New Law on Personal Data Protection
The National Assembly of the Republic of Serbia has enacted a new Law on Personal Data Protection (the “Law”). The Law came into force on 21 November 2018, but will take effect on 21 August 2019.
Some of the most important changes are summarized below:
Broader application of the Law
The new Law will apply not only to the processing of data by Serbian controllers and processors, but also to those based outside of Serbia whose processing of data is related to offers of goods or services (even gratuitous) to persons located in the territory of Serbia, or to monitoring the activities of Serbian data subjects where such activities are performed in Serbia. For example, a company outside of Serbia selling goods to consumers in Serbia or offering online solutions to consumers in Serbia will be subject to the Law, which has not been the case thus far. As a result, these controllers and processors will need to appoint representatives in Serbia, who will be contacted by the Data Protection Authority (“DPA”) and by data subjects on all issues related to processing.
New definitions of existing expressions and introduction of new expressions
Two specific forms of data processing have been introduced: (i) profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; and (ii) pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
A definition of “binding corporate rules” has been introduced. Binding corporate rules are personal data protection policies which are adopted and adhered to by a controller or processor established on the territory of the Republic of Serbia for transfers of personal data to a controller or processor in one or more countries within a multinational company or group of companies.
Data processing consent: new forms and requirements
As opposed to the current law, which recognizes only hand-signed consent, the Law expressly introduces other forms, such as consent given online or orally, or consent given by another clear affirmative action. However, the controller has to be able to demonstrate that the data subject has indeed consented.
On the other hand, the conditions for obtaining consent have become much stricter. Besides the usual rules that consent must be freely given, specific, informed and unambiguous, there is also a requirement that, when presented in a written document, the consent must be clearly distinguishable from all other matters and expressed in clear and plain language, or it will not be valid. In addition, consent will not be deemed freely given if the performance of a contract or the provision of a service is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Rights of the Data Subjects
The Law significantly expands the existing rights of natural persons to receive information about the processing and, more importantly, to access their personal data. Data controllers must provide transparent information to data subjects in a more comprehensive manner, and must inform data subjects of, inter alia, their ability to withdraw consent and the period for which the data will be stored. The information needs to be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language. Given that the elements that need to be included in the information are quite extensive, companies should carefully update their existing notices.
In addition, the Law introduces a new right to data portability, and provides additional details concerning the erasure of personal data. The right to data portability gives an individual the right to demand that the controller provide him with his personal data, or transfer them directly to another controller, if the relevant processing was automated and based on consent or the performance of a contract. The right to erasure binds the controller to erase the data without delay upon the natural person’s request if the personal data are no longer necessary for the purpose of processing, if there is no legal basis for processing (including cases where consent has been withdrawn), or if the data are otherwise processed contrary to the Law; it even requires the controller to take reasonable measures to notify other controllers processing the same data of the received erasure request.
Removal of the Central Register of Databases
One of the important novelties under the Law is the closing of the Central Register of Databases, with immediate effect. It should be noted that the obligation to keep and register database records under the current law will remain until the new Law becomes effective. Under the Law, controllers and processors will only be required to maintain database records internally and, in certain cases, even that obligation will not apply to companies with fewer than 250 employees.
Data Protection Officer
Controllers and processors will be required to designate a data protection officer (“DPO”) if (i) the processing is carried out by a public authority, (ii) the core activities of the controller/processor require the regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities of the controller/processor relate to the processing of special categories of personal data or data on criminal convictions/offences. The DPO’s primary tasks will be to ensure compliance with data processing legislation and to communicate with the DPA and the data subjects on all data protection matters.
The DPO may be employed or engaged under a service contract, and must have sufficient expertise. A group of companies may appoint a single data protection officer, provided that he is equally accessible from each company.
Controllers and processors are required to ensure the DPO’s independence in the performance of his tasks, meaning that no instructions may be given to him, that he reports directly to the management of the controller/processor, and that he may not be dismissed or penalized for performing his tasks.
The DPA keeps a register of DPOs.
