applies to all individuals physically present in the EU.<\/p><\/div><\/section><div class=\"avia-image-container av-jnkb3czd-416be3ca41f4ca5c03f0a1f8df0c88fa av-styling- avia-align-center avia-builder-el-20 el_after_av_textblock el_before_av_textblock \"><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class=\"wp-image-16027 avia-img-lazy-loading-not-16027 avia_image \" src=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-1.jpg\" sizes=\"(max-width: 1030px) 100vw, 1030px\" srcset=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-1.jpg 1030w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-1-300x99.jpg 300w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-1-768x254.jpg 768w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-1-705x233.jpg 705w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-1.jpg 1198w\" alt=\"\" width=\"1030\" height=\"340\" \/><\/div><\/div><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>\u00a0<\/p><p>Regardless of the duration of the \u201coffering of goods or services\u201d, for the <a href=\"https:\/\/zuniclaw.com\/en\/data-protection-lawyer\/\">application of the GDPR<\/a>, it is sufficient to process the personal data of individuals who, at the moment of offering goods or services, are located on the territory of one of the EU Member States \u2013 regardless of whether they have paid for those goods or services. In other words, the data processing carried out for this purpose, without the final purchase of these goods, i.e., the payment for services, suffice for imposing rigorous penalties prescribed by the GDPR in case of non-compliance.<\/p><p>On the other hand, if a data controller or data processor based outside the EU processes the personal data of individuals located in the EU, that is not an adequate basis to apply the provisions of the GDPR. What is necessary, is that the purpose of this data processing is to offer goods or services to these individuals, or to monitor their behavior within the Union.<\/p><p><strong>But how to determine whether the data of the data subjects who are located in the EU is processed with the intention of offering goods or services, or in order to monitor the behavior of the individuals within the Union?<\/strong><\/p><p>For these reasons, the EDPB provided instructions in their Guidelines that should be followed in order to determine the answer to this question.<\/p><\/div><\/section><div class=\"av-special-heading av-5emy0m-0627b9922b1985af259fe2aca0f8bcd5 av-special-heading-h2 blockquote modern-quote modern-centered avia-builder-el-22 el_after_av_textblock el_before_av_hr av-linked-heading\"><h2>\u00a0<\/h2><h2 class=\"av-special-heading-tag\">Data Processing to Offer Goods and Services<\/h2><\/div><div class=\"hr av-k0cmdopt-4998cd37a928fdc0de3321774ffc0abb hr-invisible avia-builder-el-23 el_after_av_heading el_before_av_image \">\u00a0<\/div><section class=\"av_textblock_section av-1o7xx49-bdbb47ae29ccb1aa361a3992f913ac4f\"><div class=\"avia_textblock\"><p>The EDPB provided instructions in their Guidelines that indicate that the data of these data subjects are processed precisely for these reasons.<\/p><\/div><\/section><div class=\"av-special-heading av-1c9scuu-300f45033ac87a678651c5607b1a608b av-special-heading-h2 blockquote modern-quote modern-centered avia-builder-el-26 el_after_av_textblock el_before_av_image av-linked-heading\"><h2>\u00a0<\/h2><h2 class=\"av-special-heading-tag\">Terms<\/h2><\/div><div class=\"avia-image-container av-jnkb3czd-7190edae1e05e770b95fa8de99c462d4 av-styling- avia-align-center avia-builder-el-27 el_after_av_heading el_before_av_textblock \"><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class=\"wp-image-16029 avia-img-lazy-loading-not-16029 avia_image \" src=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CONTROLLER.jpg\" sizes=\"(max-width: 946px) 100vw, 946px\" srcset=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CONTROLLER.jpg 946w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CONTROLLER-300x271.jpg 300w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CONTROLLER-768x692.jpg 768w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/CONTROLLER-705x636.jpg 705w\" alt=\"\" width=\"946\" height=\"853\" \/><\/div><\/div><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>\u00a0<\/p><p>In the event of several of the above-mentioned criteria, the EDPB holds the opinion that data of data subjects located within the European Union are processed precisely for the purpose of offering goods or services. In other words, the GDPR applies to such controllers and\/or processors.