On 6 March 2017, the Commissioner for Information of Public Importance and Personal Data Protection (the "Serbian DPA") published on its website the model of the law on protection of personal data (the "Model"). According to the information presented by the Serbian DPA, the Model has been prepared in line with the current standard of European "documents", most importantly the European General Data Protection Regulation.
Currently, the general legal framework for the protection of personal data in Serbia is provided by the "Law on protection of personal data" (the "Law"), which came into effect on 1 January 2009. Eight years later, with sufficient practice in implementing the current Law and taking into account the dynamic changes in both the relevant data protection legal landscape in the EU and the importance of personal data for the economy, the Serbian DPA took the initiative and prepared the Model.
This is not the first time that the Serbian DPA has initiated changes to the Law. During 2014, the Serbian DPA prepared, and delivered to the Government of the Republic of Serbia, the model of the Law on protection of personal data. Although the Government of the Republic of Serbia accepted the proposed model as the basis for planned changes of the new Law on protection of personal data, the Ministry of Justice prepared an alternative and competing version in the form of the "Draft of the Law on protection of personal data", which was criticised by the Serbian DPA as a step back in the protection of personal data.
Overview of the Model
The Model consists of 93 articles in total, separated into eleven chapters, with separate chapters regulating data processing. Currently, some forms of data processing are regulated insufficiently or not at all (e.g. processing of biometric data, video surveillance, direct marketing, processing of ID numbers and personal identification documents). This article highlights the following basic themes of the Model:
Consent – liberalised approach
Instead of the rather rigid definition of 'consent' in the current Law, which states in Article 10.2 that “A person’s valid consent can be given in writing or verbally for the record”, the Model provides that consent can be given verbally, in writing or by implication, i.e. through implied conduct. The Model also provides the legal standard for what constitutes implied conduct that is deemed valid for the purpose of data processing.
Various categories of data controllers
Instead of the current regime regarding the obligations of data controllers (which does not distinguish between various categories of data controllers but sets up a general approach to all data controllers), the Model takes a more nuanced approach by introducing additional and separate obligations for “major” data controllers, such as controllers processing sensitive data, public authorities and controllers processing data of more than 250 persons. These “major” data controllers are, pursuant to Article 71 of the Model, obligated to keep records of databases, to register with the Serbian DPA, to adopt internal procedures regulating data protection, to appoint a DPO and to notify the Serbian DPA and data subjects in certain cases of data security breaches.
Export of personal data – further liberalisation
The current regime for the export of personal data is two-tiered. Pursuant to Article 46.1 of the current Law on protection of personal data, the transfer of personal data to countries that are signatories to the Council of Europe’s Data Protection Convention (CoE’s Convention) is restriction-free, meaning that no prior approval of the Serbian DPA is required for such transfer. A different legal regime applies to the transfer of personal data to: (i) countries that are not signatories to the CoE’s Convention; and (ii) international organisations. In such transfer cases, prior approval of the Serbian DPA is required.
The Model further liberalises the export of personal data in the sense that no prior approval by the Serbian DPA is needed for the export of personal data to countries in the EU and EEA. Prior approval is also not required for the export of personal data to countries and international organisations which the EU has established to have an adequate level of protection of personal data, or to other countries and international organisations where the person whose personal data is being exported has approved such export. Prior approval of the Serbian DPA for the export of personal data is needed in all other cases.
Although at this moment it is not clear whether the Model is going to be the basis for the future data protection legislation, the Model is a step in the right direction towards a more relevant data protection regulatory landscape that provides more legal certainty, especially when dealing with data processing.
The text of the Model can be accessed here (Serbian).
The Law can be accessed here (Serbian).
Submitted by Aleksa V. Andjelkovic of WALK Attorneys at Law │Advokati – Belgrade, Serbia