Serbia does not currently have any separate regulations in place in respect of protection of "personal data" pertaining to legal entities. It does regulate the protection of natural persons' data, however, without any particular mention of entrepreneurs. Although it is clear that the Data Protection Act does not apply to company data, the issue is more complex when it comes to entrepreneurs, as they are in essence natural persons performing business activities.
Unlike in some European jurisdictions, privacy of legal entities in the Republic of Serbia is not regulated by any separate legislation, except for the aspect of data secrecy in some specific sectors of business such as banking, and protection of information which could be qualified as a business secret. In principle a business secret is commercial information which if disposed of by third parties could bring them an economic benefit. Clearly this does not refer to some usual corporate identification data such as address of seat, corporate ID number etc. On the other hand the data protection of natural persons is regulated under the provisions of the Data Protection Act ("the DP Act") and its by-laws.
The Serbian DP Act regulates the protection of personal data defining personal data as "data relating to a natural person". From the general provisions, definitions and principles of the DP Act, it is clear that this act does not apply to the protection of pure company data, and thus such data falls outside the scope of application of the DP Act.
Are Entrepreneurs Natural Persons
Pursuant to the Companies Act, an entrepreneur is a natural person performing a business activity and possessing business capacity. Thus, there is a difference between a "natural person" and "a natural person performing business activities – an entrepreneur".
Is Personal Data related to Entrepreneurs protected under the DP Act?
Entrepreneurs can start their business activities only once they are registered with the Companies Registry, after which they will be assigned corporate identification and other data such as a corporate ID number, and a tax identification number (TIN) ("Company Data"). Apart from the abovementioned, data such as bank account numbers, swift codes etc, which typically relate only to business activities of entrepreneurs, also fall outside of the scope of the DP Act.
The Serbian DP Act does not explicitly regulate whether the data related to entrepreneurs enjoys protection under the rules of the DP Act. In addition, the Serbian Data Protection Authority ("DPA") has not issued any official opinion which would provide any clear guidelines in this respect. Therefore, the question of whether personal data relating to entrepreneurs falls under the provisions of the DP Act is rather more complex than it seems.
Pursuant to available legal opinions on the topic, the general interpretation existing in practice confirms that the data of entrepreneurs falls outside the scope of the DP Act, if such data is only correlated to an entrepreneur's business activity, and not to an entrepreneur's private life. Still there are certain marginal cases which need to be assessed on a case-by-case basis.
For instance, if an entrepreneur's private telephone number is also being processed by a data controller within for example business data records, such business data records could be considered to be personal data records at the same time, and therefore should be registered with the DPA in accordance with data protection rules.
Exception from Application of DP Act
Most company data in Serbia is publicly available information (such as business name, registered address, corporate ID no., TIN, bank account number) since such data is published at and in the online Serbian Business Registers Agency, and the registry of the National Bank of Serbia.
Pursuant to the DP Act, data which is available to every person and published in archives, official gazettes, and other publications or organisations, falls outside the scope of the DP Act. Thus, even if one would interpret the DP Act differently, and were to conclude that data of entrepreneurs is in fact personal data, still, based on the aforementioned provisions, such data should be excluded from application of the DP Act unless the interests of a natural person predominantly prevail.
Although there is a lack of official opinion and written guidelines regarding the DPA on this subject, the DPA recently reached the unique unofficial standpoint, which fully confirms our view on the issue at hand. Since data protection practice is still relatively undeveloped in Serbia, this area should be closely monitored as the DPA's practice will quite probably change in time.