On 9 November 2018 the National Assembly of Serbia has adopted the long awaited new Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, Official Gazette of the Republic of Serbia, no. 87/2018) (hereinafter: the Law).
The main reason behind the adoption of this new piece of legislation is harmonization with the European Union rules, i.e. ensuring the same level of protection of personal data as in the European Union member states. The introduction of the Law is part of Serbia’s obligations in process of the accession to the European Union. Further, the Law was adopted with the aim of facilitating the conducting of business of companies, having in mind the current level of application of modern information technology and social networks. Namely, the general assessment of the previous law on personal data protection is that it was already outdated at the time of its adoption, and therefore its application in practice was often marred by significant difficulties.
The Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: the Commissioner)’s stand regarding the text of the Law is that it represents a literal translation of the General Data Protection Regulation (hereinafter: the GDPR), and therefore exhibits a high level of formal compliance with the respective regulation of the European Union, but the practical application in Serbia is highly questionable.
Further, despite the Commissioner’s numerous complaints and suggestions, the Law does not regulate video surveillance, which remains in the gray area. The Commissioner has also found Article 40 of the Law to be quite controversial as it allows the limitation of certain fundamental rights and obligations envisaged by the Law, in a rather imprecise manner and without reference to the law as a legal ground for such limitation. Therefore, there is a potential threat that authorities or companies that handle personal data may restrict citizens’ rights without explicit legal authority and at their own discretion.
The Law relies heavily on the solutions envisaged by the GDPR, and since it is a completely new law, which is significantly more extensive than its predecessor, we point out the most important provisions and key novelties which it has introduced.
Firstly, the Law is applied in cases where the data controller or the data processor with the seat or residence or temporary residence on the territory of the Republic of Serbia carries out personal data processing within the scope of activities that are carried out on the territory of the Republic of Serbia, regardless of whether the processing itself is done on the territory of the Republic of Serbia. Additionally, regardless of the seat or residence or temporary residence of the data controller or the data processor, the Law applies to cases of data processing if the persons to whom the data relates have residence or temporary residence in the Republic of Serbia, in two cases – in the case of offering goods and services, and in case of monitoring activities of persons if the activities are carried out in the Republic of Serbia.
The Law extends and specifies the competencies and powers of the Commissioner as an independent state body and harmonizes it with relevant principles of European Union. In accordance with the Law, the Commissioner primarily performs inspection tasks, but, in addition, enjoys many other competences. Thus, the Commissioner takes appropriate corrective measures, ensures the implementation of the law, prepares standard contractual clauses regarding the processing of data, approves the provisions of the agreement or contract between the authorities regarding the transfer of data, keeps internal records of violations of the Law, reviews the issued certificates, and performs international cooperation activities.
The Law envisages a range of different options for the protection of data subject’s rights. First of all, an objection to the data controller on data processing can be filed, but also a complaint with the Commissioner. Against the decision of the Commissioner, that is, if such a decision has not been made within 60 days from the date of submission of the complaint, an administrative dispute may be initiated. In addition, direct court protection can be achieved independently from all other procedures.
The Law for the first time clearly stipulates special provisions that apply only to the relevant authorities, thus ensuring the legality of their actions, and at the same time determining cases where there are exceptions from the general regime. A large part of the Law is dedicated to the collection and processing of data by the competent authorities, and many exceptions which the authorities can now rely on (over forty in number). Therefore, it seems that the criticism of the European Commission on the structure and readability of the Law itself (back then in draft form) is highly justified. Namely, the stand of the European Commission is, inter alia, that the draft Law was overly complicated and consequently less transparent.
The Law introduces the obligation of risk analysis prior to the commencement of processing operations, and if the level of risk is high, it stipulates the necessity of requesting the opinion of the supervisory authority i.e. the Commissioner.
The Law now explicitly stipulates the right to compensation, which implies that a person who suffered material or non-material damage due to a violation of the provisions of the Law has the right to financial compensation of this damage from the data controller, i.e. the data processor who caused the damage.
An important novelty is that the Central Registry of Data Collections is abolished by the Law, and it ceases to exist when the Law enters into force. There is no longer any obligation to notify the Commissioner of the intention to establish a data collection, nor the obligation to register one. Namely, in the future, the collection of data will be kept at the data controller’s level, i.e. internally, and in accordance with the Law.
The transfer of data from the Republic of Serbia is now subject to a significantly different and more detailed regime, in particular with respect to the transfer terms. The Law also introduces a number of other novelties, such as binding corporate rules, certification, determining persons for personal data protection, as well as a code of conduct and complete regulation of personal data processing carried out by the competent authorities, for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or enforcing criminal sanctions, and the the elements of an agreement or other binding act on the basis of which the processing of data is carried out by the data processor. Finally, the applicable provisions regulating penalties and fines are now much more stringent.
Application of the Law
The law enters into force on 21 November 2018, however its application will start nine months from the date of its entry into force. During this period, the relevant by-laws are to be adopted. The only exception is the article of the law which regulates the termination of the obligation to maintain the Central Registry of Data Collections that applies immediately upon the entry into force of the Law. Existing data within the Central Registry of Data Collections will be archived.
The provisions of other laws pertaining to personal data processing will be harmonized with the provisions of the Law by the end of 2020.