The Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) issued the Standard Contractual Clauses (“SCCs”) applicable to the relationship between the Serbian data controllers and non-European data processors which will enter into force on 30 January 2020. The Commissioner’s decision comes five months after the new Law on Data Protection became applicable in Serbia.
Companies from Serbia will now be free to transfer personal data to countries outside of Europe based solely on the SCCs with their processors as a part of a wider and general agreement between the parties, and without prior approval of the Serbian Data Protection Authority. In practice the companies that transfer data to the entities in China, India, USA, Singapore, Philippines, etc. will have the most benefit.
Similar to the rules set by GDPR, the SCCs represent an agreement between a data controller and a data processor that contains a standard set of contractual terms and conditions regarding the provision of sufficient protection of personal data that is transferred to the territories that are not considered to offer adequate protection of rights and freedoms of data subjects. The SCCs are intended to provide appropriate safeguards for international data transfers under Articles 45 and 65 of the Law on Data Protection, provided that the SCCs are adopted completely and without any amendments by the parties.
The clauses should be used as a valid legal base for international data transfers when data is transferred to territories that are not signatories of the Council of Europe’s Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data or the countries which are not on the Serbian/EU list of countries providing adequate level of data protection.
However, the Commissioner is not able to issue similar SCCs applicable within the realm of the controller to controller relationships, since the Law on Data Protection, by omission, does not provide such a possibility.
The adoption of the current SCCs still represents a milestone for the Serbian data transfer rules, and it should significantly regulate and liberalize the existing data transfers to processors outside of Europe.