
The Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, 87/2018), effective as of August 21, 2019, signifies a substantial alignment with the EU’s General Data Protection Regulation (GDPR) within the Republic of Serbia. This legislation defines the rights of individuals regarding the processing of personal data, regulates the methodologies for data collection and transfer, establishes fundamental principles governing data processing, articulates the rights of individuals whose personal data is being processed, stipulates the obligations of data controllers and processors, and encompasses various supplementary requirements incumbent upon organizations or business entities.

Furthermore, it sets out mechanisms for overseeing compliance with the law on personal data protection, outlines legal remedies, explains liability, and prescribes penalties in cases of breaches affecting individuals’ rights concerning the processing of personal data. These provisions entail significant obligations for both the private sector, including companies, corporations, and entrepreneurs, and the public sector, encompassing governmental bodies, municipalities, public enterprises, institutions, and other governmental entities.

In practice, any activity involving personal data imposes obligations on businesses or governmental entities acting as data controllers or processors, while granting rights to the individuals whose data is being processed or collected. These obligations include:

  • The obligation to inform individuals regarding the purposes of data collection and processing.
  • Maintenance of records pertaining to data and actions undertaken during the collection and processing thereof.
  • Statutory duties vis-à-vis the Commissioner for Information of Public Importance and Personal Data Protection and other competent authorities, encompassing obligatory requests for opinions, provision of data, and analogous measures.

The law provides for 38 distinct offenses for failure to adhere to its provisions, applicable to both legal entities and entrepreneurs, alongside designated penalties for responsible individuals within legal entities, governmental bodies, or local self-government units, which may extend to fines of up to 2M RSD.

Moreover, judicial remedies are available to individuals in the event of personal data misuse.

To ensure lawful and straightforward compliance, to earn the standing of a responsible enterprise, and to avoid substantial fines and legal disputes, we offer a comprehensive suite of requisite activities, protocols, and templates for the implementation of personal data protection law/GDPR:

  1. Conducting a gap analysis to assess organizational alignment with PDPL/GDPR regulations.
  2. Provision of a comprehensive set of PDPL/GDPR documentation encompassing notices, contracts, procedures, regulations, decisions, instructions, forms, etc.
  3. Formulation and implementation of organizational-technical measures and security policies pertaining to corporate security and PDPL.
  4. Execution of a Data Protection Impact Assessment (DPIA).
  5. Appointment and training of data protection officers, with the option for outsourced DPO services from our firm.
  6. Proffering expert consultancy and commentary concerning law application, new mandates, costs, and obligations for economic entities.
  7. Dispensation of best practices and professional solutions, incorporating a wealth of verified remedies, opinions, and guidance from the Commissioner in compliance with PDPL, GDPR, and ancillary legislation impacting personal data.

Book a consultation to gain insight into the regulatory framework governing personal data protection/GDPR. Harmonize your business operations to mitigate the risk of potential liabilities and adverse ramifications for your brand and corporate reputation.