The Data Protection Officer (DPO), as defined by the General Data Protection Regulation (GDPR) of the European Union and Article 56 of the Law on Personal Data Protection (Official Gazette of the Republic of Serbia No. 87/2018), is an authorized individual responsible for ensuring compliance with data protection regulations.
Controllers and processors of personal data are obligated to appoint a Data Protection Officer (DPO) in the following situations:
- When processing is carried out by public authorities, except for processing by courts in the exercise of their judicial powers.
- When the core activities of the controller or processor involve processing operations that, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale.
- When the core activities of the controller or processor involve processing of special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation), or data relating to criminal convictions and offences, with the additional condition that processing referred to in this point is carried out on a large scale.
Controllers and processors who are required to appoint a Data Protection Officer and fail to do so commit an offense punishable by law, including a fine ranging from 5,000 to 2,000,000 RSD, depending on whether the controller or processor is a legal entity, an entrepreneur, or a natural person. The responsible individual within the legal entity is also subject to penalty.
The DPO must be an independent individual responsible for ensuring that the organization complies with the Law on Personal Data Protection (LPDP) and GDPR when processing personal data of clients, partners, visitors, employees, and others.
Furthermore, when a group of business entities appoints a common DPO (provided that this individual is equally accessible to each member of the group), it is still ONE natural person, as is the case when controllers or processors, as public authorities or competent authorities, determine that it is appropriate to appoint ONE common DPO, taking into account the organizational structure and size of these public authorities.
All those who appoint a Data Protection Officer, including those not obligated by the LPDP, ARE REQUIRED: 1) to PUBLISH the contact details of the Data Protection Officer and 2) to SUBMIT the appointment decision to the Commissioner. Failure to do so constitutes an offense punishable by a fine of 20, 50, or 100,000 RSD, depending on the same criteria as those that apply to the offense of failing to appoint a Data Protection Officer.