Personal data is any information based on which one’s identity can be determined, directly or indirectly. This includes, for example, name and surname, personal identification number, location or movement data, data from phone listings and logs, bank account number, recordings from surveillance cameras with facial recognition software, as well as any other information that point out to someone's physical, physiological, genetical, mental, economic, cultural and societal characteristics. 

Special category data is data that indicates racial or ethnic origin, political orientation, religious or philosophical beliefs or union membership, as well as processing of genetic data, biometric data aimed at unique identification of persons, data concerning health, data regarding person’s sexual orientation and sexual preferences. 

Personal data processing is each action or number of actions, performed automatically or non-automatically over personal data, such as collection, recording, classification, grouping (or structuring), storage, modification or change, publication, insight, usage, detection by transmission, or by delivery, multiplication, dissemination or making it available by any other means, comparison, restriction, deletion or destruction. 

The data subject is a natural person whose personal data is being processed. 

Data controller is a natural or legal person, or, respectively, a public institution that, independently or in cooperation with other entities, determines the purpose and means of data processing. The law that determines the purpose and the ways of data processing, may also appoint the data controller, or set up terms for his appointment. 

Data processor is a natural or legal person, or, respectively, a public institution, which processes data for data controller. 

The recipient is a natural or legal entity, or, respectively, a public institution, to which personal data has been disclosed, whether it is a third party or not, unless it is a matter in which public authorities receive personal data in accordance with the law, for the purpose of investigating a specific case, and process this data in accordance with the legal framework.   

Joint controllers are two or more data controllers who jointly determine the purpose and means of data processing.

The General Data Protection Regulation (GDPR) was adopted in 2016 and entered into force on May 25^th, 2018. It applies to personal data processing conducted by data controllers/data processors based in the EU, but also to data processing of EU citizens by data controllers/data processors located outside of the EU. 

The new Law on Personal Data Protection (the PDP Law) was adopted in November 2018 and entered into force on August 21^st, 2019. This Law represents the most important legal act in the field of personal data protection in the Republic of Serbia, and the data controllers and data processors’ procedures must be in accordance with the above-mentioned Law. The Law applies on controllers and processors from both the private and the public sector, as well as on all citizens living in the Republic of Serbia.

All data controllers and processors are obliged to harmonize their businesses with the new Law on Personal Data Protection. The Law stipulates specific provisions which must be respected during each and every personal data processing, and those include:

• Legality, credibility, transparency
• Pre-defined (legal) purpose of processing
• Minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

The above-mentioned principles also oblige controllers and processors to:

• Make sure each and every personal data processing is based on legal regulations of the Republic of Serbia, meaning there has to be legal basis for any processing of personal data.
• Make sure controllers keep in mind the interest of persons whose data they are processing, as well as that the person to whom the data relates has the right, at any given moment, to know how the data is handled, what type of data is processed, for what purposes, who processes the data, etc.
• Collect data for specific, explicit, justified, and lawful purposes,  as well as not to process the data in a manner inconsistent with those purposes.
• Keep the data appropriate, relevant, and limited&nbspto only what is necessary in relation to the purpose of the processing.
• Keep the data accurate and up-to-dateand enable for inaccurate data to be deleted or edited.
• Limit the storage.
• Keep personal data only in a form that allows the identification of a person, and only within the period necessary to achieve the purpose of processing.
• Process personal data only in a way that provides adequate protection of personal data, including protection against unauthorized or illegal processing, accidental loss, destruction, or damage by using appropriate technical, organizational or personnel measures.

The Law on Personal Data Protection provides for a number of rights for the citizens. At the same time, these rights also represent obligations for controllers, meaning that the person to whom the data relates has the right to, at any given moment, to know how the data is handled, what type of data is processed, for what purposes, who processes the data, etc. In addition, the person may also request the controller to correct, edit, delete, limit, or transfer their personal data. The person has also the right to withdraw the consent given for the processing of personal data (in case the processing was based on the person's consent). 

The controller is obliged to take appropriate measures to provide the data subject with all information related to personal data processing, i.e. information related to the exercise of rights provided by the law, in a concise, transparent, easily understandable and easily accessible way, using simple terminology, especially in situations when the information relates to a minor. 

For information about processing of their personal data, the natural person directly addresses the controller with a request, asking to exercise one of their above-mentioned rights, and the controller is obliged to provide the data subject with information, without delay, and no later than 30 days from receiving the request. In case the controller fails to act upon the request of the data subject, they are obliged to inform the data subject about the reasons for non-action without delay, and no later than within 30 days from the day the request was received, as well as to inform them about their right to file a complaint to the Commissioner, or a lawsuit in a court.

