The Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) (the “Commissioner”) has adopted the Decision on Determining Standard Contractual Clauses, which was published in the “Official Gazette of the Republic of Serbia” no. 5/2020 on 22 January 2020, and will enter into force on 30 January 2020 (the “Decision”).
The Decision established the Standard Contractual Clauses, which further regulate the legal relationship between the controller and the processor in accordance with Article 45 of the Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, “Official Gazette of RS”, no. 87/2018) (the “LPDP”).
The main purpose of Standard Contractual Clauses is to ensure adequate protection of personal data that is being transferred abroad.
If the contracting parties do not apply in whole or choose to amend any of the provisions of the Standard Contractual Clauses, such clauses will not be deemed to represent standard contractual clauses within the meaning of Articles 45 and 65 of the LPDP. Standard Contractual Clauses have to be concluded in writing, including electronic form.
According to Article 65 paragraph 1 of the LPDP, if personal data is being transferred to another country, to a part of its territory, or to one or more sectors of certain activities in that country or to an international organization for which the Serbian Government did not determine the existence of an adequate level of protection, such transfer is possible only if the controller or processor has provided appropriate safeguards of this data and if the data subject is provided with the option to exercise his or her rights and is afforded effective legal protection.
Appropriate safeguards can be provided, without special approval from the Commissioner, inter alia, through the application of standard contractual clauses issued by the Commissioner.
Therefore, Standard Contractual Clauses should be incorporated into every contract between the controller and the processor if the personal data is being transferred to another country, to a part of its territory, or to one or more sectors of certain activities in that country or to an international organization that according to the Government’s Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organizations Where it is Considered That an Adequate Level of Protection of Personal Data is Ensured does not ensure an adequate level of protection for personal data.