The Serbian Parliament enacted the new Law on Personal Data Protection in November 2018 (published in the "Official Gazette of the Republic of Serbia" no. 87/2018), which will be applicable as of 21 August 2019 (hereinafter: the "New DP Law"). Moreover, the Serbian data protection authority (hereinafter: the "DPA") has just adopted several by-laws that further elaborate on certain rights and obligations of data controllers under the New DP Law (e.g. when there is an obligation to perform a personal data protection impact assessment).
As of 21 August 2019, the New DP Law shall replace and derogate the currently applicable Law on Personal Data Protection from 2008 (hereinafter: the "Old DP Law") that caused a number of ambiguities and uncertainties in practice for market participants intending to comply with this Old DP Law to the maximum extent possible.
The long-awaited New DP Law has been enacted as part of the process of accession of the Republic of Serbia to the European Union and harmonization of the Serbian regulations with the acquis communautaire as well as for the purpose of more efficient protection of personal data in the Republic of Serbia.
Although the New DP Law reflects numerous principles envisaged under the EU General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: the "GDPR"), and a number of its provisions are a translation of GDPR provisions, it must be noted that this is a completely new piece of legislation that is different from the GDPR in certain aspects (e.g. the New DP Law does not include recitals from the GDPR, it does not provide for enormous fines that are prescribed under the GDPR, etc.).
The New DP Law introduced significant novelties and legislative changes in the sphere of personal data protection that commercial entities in the Serbian market will need to comply with. It is expected that implementation of the New DP Law will resolve some of the issues that the market participants were facing due to the outdated Old DP Law. Some of the novelties brought in by the New DP Law are:
- Cancellation of the Central Registry kept by the DPA and a cancellation of the obligation of data controllers to register with this Central Registry all personal data bases that they keep and maintain;
- An obligation on data controllers and data processors to keep (internal) records on personal data processing activities if they employ 250 or more persons and/or if other prescribed conditions under the law are met (e.g. processing may cause significant risk to rights and freedoms of respective data subjects; if processing includes special categories of personal data (e.g. health data));
- Change of legal grounds for personal data processing; namely, besides the law and an informed written data subject's consent, the New DP Law sets several legal grounds on which personal data of a data subject can be processed;
- Data subject's rights to data portability and the so-called "right to be forgotten";
- A possibility for a commercial entity to appoint a data protection officer;
- Change of rules regarding the transfer of personal data abroad, namely, broadening the legal grounds that allow a transfer of personal data from Serbia and recognising the possibility to enter into model contractual clauses to be prepared by the DPA and allowing a Serbian company that is part of an international group of companies to be subject to the Binding Corporate Rules adopted at the group level, if the DPA approves such Binding Corporate Rules.
The penalties for non-compliance with these and other provisions of the New DP Law are in the range of RSD 55,000 to RSD 2,150,000 (i.e. approx. up to EUR 18,000) for the controller/processor and the responsible person. The New DP Law foresees a maximum fine that is two times the maximum fine prescribed under the Old DP Law. This is however still significantly lower than the enormous fines under the GDPR.
Despite the novelties and changes introduced by the New DP Law, which are expected to improve the level of protection of personal data in the Republic of Serbia and add more clarity on the rules that the market participants must abide by, it has to be noted that issues in the interpretation of the New DP Law are likely, especially due to the fact that a number of by-laws are yet to be adopted (especially in the sphere of transfer of personal data to other countries, e.g. a list of countries which the Serbian Government deems to have an adequate level of protection; model clauses to be prepared by the DPA, etc.). Furthermore, other national provisions relating to the protection of personal data should be aligned with the New DP Law by 2020. There are also some aspects that the New DP Law does not regulate, e.g. video surveillance.