The General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016, but shall be directly applied in the EU member states starting from 25 May 2018. The GDPR replaces Data Protection Directive no. 95/46/EC and it represents a long-awaited result of years of negotiation, adjustments and attempts to produce legislation which would be applicable in all EU members states, taking into consideration differences in local personal data and privacy legislation, and incorporating changes which would reflect the fact that we now all live in a digital age.
With financial markets now trading over the internet and so many other transactions taking place online, the danger of cyber terrorism, which vastly relies on personal data misuse, is now higher than ever.
GDPR introduces major changes into this legal area, in an attempt to strengthen EU citizens’ personal data protection and privacy and impose harsher punishment against entities which do not adhere to stipulated obligations.
One of the biggest changes is the introduction of extra-territorial applicability of GDPR. Namely, GDPR applies to all personal data processing entities regardless of the location of these entities, as long as they are processing personal data of persons residing in the EU. Also, the fines for violation of GDPR’s stipulations are imposed on a much larger scale – the harshest one amounts up to 4% of annual turnover or up to 20 million EUR, whichever of the two is higher. The fines apply both to data controllers and data processors, which is bad news to cloud provider companies – they no longer have the possibility to avoid responsibility as they find convenient.
One of the rights stipulated in the GDPR and relating to data subjects is the right to be forgotten. The right to be forgotten is the right of the data subject to require that the data controller erases his/her personal data and discontinue further spreading of the data. For the information to be deleted, it is necessary that it is no longer relevant for the main purpose of processing, or that the data subject withdraws the given consent.
Given the changes GDPR introduced, it is of utmost importance that Serbia adopts a new Data Protection Act, reflecting the GDPR changes and novelties. Needless to say, Serbia will, sooner or later, have to harmonize personal data protection legislation with GDPR as part of its EU accession path.
However, there seem to be a number of issues related to adopting a new Personal Data Protection Act. Namely, the Government’s working group was initially formed back in 2012 with a task to draft a new Personal Data Protection Bill. Even though the Action Plan for Chapter 23 stipulated that the new Personal Data Protection Act is to be adopted until the end of 2015, this never happened.
In the context of new developments – the adoption of GDPR – Serbian Commissioner for Personal Data Protection prepared a new model draft of the Personal Data Protection Bill reflecting novelties introduced by the GDPR, and submitted it to the Government in July 2017. It remains to be seen when the new Personal Data Protection Act in Serbia will be adopted and whether it will be in accordance with the GDPR.