The General Data Protection Regulation ("GDPR"), which is expected to create a high-level and uniform framework for data protection in the European Union, becomes applicable on 25 May 2018.

Under the conditions set by the GDPR, its application will extend to non-EU West Balkan countries as well.

In view of the high fines, which amount to 4 % of global annual turnover for the preceding financial year or EUR 20 million, companies in Serbia, Montenegro, Bosnia and Herzegovina, and Macedonia are struggling to determine whether the GDPR applies to them, and if so, what their obligations are and how they will be enforced.

Does the GDPR apply to you?

The application of the GDPR will extend to companies outside the EU (controllers / processors), and hence includes companies in the West Balkan region if:

  • they offer goods or services to individuals in the EU (irrespective of whether payment is required); or
  • if they monitor the behaviour of individuals within the EU.

Example: A company in the West Balkans that develops a mobile application for the EU market / EU citizens or has an e-shop for the EU market will most likely have to apply the GDPR.

What should West Balkan companies know about the GDPR?

West Balkan companies falling under the application of the GDPR should pay attention to the following:

  • Online identifiers are personal data;
  • Rights of data users:
    • Right to data portability: the data subject will have the right to receive his/her data from the controller in a commonly used machine-readable format, and to transmit it to another controller;
    • Right to erasure ("right to be forgotten"): if the data controller has made the personal data public (eg on the internet), it will take all reasonable measures to inform controllers that the data subject has requested the erasure of any links to, or copy or replication of published data.
  • Data protection measures by design and by default: data subjects should make sure to minimise the processed data by pseudonymisation; measures must be implemented to ensure that only data necessary for the purpose is processed by default (no access to an indefinite number of persons).
  • A privacy impact assessment (PIA) should be carried out before the data processing if it is likely to result in a high risk to rights and freedoms due to the technologies used or the nature, scope, context and purpose of the processing. Typical cases in which a PIA is necessary are enumerated in the GDPR, eg in case of profiling/automatic processing of personal data, systematic and wide-ranging public monitoring (CCTV or public places) or when processing sensitive data.  
  • Notification of personal data breach to supervisory authority: controllers are obliged to report personal data breaches to the competent authority within 72 hours after the incident.  
  • Data Protection Officer (DPO): is designated by controllers and processors if their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (when profiling is the core activity), or when the core activities of the controller or the processor consist of large-scale processing of special categories of data.  
  • EU Representative: when the application of the GDPR extends outside the EU, the controller or the processor shall designate the representative in the EU, but only when systematically processing personal data on a larger scale and when there is greater risk to individual rights and freedoms.

What next?

Although there is no official information available at the moment, new and harmonised local data protection laws can be expected in the West Balkan countries between 2018 and 2019.

Be prepared

Notwithstanding the compliance race that has started globally, all West Balkan countries are currently having the same issues, given that local data protection laws are not fully harmonised with the upcoming GDPR.

International companies operating in the West Balkans are thus faced with the question of how to harmonise their businesses with two non-harmonised legal frameworks (the local framework and the GDPR), while at the same time being pressured by their EU headquarters to comply by 25 May 2018. Non-compliance by any of the West Balkan affiliates of the EU companies could present a serious threat to the business operations of the whole group (exposure to fines of up to 4 % of global annual turnover). To avoid this, West Balkan companies should first analyse the GDPR to identify if it applies to them, and if it does, start analysing their internal data processing activities in order to harmonise them as far as possible with the provisions of the GDPR.