KARANOVIĆ & PARTNERS
What law(s) specifically govern personal data / information?
Personal data protection is regulated by Law on Personal Data Protection (the “Law”). The Law started to apply as of 21 August 2019.
What are the key data protection principles in this jurisdiction?:
The Law sets out seven key principles applicable to data protection:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- integrity and confidentiality; and
- accountability.
However, even though the seven principles laid down by the Law seem to mirror the ones from the EU General Data Protection Regulation, the Law failed to include the recitals, which may create issues in interpretation of both these principles and other provisions of the Law.
What is the supervisory authority / regulator in charge of data protection?
The supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”).
Is there a requirement to register with a supervisory authority / regulator?
No registration is necessary.
Is there a requirement to notify the supervisory authority / regulator?
No notification to the Commissioner or any other authority is necessary. This applies both in situations when processing activities are to commence and when data is transferred to another jurisdiction. However, please note that transfer to another jurisdiction may be subject to Commissioner’s approval (see answer to question 8 below).
Controllers and processors are required to internally maintain the records of processing activities.
Is it possible to register with / notify the supervisory authority / regulator online?
N/A
What are the key data subject rights under the data protection laws of this jurisdiction?
Data subjects enjoy the following eight key rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object to processing; and
- the rights to not be subject to automated decision-making and profiling.
Is there a requirement to appoint a data protection officer (or equivalent)?
An appointment of a data protection officer is required only in specific circumstances, when:
- the processing is carried out by a public authority;
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data (e.g. health data) or personal data relating to criminal convictions and offences.
The contact details of the data protection officer need to be published and submitted to the Commissioner, who keeps evidence of such appointments.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes, the controller is required to carry out a data protection impact assessment (“DPIA”) prior to the processing whenever the intended processing (in particular by using new technologies) is likely to result in a high risk to the rights and freedoms of natural persons.
The DPIA is in particular required in the case of:
- a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing and decision-making, including profiling, which may significantly affect the individual;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
If the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller would be required to request the opinion of the Commissioner prior to processing.
Additional cases requiring a DPIA to be performed are listed in the Commissioner’s bylaw, but in practice it is advisable to carry out a DPIA before any major project which involves broad data protection flow.
Does this jurisdiction have any specific data breach notification requirements?
In the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the breach to the Commissioner, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Commissioner is not made within 72 hours, it needs to be accompanied by reasons for the delay.
The notification must at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Commissioner has published the data breach notification form . Together with the notification, the controller must also deliver its records of processing activities related to the data affected by the breach.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subjects without undue delay. The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the same information as provided in the notification to the supervisory authority (described in the indents above). Exceptionally, the controller does not need to notify the data subjects if:
- it has implemented and applied appropriate data protection measures, particularly those that render the data unintelligible to unauthorised persons (such as encryption);
- it has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
- it would involve disproportionate effort (in which case, there should instead be a public communication or similar measure).
In any case, the Commissioner may order the controller to notify the data subject regardless of the measures taken.
What restrictions apply to the international transfer of personal data / information?
The Law imposes restrictions on the transfer of personal data abroad, in order to ensure that the level of protection of individuals guaranteed by the Law is not undermined. In order to convey a lawful transfer, controller or processor may rely on following mechanisms:
- Transfer based on adequate level of protection – A transfer of personal data to another country may be performed without prior approval if it is determined that the other country provides an adequate level of protection of personal data. In short, this includes all European countries, as well as the ones which are included on the EU’s or the Serbian Government’s list of countries providing an adequate level of data protection.
- The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea, Switzerland; and Uruguay. The United Kingdom has been recognised by EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.
- Transfer with appropriate safeguards – In order to undertake a lawful transfer in territories which do not fulfil adequate level of protection, the controller and/or processor will have to ensure that any of the following safeguards are implemented: (i) the standard contractual clauses prepared by the Commissioner (“SCCs”); (ii) the binding corporate rules or a code of conduct approved by the Commissioner, or the certificate mechanism issued in accordance with the Law; (iii) legally binding instrument between public authorities; or (iv) a specific approval from the Commissioner for the transfer to be performed.
