In response to the European Union’s (EU) General Data Protection Regulation (GDPR), Serbia has introduced a new data protection law that took effect on August 21, 2019. The law aims to broadly follow GDPR principles, and it marks a marked change in the way personal data must be handled in Serbia. It is expected to result in Serbian companies making many changes to their practices.
Data processing consent: new forms and stricter requirements
In contrast to the previous law, which recognized only hand-signed consent for data processing, the new law introduces other forms as well, such as online and oral consent, provided that the controller is able to demonstrate that the data subject has indeed consented.
On the other hand, the conditions for obtaining consent have become much stricter. Similar to the requirements of the GDPR, consent must be freely given, specific, informed, and unambiguous. Consent is not the only legal ground for data processing; others exist as well, such as the performance of the contract, compliance with legal obligations, and where processing is necessary for legitimate interests.
As is the case in other EU countries, consent should not be relied on as a ground for processing data in the employment context. This is because of the perceived power imbalance between employer and employee, as well as concerns that employees could be pressured into giving consent. Therefore, employers will have to rely on other legal grounds for processing personal data within the employment context.
Removal of the database registration obligation
An important change the new law specifies is the removal of the existing obligation to register personal databases with the Data Protection Authority (DPA), which was mostly ignored in practice, even in cases of companies with a high number of employees. Under the new law, controllers and processors will be required to maintain database records internally only, and, even then, only if the company has over 250 employees.
Designation of a data protection officer
Some employers will be required to designate a data protection officer (DPO), whose primary tasks will be to ensure compliance with data processing legislation and to communicate with the DPA and data subjects regarding all data protection matters. This obligation applies, among other things, if the large-scale processing of special categories of personal data is carried out, such as processing data on trade union memberships.
The DPO may be employed or engaged under a service contract and must have sufficient expert knowledge.
Liberalized data transfer concept
The data transfer regime has been completely revamped and liberalized under the new law, which is a welcomed change from the previous, overly restrictive concept, which required controllers to obtain prior approval from the DPA for transfers to non-European countries.
Written by Milena Jakšić Papac and Srđan Šijakinjić in cooperation with Karanović & Partners and Roger James of Ogletree Deakins
© 2019 Karanović & Partners and Ogletree, Deakins, Nash, Smoak and Stewart, P.C.