<\/p><p>As one example when it is considered that a controller with an establishment outside the EU processes the data of the individuals located within the EU member state in order to offer the goods or services, EDPB published the following:<\/p><\/div><\/section><div class=\"avia-image-container av-jnkb3czd-330ed90603c939b2b3b89f5d01964dbc av-styling- avia-align-center avia-builder-el-29 el_after_av_textblock el_before_av_textblock \"><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-16030 avia-img-lazy-loading-not-16030 avia_image \" src=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-2.jpg\" sizes=\"(max-width: 991px) 100vw, 991px\" srcset=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-2.jpg 991w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-2-300x124.jpg 300w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-2-768x317.jpg 768w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/Table-2-705x291.jpg 705w\" alt=\"\" width=\"991\" height=\"409\" \/><\/div><\/div><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>On the other hand, data processing of EU Member State citizens who are <a href=\"https:\/\/zuniclaw.com\/en\/personal-data-protection-law-serbia\/\">employed in a company in Serbia<\/a>, for the purpose of paying salaries is not considered data processing with the purpose of offering goods or services. Hence, such a company is not required to comply with the GDPR.<\/p><\/div><\/section><div class=\"av-special-heading av-uw62dy-8ec5eeb285af2998ea35b217b5059cdd av-special-heading-h2 blockquote modern-quote modern-centered avia-builder-el-31 el_after_av_textblock el_before_av_hr av-linked-heading\"><h2>\u00a0<\/h2><h2 class=\"av-special-heading-tag\">Data Processing for the Purpose of Monitoring Behavior<\/h2><\/div><div class=\"hr av-k0cme3x2-c297df0ae0c3be4adc7c86fbc0da87cf hr-invisible avia-builder-el-32 el_after_av_heading el_before_av_image \">\u00a0<\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>The European Data Protection Board has provided an interpretation of when it is considered that a controller, or processor, monitors the behavior of individuals in the EU and the behavior that takes place within the Union.<\/p><p>Primarily, it should be noted that monitoring involves monitoring people via the Internet or profiling them in order to analyze or predict their personal preferences, behaviors, and attitudes.<\/p><p>Monitoring can take the form of:<\/p><p>\u2013 advertising, based on the person\u2019s behavior,<\/p><p>\u2013 monitoring geo-location for marketing purposes,<\/p><p>\u2013 online tracking through the use of cookies or other tracking techniques,<\/p><p>\u2013 Personalized diet and health analytics online services,<\/p><p>\u2013 CCTV,<\/p><p>\u2013 Market surveys and other behavioral studies based on individual profiles,<\/p><p>\u2013 Monitoring or regular reporting on an individual\u2019s health status.<\/p><p>The European Data Protection Board also cites an example where a retailer, or a processor with an establishment outside the European Union, is processing personal data of data subjects who are in the EU in order to monitor their behavior within the Union.<\/p><\/div><\/section><div class=\"avia-image-container av-jnkb3czd-dc5d63a7716d2b67a1dcd51f3abd9333 av-styling- avia-align-center avia-builder-el-35 el_after_av_textblock el_before_av_textblock \"><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-16032 avia-img-lazy-loading-not-16032 avia_image \" src=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-3.jpg\" sizes=\"(max-width: 983px) 100vw, 983px\" srcset=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-3.jpg 983w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-3-300x84.jpg 300w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-3-768x214.jpg 768w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-3-705x197.jpg 705w\" alt=\"\" width=\"983\" height=\"274\" \/><\/div><\/div><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>\u00a0<\/p><p>It should be mentioned that when each of these criteria is taken separately, it does not indicate that goods or services are offered to people who are in the European Union, i.e., that their behavior is being monitored. Nevertheless, a combination of several of these criteria leads to the conclusion that they are the target group.<\/p><\/div><\/section><div class=\"av-special-heading av-l4ck8l92-df10646b57097911298b6a2c052fbbbc av-special-heading-h2 blockquote modern-quote modern-centered avia-builder-el-37 el_after_av_textblock el_before_av_hr av-linked-heading\"><h2>\u00a0<\/h2><h2 class=\"av-special-heading-tag\">GDPR in Serbia: Controller vs Processor<\/h2><\/div><div class=\"hr av-k0cmg18v-3c2671a1feaebfa926f8ea5e36b70aa1 hr-invisible avia-builder-el-38 el_after_av_heading el_before_av_image \">\u00a0<\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>If, within your business operations, you conduct any of the following activities:<\/p><ul><li>Process information about data subjects physically present in the European Union in order to offer the goods or services, regardless of whether the data subject whose data is being processed should pay for those goods or services,<\/li><\/ul><p>OR<\/p><ul><li>Monitor the behavior of these data subjects, as far as their behavior takes place within the EU,<\/li><\/ul><p>\u00a0<\/p><p>it is necessary to <a href=\"https:\/\/zuniclaw.com\/en\/data-protection-lawyer\/\">comply with the GDPR procedures<\/a> in order to avoid paying astronomical fines.