BDK Advokati has contributed the Serbia chapter in the 2020 edition of Getting the Deal Through – Data Protection & Privacy (August 2019). The chapter presents the regulatory frameworks both under the data protection law from 2008 and under the law which became applicable in August 2019. The exposition of the two laws allows the reader to understand the changes which the new law brings into the legal regime governing the processing of personal data in Serbia.

The new law is modelled under the EU General Data Protection Regulation. As the Serbia chapter shows, the law dispenses with most of the unnecessary restrictions on the processing of personal data. At the same time, the law strengthens the individuals’ rights and introduces new, but realistic, requirements from the data controllers and data processors. Advantages of the new law compared to the one from 2008 include the following:

  • the new law does not require from the data controllers to notify Serbian supervisory authority of the intent to process personal data, except where the strength of the risks arising from the processing require prior consultation with the supervisory authority;
  • the new law introduces the legitimate interests pursued by the data controller or by a third party as a ground for lawful processing;
  • individuals may now express consent to the processing of their personal data by a statement or a clear affirmative action;
  • data controllers are now obliged to notify security breaches both to individuals and to the supervisory authority;
  • data controllers and data processors must appoint data protection officers in certain specified situations;
  • the new law introduces the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, if the processing is likely to result in a high risk to the rights and freedoms of individuals;
  • the new law abandons the strict requirement that the controller must obtain written authorisation for each transfer of personal data to non-European destinations. The new law provides for several grounds for a lawful transfer without requiring any specific authorisation from the supervisory authority; and
  • the new law adds to the list of individuals’ rights the right to data portability and the right to object to processing of the personal data.

The Serbia chapter also points to some differences which exist between the new law and the GDPR.

Bogdan Ivanišević, partner, and Milica Basta, senior associate, authored the chapter. The chapter may be downloaded hereReproduced with permission from Law Business Research Ltd. This article was first published in Lexology Getting the Deal Through – Data Protection & Privacy 2020 (Published: August 2019). For further information please visit www.gettingthedealthrough.com.