New Data Protection Law adopted

On November 13, 2018, the National Assembly of the Republic of Serbia adopted the new Data Protection Law that came into force on November 21, 2018, but its effective date has been postponed until August 21, 2019 (except for the clauses related to maintenance of the Central Register of Personal Databases which has already been terminated).

Serbian Data Protection Law closely follows EU’s General Data Protection Regulation (GDPR).

The new regulation establishes a higher level of responsibility for organizations that collect and process personal data.

Very high fines up to EUR 20 million or 4% of the organization’s total annual turnover in the previous year are a sufficient reason for Serbian companies and public entities to immediately start harmonizing their operations with the GDPR.

The new Data Protection Law applies to:

• Data controllers and processors in the Republic of Serbia,
• Data controllers and processors outside the Republic of Serbia who process the personal data of Serbian citizens, in the following cases:
• offering goods or services;
• monitoring activities of persons if the activities are carried out in the Republic Serbia.

The Serbian Data Protection Law is not applicable to personal data processing performed by natural persons for personal needs or for the needs of their household.

The organizations that collect personal data of citizens must upgrade their current procedures for managing personal data through a series of new, more stringent requirements.