Serbia: The First Two Years of the GDPR - Aligned Data Protection Law’s Application


The Serbian Data Protection Law that was adopted in November 2018 to align Serbia’s data protection laws with the GDPR has now been in force for almost two years (its application commenced nine months after its date of adoption, in August 2019).

Although the past year and a half has been unusually challenging due to the COVID-19 pandemic, which has certainly affected the development and enforcement of, among other things, rights related to privacy and personal data protection, certain conclusions regarding the current state of affairs can be drawn.

First, a number of international companies that are not locally registered have appointed their local data protection representatives (“Local Representatives”) for the territory of Serbia. This is based on the extraterritorial applicability of Serbia’s Data Protection Law, which is substantially the same as the respective rule in the GDPR.

It is explicitly envisaged by the Data Protection Law that its extraterritorial effect exists towards foreign data controllers/processors when, subject to certain exceptions, their processing activities are related to: (1) offering goods or services to a data subject in the territory of Serbia, regardless of whether a payment from the data subject is required; or (2) monitoring that part of the data subject’s behavior that takes place in Serbia. In both cases, foreign entities are obliged to appoint Local Representatives.

For now, based on the information published on the website of the Serbian data protection authority – the Commissioner for Information of Public Importance and Protection of Personal Data – the affected companies include Yahoo, Viber, Netflix, Spotify, Upwork Inc., Alibaba, and Booking, among others.

Penalties prescribed for non-compliance with the aforementioned obligation are primarily symbolic, amounting only to RSD 100,000 (approximately USD 1,040). The penal policy envisaged by the Data Protection Law, in general, is also very mild, with non-compliance with statutory rules potentially leading to liability for misdemeanors and fines in the amount of up to RSD 2 million (approximately USD 20,600) for a legal entity and up to RSD 150,000 (approximately USD 1,550) for a legal entity’s representative. Additionally, the Serbian Criminal Code prescribes criminal liability for data processing carried out in contravention of the Data Protection Law, but, in practice, this risk is generally of theoretical importance only.

In our opinion, this penal policy is, along with the still-generally-low level of enforcement, one of the main reasons why the level of compliance with the Data Protection Law in Serbia is still generally low. The fact that this law is primarily a copy of the GDPR, along with the possibility of extraterritorial applicability of the GDPR to local entities as well, has raised the level of the law’s implementation compared to the previous data protection law (originating from 2008). However, this is still not enough, and further intensive development should definitely follow.

The Commissioner has a crucial role in the process of this further development – it should continue (or better yet intensify) its work on raising public awareness of personal data protection, monitoring the implementation of the law actively, insisting relentlessly on the enforcement of the statutory rules towards all entities/persons who act contrary to the law, and taking clear and firm positions when it comes to relevant data protection issues which may occur in practice.

It should also be emphasized (as the Commissioner does these days as well) that, regardless of the explicit statutory rule that all Serbian laws containing provisions related to personal data processing should become compliant with the Data Protection Law by the end of 2020, such compliance has not been achieved yet.

Overall compliance should be eagerly pursued in the near future, as only a fully compliant regulatory framework can lead to a fully compliant environment, in which privacy and data processing rights can be duly and effectively protected.

By Goran Radosevic, Partner, and Sanja Spasenovic, Special Advisor, Independent Attorneys at Law in Cooperation with Karanovic & Partners

This article was originally published in Issue 8.6 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.