Controllers and processors can have or designate a person in charge of personal data protection. it may determine place that will be in charge for personal data protection. However, there are a large number of controllers and processors, explicitly obliged by the law to have a data protection officer. Controllers/processors must designate a data protection officer:

• If the processing is performed by a public authority.
• If the controllers’ or processors’ basic activities consist of processing which, within its nature, scope, or purpose, requires regular and systematic supervision of a large number of persons to whom the data relate.
• If the controllers’ or processors’ basic activities consist of processing special types of personal data referred to in Article 17, paragraph 1, or personal data related to criminal convictions and offenses referred to in Article 19 of this Law, on a large scale.

Data protection officer may, but does not have to, be employed by controller/processor. The data protection officer is determined on the basis of professional qualifications, and especially professional knowledge and experience in the field of personal data protection. Controller or processor is obliged to publish the data protection officer’s contact information and submit them to the Commissioner. Data protection officer must be included in all activities related to personal data protection, and controllers/processors are obliged to timely and appropriately involve data protection officer in all tasks related to personal data protection.

Data protection officer is, at least, obliged to:

1. Inform and give opinions to controllers and processors, as well as the employees who perform processing operations about their legal obligations regarding the protection of personal data.
2. Monitor the implementation of provisions of this Law , other laws and internal regulations of controllers/processors relating to personal data protection, including the issues such as division of responsibility, awareness raising and training of employees participating in processing operations, as well as control.
3. Give an opinion, when requested, on the assessment of the impact of processing on the protection of personal data, and monitor the conduct of that assessment, in accordance with the Article 54 of this Law.
4. Cooperate with the Commissioner, represent a contact point for cooperation with the Commissioner and consult with the Commissioner regarding issues related to processing of personal data.  

Controllers are obliged to perform an impact assessment in cases when a specific type of processing, for example by using new technologies, and taking into account the nature, scope, circumstances and  purpose of the processing, may cause a high risk for the rights and freedoms of individuals. Article 54 of the Law prescribes the situations when it is obligatory to make an assessment of the impact of such processing on the personal data of natural persons, before initiating personal data processing. Also, should the assessment indicate that such processing will produce high risk in case no risk mitigation measures are undertaken, then the controller is obliged to ask for the Commissioner’s opinion, prior to initiating the data processing.

Controllers and processors are obliged to maintain records about activities regarding the processing of personal data, in writing, which also includes electronic form. These records are to be kept permanently.

This obligation is not implemented on legal entities and organizations which have less than 250 employed, unless:

• The processing their perform may pose a high risk to rights and freedoms of the data subjects.
• The processing is not occasional.
• The processing includes special types of personal data or for personal data relating to criminal convictions, criminal offences, and security measures.

The new Law on Personal Data Protection provides more detailed and flexible rules regarding the  international transfer of data to another country or international organization. 

The transfer of personal data to another country, a part of its territory, or an international organization, without prior approval, is possible only if determined that the other state/international organization provides an appropriate level of personal data protection. 

An appropriate level of protection is considered to be provided in countries/international organizations, members of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, i.e. in countries, parts of their territories, or in one or more sectors of determined activities in those countries, or in international organizations that have been determined by the European Union to provide an adequate level of protection. 

Transfer with appropriate protection measures 

Controllers or processors may transfer personal data to another country/international organization for which no adequate level of protection has been established, only if the controller or processor has provided appropriate measures to protect this data and if the data subject has been enabled to exercise their rights and was provided effective legal protection.

Personal data breach is the breach of the security of personal data which results in an accidental or unlawful destruction, loss, editing, unauthorized disclosure, or access to personal data that has been transmitted, stored or otherwise processed. Violation of personal data can be, for example, intrusion into computer system (hack) or loss of computer containing personal data, unintentional publication of database, etc.

The controller is obliged to inform the Commissioner about the violation of personal data which may pose a risk to rights and freedoms of natural persons without undue delay, or, if possible, within 72 hours of becoming aware about the violation.

If the data breach can cause a high less risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject about the breach, without any undue delay.

In case of non-compliance with the provisions of the Law, a fine of 50.000 to 2.000.000 RSD may be imposed on the controller/processor with the status of a legal entity, and the responsible person with a fine of 5.000 to 150.000 RSD. 

A fine of 5.000 to 150.000 RSD may also be imposed on a natural person who does not keep personal data as a professional secret, and who became aware of the said data while performing their duties. 

Criminal Code 

Article 146 of the Criminal Code provides for the criminal offense of Unauthorized Collection of Personal Data: 

“Whoever without authorization obtains, communicates to another or otherwise uses information that is collected, processed and used in accordance with law, for purposes other than those for which they are intended, shall be punished with a fine or imprisonment up to one year.”

If the criminal offense was committed by an official, while performing their duties, they shall be punished by imprisonment for a term between three months and three years.

The Law on Personal Data Protection  

The Commissioner for Information of Public Importance and Personal Data Protection

The Commissioner’s Publication on Frequently Asked Questions regarding Data Protection Officers (available in Serbian)

The Commissioner’s Publication Listing Legislation related to Personal Data Protection (available in Serbian)

Controllers’ Self-evaluation Control Lists (available in Serbian)