The Serbian Parliament has passed a new data protection law (Zakon o zaštiti podataka o ličnosti – New Data Protection Law), which entered into force on 21 November 2018 and is applicable as from 21 August 2019. Serbia has enacted this new legislation pursuant to its obligations in the European Union's (EU) accession process.
Consequently, companies that are either established in Serbia or intend to do business in Serbia would be well-advised to take the following considerations into account in their data compliance policy.
1. What's new?
Since Serbia is not an EU Member State, the General Data Protection Regulation (EU 2016/679 – GDPR) is not directly applicable in Serbia. Because of its broad territorial scope, however, the GDPR may apply in specific circumstances in addition to the New Data Protection Law (see section 3 below). The (still) applicable Serbian Personal Data Protection Act 2008 (Old Data Protection Law) is not aligned with the principles and rules on the protection of personal data laid down in the GDPR. The New Data Protection Law, in contrast, is mainly based on the provisions of the GDPR. Unlike the Old Data Protection Law, it applies not only to data controllers but also to data processors, and it adopts the same (broad) territorial scope as the GDPR. As a result, companies not established in Serbia may fall within the scope of the New Data Protection Law if there is any link between the data processing activity and Serbia.
The main differences between the Old and the New Data Protection Law, taking the provisions of the GDPR into account, are as follows:
- Data subject rights: The Old Data Protection Law stipulates certain data subject rights, such as the right to request access to data. The New Data Protection Law extends these rights by granting the same rights as under the GDPR and imposes additional burdens on data controllers if a data subject requests the deletion of their personal data.
- Consent: Unlike the Old Data Protection Law, which recognises only written statements, or oral statements made for the record, as a valid form of consent, the New Data Protection Law introduces new ways (as laid down in the GDPR) for consent to be valid, including oral and electronic means. Like the GDPR, the New Data Protection Law clarifies that consent must be freely given and that the data subject must be informed about the data processing activities beforehand.
- Data security: The Old Data Protection Law obliges the data controller to adequately protect data without stipulating any specific security requirements. The New Data Protection Law, on the other hand, requires the implementation of appropriate technical, organizational and personnel measures, including appropriate data protection policies. As under the GDPR, this obligation also applies to the data processor.
- Data transfer: Under the Old Data Protection Law, each individual transfer of personal data outside Serbia needs to be authorized by the Serbian data protection authority (Serbian DPA), unless the destination country is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (e.g. all EU Member States). Art 63 of the New Data Protection Law extends the possibilities for legally transferring personal data outside Serbia – without the need to obtain further authorization – by laying down the same conditions as the GDPR. Personal data may therefore be transferred to countries which provide an adequate level of data protection according to the European Commission, or which have an international agreement (regulating the international transfer of personal data) in place. Similarly, transferring personal data to countries which do not provide an adequate level of data protection is legitimate in specific instances, such as where the transfer is based on standard contractual clauses issued by the Serbian DPA. Nevertheless, the Serbian Parliament may determine that a particular country does not provide an adequate level of data protection, in which case the data controller has to provide the appropriate safeguards laid down in the New Data Protection Law when transferring data to that country. So far, no such decisions or publications have been made by the Serbian DPA or the Serbian Parliament.
- Data breaches: Unlike the Old Data Protection Law, which does not require data breaches to be notified to data subjects or to the DPA, Art 52 of the New Data Protection Law, like the GDPR, requires data controllers to notify data breaches to the Serbian DPA and to data subjects within 72 hours of becoming aware of a breach. As under the GDPR, data processors are additionally required to inform the respective data controller of any data breach the data processor becomes aware of.
- Joint liability: According to Art 86 of the New Data Protection Law, the data controller and the data processor are jointly liable vis-à-vis the data subject if data processing activities have been carried out jointly. In contrast, the Old Data Protection Law is generally silent on the concept of "joint liability".
- Database registration: Under the Old Data Protection Law, data controllers are obliged to register personal databases with the Serbian DPA. The New Data Protection Law eliminates this requirement completely.
2. Same rules – different consequences
Since the New Data Protection Law is, in many respects, identical to the GDPR, it may appear not to matter whether a processing activity falls within the provisions of the GDPR or of Serbia's New Data Protection Law. That is not correct. One major difference from the GDPR remains. The maximum administrative fine for breaches of the New Data Protection Law is only RSD 2,000,000.00 (approximately EUR 17,000.00), which is significantly lower than the maximum fine under the GDPR: EUR 20,000,000.00 or 4% of an organization's annual global turnover, whichever is higher.
3. The importance of case-by-case analysis
Even though the GDPR is not yet directly applicable in Serbia, it may apply in specific circumstances in addition to the New Data Protection Law.
If the respective data processing activity falls within the scope of application of the GDPR, Art 27 of the GDPR requires companies not established in the EU to designate in writing a representative in the EU, who acts as a point of contact for data subjects and maintains a record of communications with the competent EU data protection authorities.
The following two examples demonstrate how tricky it can be to determine whether the GDPR applies, based on the "targeting criterion" towards data subjects laid down in Guidelines 3/2018 adopted by the European Data Protection Board on 16 November 2018:
- Example 1: A company sells goods via a Serbian website and offers delivery to Germany. The website is available in German and Serbian, and the company accepts euros and Serbian dinars. Although all personal data is processed in Serbia, the GDPR is likely to apply as well to the data processing activities connected with the purchase of goods via the website, because the activity is targeted at data subjects in the EU.
- Example 2: The same company has placed a job vacancy on its website stating that knowledge of German is required, without specifically addressing German citizens. In this context, the GDPR would likely not apply (only Serbian national law would), as the requirement of German applies to every applicant, whether a Serbian resident or a person in the EU. A requirement for knowledge of German alone is not enough to indicate that data subjects in the EU are specifically targeted.
As the two examples demonstrate, the same company may fall within the scope of the GDPR (in addition to the New Data Protection Law) for one processing activity but not for another. Moreover, the GDPR does not only apply to companies established in Serbia. In some cases it may also apply to companies established in another country but doing business in Serbia, as soon as a link between the processing of personal data and the EU can be established.
Hence, it is of utmost importance to identify on a case-by-case basis whether the GDPR (in addition to Serbian national law) applies and, in case of doubt, to ensure that the provisions of both data protection regimes are met.