Transfer in specific situations – Finally, if conditions for lawful transfer cannot be met with respect to point 1. and 2., other alternatives may be considered (such as the data subject’s explicit consent, necessity for the establishment, exercise or defence of legal claims, or even the company’s compelling legitimate interests).
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the Law has a specific extra-territorial effect spanning outside of the jurisdiction. The Law applies to the processing of personal data of data subjects with residence in the territory of Serbia by a controller or processor who does not have its business seat/residence in the territory of Serbia, when the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in Serbia; or
- the monitoring of the data subject's behaviour if it takes place within Serbia.
For example, websites of a foreign company in the Serbian language whose prices for goods are denoted in dinars will likely be considered as sufficient to establish extra-territorial effect.
What rules specifically deal with marketing?
Advertising Law contains general rules relating to marketing, and certain specific aspects are also regulated in the Consumer Protection Law and Law on Electronic Communications.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes – generally business-to-consumer marketing has stricter rules, always requiring prior consent for performing direct marketing and introducing protective mechanisms for consumers in case of unfair commercial practices etc., whereas this is not typically the case with business-to-business marketing.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The Law on Electronic Communications regulates problem areas such as traffic data processing for marketing purposes, unwanted messages, direct marketing etc. As a general rule under this law, the use of automated calling systems, fax machines, e-mail or other types of electronic messages for the purpose of direct advertising may only be allowed with the prior consent of the user/subscriber, and this covers both business-to-consumer and business-to-business marketing.
The Consumer Protection Law also contains some electronic marketing relevant provisions, besides regulating marketing activities in a general manner (i.e., irrespective of the communication channel). Most interestingly, the Consumer Protection Law introduced the so-called Do Not Call Registry, a public registry of consumers who declared themselves as unwilling to receive telemarketing calls or messages on their designated phone numbers, which companies engaging in such marketing activities would need to check before contacting the consumers. The registry is not yet operable, as the rulebook governing its implementation and operation is not yet adopted (but is expected to be in the near future).
What rules specifically deal with cookies?
The Law on Electronic Communications briefly deals with cookies as well. It sets forth that cookies may be stored in the user/subscriber’s equipment only if they are provided with clear and comprehensive information about the purpose of data collection and processing, in line with the Law, and are also given an opportunity to refuse such processing. However, the above does not apply to technical storage or access to data for the purpose of transmission of communication over electronic communications networks or provision of services explicitly requested by the user/subscriber.
In any case, the Law applies to cookies as well, resulting in the requirement to notify the data subjects and obtain their consent prior to placing any cookies, with the exception of the strictly necessary ones - for which no consent is required (but the notice requirement still remains for them as well).
What are the consequences of non compliance with data protections laws (including marketing laws)?
Non-compliance with the data protection and marketing laws may result in fines for companies up to approximately EUR 17,000. Apart from fines, the Commissioner and other supervisory authorities are also authorised to undertake a set of corrective measures in order to eliminate any violations.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
One of the specific obligations to keep in mind applies to foreign data controllers and processors in case they are processing data of Serbian data subjects in connection with offering goods or services to them or monitoring their behaviour.
These companies are required to appoint a local data protection representative in Serbia, unless: (i) their processing is occasional, (ii) does not include, on a large scale, processing of special categories of data or data relating to criminal convictions and offences, and (iii) is unlikely to result in a risk to the rights and freedoms of natural persons.
What upcoming data protection developments should multinational organisations be aware of?
The above described requirement to appoint a local data protection representative is still quite important for the Commissioner, following the misdemeanour complaint submitted in October 2020 by a local NGO (Share Foundation) against 16 global tech companies for breach of this obligation. A number of global companies have appointed their local representatives in Serbia, including Google, Booking, Netflix, Viber, Spotify, Yahoo, Alibaba and Disney. More companies are expected to do so soon as well.
Another important development to watch out for in the times to come for Serbia is the adoption of the SCCs which would follow the EU example and regulate the situations where processors act as data exporters and introduce a modular structure adjustable to all transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. The current Serbian SCCs only cover the controller-to-processor scenario and are already falling back behind the EU example.