<\/p><p>This means that it is necessary, in accordance with GDPR, to <a href=\"https:\/\/zuniclaw.com\/en\/data-protection-officer-serbia\/\">hire a person who will act on your behalf and for your account as your representative<\/a> in the European Union and enable you to comply with the provisions of the GDPR. A representative can be either a natural or a legal person. The representative\u2019s data must be available to data subjects whose data are being processed, for example, it may be listed in your privacy policy. The representative should be established in the EU Member State in which the data subjects whose data are being processed are located.<\/p><\/div><\/section><div class=\"avia-image-container av-jnkb3czd-7e76f8b12e5d96b390cb7c488a24b118 av-styling- avia-align-center avia-builder-el-41 el_after_av_textblock el_before_av_textblock \"><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-16034 avia-img-lazy-loading-not-16034 avia_image \" src=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-4.jpg\" sizes=\"(max-width: 982px) 100vw, 982px\" srcset=\"https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-4.jpg 982w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-4-300x131.jpg 300w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-4-768x335.jpg 768w, https:\/\/zuniclaw.com\/wp-content\/uploads\/2019\/07\/table-4-705x307.jpg 705w\" alt=\"\" width=\"982\" height=\"428\" \/><\/div><\/div><\/div><section class=\"av_textblock_section av-1o7xx49-467f47953f42c11cd28de630fbd7adc9\"><div class=\"avia_textblock\"><p>\u00a0<\/p><p>An indicator of how important it is to comply with the GDPR certainly is the decision of the French Data Protection Authority (CNIL) to impose a fine of 50,000,000.00 euros on Google, which we talked about in detail in our <a href=\"https:\/\/zuniclaw.com\/en\/gdpr-breach-france-sanctioned-google\/\">news<\/a> section.<\/p><p>This decision should be a warning to data controllers and data processors established in Serbia, especially those to whom the GDPR applies \u2013 to honor their obligations under the GDPR on time and in total, as non-compliance entails serious sanctions.<\/p><\/div><\/section><div><p>One of the simplest ways to facilitate the GDPR compliance is by using specialized software like <a href=\"https:\/\/whisperly.ai\/\" target=\"_blank\" rel=\"noopener\">Whisperly<\/a>, which automates key data protection processes.<\/p><\/div><section class=\"av_textblock_section av-1o7xx49-bdbb47ae29ccb1aa361a3992f913ac4f\"><div class=\"avia_textblock\"><h6>1 European Data Protection Board, Guidelines 3\/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 13, example 8;<\/h6><h6>2 European Data Protection Board, Guidelines 3\/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 13, example 12.<\/h6><h6>3 European Data Protection Board, Guidelines 3\/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 18, example 15.<\/h6><h6>4 European Data Protection Board, Guidelines 3\/18 on the territorial scope of GDPR (Article 3), of November 16, 2018, page 22, example 20.<\/h6><\/div><\/section>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>On 25 May 2018, the GDPR entered into force. This means that from that date, compliance with its provisions is mandatory for natural and legal persons residing or established in the European Union. However, under certain conditions, GDPR in Serbia is also applicable to natural and legal persons. Given that the GDPR breach provides for [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":66755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126],"class_list":["post-40497","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy-data-protection-en"],"_links":{"self":[{"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/posts\/40497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/comments?post=40497"}],"version-history":[{"count":6,"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/posts\/40497\/revisions"}],"predecessor-version":[{"id":66768,"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/posts\/40497\/revisions\/66768"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/media\/66755"}],"wp:attachment":[{"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/media?parent=40497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zuniclaw.com\/en\/wp-json\/wp\/v2\/categories?post=40497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}