Another novelty under the Law is the certification procedure. Namely, in order to demonstrate compliance with the relevant provisions of the Law, and especially taking into account the needs of small and mid-size companies, data protection certification procedures may be established. This means that companies that are not subject to the Law (due to their size) could obtain a certificate in order to demonstrate the existence of appropriate safeguards in the context of personal data transfers to third countries or international organizations. Nevertheless, holding a certificate does not affect the legal obligations of data controllers and processors under the Law.
The DPA keeps a register of certification bodies and issued certificates and publishes it on its web page.
Data security and privacy by design & by default
As under the GDPR, the new Law introduces various accountability obligations for data controllers, including to (i) implement, maintain and update appropriate technical and organizational measures to ensure a proper level of security, (ii) have in place certain documentation, such as data protection policies and records of processing activities, (iii) implement data protection by design and by default, and (iv) conduct a data protection impact assessment for processing operations which are considered to pose a higher risk to the rights and freedoms of individuals.
Data protection by design requires controllers to adopt, and to maintain and update when needed, appropriate measures – such as pseudonymisation, data minimization, etc. – so as to give effect to the data processing principles. Data protection by default, on the other hand, requires controllers to adopt measures so that, by default, only the processing which is necessary for the specific purpose will be possible.
New data transfer concept
Under the Law, the data transfer regime has been liberalized, which is a change from the current restrictive concept requiring controllers to obtain prior approval from the DPA for transfers to non-EU countries. Another novelty is that the Law expressly applies to both direct and indirect data transfers, unlike the current law, which was vague in that respect.
Under the Law, data controllers will be entitled to transfer personal data abroad if one of the following conditions (amongst others) is met:
- personal data is to be transferred to a country that ratified the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data;
- data transfers are performed to a country included on the EU list or the Serbian Government’s list of countries providing an adequate level of data protection;
- data transfers are performed to a country which has a bilateral agreement with Serbia regulating data transfers;
- the transfer is based on the standard contractual clauses prepared by the Serbian DPA;
- the transfer is based on binding corporate rules or a code of conduct approved by the Serbian DPA, or on certificates issued in accordance with the new law;
- the Serbian DPA has issued a specific approval for the transfer to be performed on the basis of an agreement between the data exporter and the data importer; and,
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks.
This should give more options for the transfer of data to non-EU countries, especially once the DPA prepares the standard contractual clauses, which should be based on those approved by the EU Commission. In addition, it is reasonably expected that the process of obtaining the DPA’s approval for such transfers will be more efficient and should be completed within 60 days; currently the procedure often takes more than a year.
Sanctions and Enforcement
The Law extends and specifies the competencies and powers of the DPA as an independent government body and harmonizes them with the relevant principles of the European Union. In accordance with the Law, the DPA primarily performs inspection tasks but, in addition, enjoys many other competences. The DPA is now also able to directly fine controllers and processors in certain situations, with fines in the amount of approx. EUR 850. Under the current law, only the Misdemeanour Court has jurisdiction to impose fines. The DPA takes appropriate corrective measures, ensures the implementation of the Law, prepares standard contractual clauses regarding the processing of data, approves the provisions of agreements or contracts between authorities regarding the transfer of data, keeps internal records of violations of the Law, reviews issued certificates, and performs international cooperation activities.
The Law, being generally a copy of the GDPR in almost all aspects, with certain local specificities, differs from it when it comes to sanctions: the maximum fines which may be imposed on companies are up to approx. EUR 17,000, rather than the GDPR’s EUR 20 million or 4% of the company’s global annual turnover.
What are the future steps?
The Law has copied many provisions of the GDPR without adequate local support for their implementation; it is to be expected that critics of the Law (including the objections raised by the Serbian DPA) will claim that the much needed harmonization of Serbian legislation with EU law has not been achieved. It now remains to be seen how data controllers and data processors will ensure the compliance of their data processing operations with the Law, and how the DPA will resolve the number of ambiguities raised during the public debate, prepare the standard contractual clauses, and raise public awareness of the new solutions.