Privacy Law at Serbia
Serbia's data protection framework is primarily governed by the Law on Personal Data Protection (LPDP), which aligns closely with the European Union's General Data Protection Regulation (GDPR). The LPDP was adopted in November 2018 and became effective on August 21, 2019
Key Provisions of the Law on Personal Data Protection
1. Data Subject Rights
Individuals in Serbia have rights similar to those under the GDPR, including:
Right to be informed Individuals must be informed about the collection and use of their personal data.
Right of access Individuals can access their personal data held by data controller.
Right to rectification Individuals can request corrections to inaccurate or incomplete dat.
Right to erasure Individuals can request the deletion of their personal data under certain condition.
Right to restriction of processing Individuals can request limitations on the processing of their dat.
Right to data portability Individuals can obtain and reuse their personal data across different service.
Right to object Individuals can object to the processing of their personal dat.
2. Obligations of Data Controllers and Processors
Entities processing personal data must:
Implement appropriate technical and organizational measures To ensure a level of security appropriate to the risk.
Maintain records of processing activities Documenting data processing operation.
Notify data breaches Inform the Commissioner for Information of Public Importance and Personal Data Protection and affected individuals in case of a data breach.
Appoint a Data Protection Officer (DPO) When required, to oversee data protection activities.
Appoint a representative in Serbia For controllers and processors not established in Serbia but subject to the LPDP
3. Penalties for Non-Compliance
Violations of the LPDP can result in:
Fines for legal entities Ranging from RSD 50,000 to RSD 2,000,000 (approximately EUR 450 to EUR 16,000.
Fines for responsible individuals Ranging from RSD 5,000 to RSD 150,000 (approximately EUR 40 to EUR 1,200.
Criminal liability For unauthorized collection of personal dat.
Compensation for damages Data subjects can seek compensation for material and non-material damages caused by non-compliance
📈 Strategic Development
In August 2023, the Serbian government adopted the **Personal Data Protection Strategy for the period 2023–2030* This strategy aims to address existing shortcomings in the LPDP and enhance the protection of personal data Key goals include:
*Upgrading the LPDP: To fully align with the GDPR standards.
*Harmonizing sectoral laws: Adjusting other laws to be consistent with the LPP.
*Establishing regulations: For video and audio surveillance, biometrics, and genetic data
⚠️ Implementation Challenge
Despite the LPDP's alignment with the GDPR, challenges remain in its implementation:
*Lack of privacy culture: Limited public awareness about data protection rights.
*Insufficient compliance: Entities, both public and private, often lack knowledge and capacity to comply with the LPP.
*Limited enforcement: The Commissioner for Information of Public Importance and Personal Data Protection has faced challenges in effectively overseeing compliance
📝 Summary
Serbia's data protection landscape is evolving, with the LPDP providing a solid legal foundation aligned with international standard. The adoption of the Personal Data Protection Strategy for 2023–2030 signifies a commitment to enhancing privacy protection. However, successful implementation will require addressing existing challenges and fostering a culture of data protection awareness and compliance.
RELATED Blog
0 comments