Data Protection & Privacy 2022

Last Updated March 10, 2022

Serbia

Law and Practice

Mikijelj, Janković & Bogdanović was established in 1985 in Belgrade, Serbia, and has been continuously recognised as one of the leading law firms in the field of dispute resolution and IP law. The firm’s data protection team comprises three members, two partners and one senior associate. The team has advised clients in matters of data protection and privacy, particularly in telecommunications, pharmaceuticals, online trade, advertising, gambling and media. Mikijelj, Janković & Bogdanović also has an extensive practice in the areas of advertising, media, employment, and corporate and commercial law.

The Constitution

The Constitution of the Republic of Serbia contains several provisions relating to the protection of privacy, including on the confidentiality of letters and other means of communication (Article 41 of the Constitution) and the protection of personal data (Article 42 of the Constitution).

Under the Constitution, the confidentiality of letters and other means of communication may only be derogated from for a specified period of time and on the basis of a court decision for the purpose of conducting criminal proceedings or protecting the safety of Serbia, in a manner stipulated by the law (Article 41 of the Constitution).

The Constitutional guarantee of protection of personal data (Article 42 of the Constitution) provides that use of personal data for any purpose other than that for which it was collected is prohibited and punishable in accordance with the law, unless it is necessary to conduct criminal proceedings or protect the safety of Serbia, in a manner stipulated by the law.

The Constitution also guarantees that everyone shall have the right to be informed of the collection of personal data relating to them, in accordance with the law, as well as the right to court protection in the case of abuse of their personal data.

The Personal Data Protection Act

In August 2019, application of the new Personal Data Protection Act (PDPA) commenced. The solutions provided by the PDPA are in line with the GDPR.

The PDPA defines personal data, the different types of personal data and the manner of their collection, processing and transfer outside of the territory of Serbia.

Sector-Specific Legislation

Provisions that are of relevance to the protection of personal data may also be found in the Electronic Communications Act (ECA), as well as in sector-specific legislation, such as the Act on Health Documents and Records, the Act on Records and Data Processing in Interior Affairs and the National DNA Registry Act.

Under Serbian legislation, the main regulator in the area of data protection is the Commissioner for Information of Public Importance and Protection of Personal Data (“the Commissioner”), whose prerogatives are defined by the PDPA. Under the PDPA, the Commissioner is a supervisory body that:

  • monitors and enforces the application of the PDPA;
  • advises the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
  • provides information to any data subject concerning the exercise of their rights under the PDPA; and
  • co-operates with the supervisory authorities of other states.

The Commissioner also:

  • handles complaints lodged by a data subject;
  • prepares standard contractual clauses and authorises contractual clauses that would serve as an adequate safeguard for the transfer of data to a country or international organisation that does not ensure adequate levels of protection of personal data;
  • establishes and maintains a list in relation to the requirements for a data protection impact assessment when required under the law; and
  • accredits certification bodies, issues certifications and approves criteria of certification (Article 78 of the PDPA).

Data Protection Commissioner Powers

The Commissioner is vested with a set of investigative powers, corrective powers and advisory powers that are identical to the powers of the supervisory body prescribed by the GDPR. The Commissioner is authorised, inter alia, to:

  • order the data controller or data processor to provide information it requires for the performance of its tasks;
  • monitor the application of the provisions of the PDPA by exercising its inspection powers;
  • carry out a review on certifications issued in accordance with the PDPA;
  • obtain access to any premises of a controller or processor, including to any data-processing equipment and means;
  • issue reprimands to a controller or processor where processing operations have infringed provisions of the PDPA;
  • order the controller or the processor to comply with the data subject’s requests to exercise their rights pursuant to the PDPA;
  • order the controller or processor to bring processing operations into compliance with the provisions of the PDPA, where appropriate, in a specified manner and within a specified period;
  • order the controller to communicate a personal data breach to the data subject;
  • impose a temporary or definitive limitation, including a ban on processing;
  • order the rectification or erasure of personal data or restriction of processing;
  • withdraw a certification or order the certification body to withdraw an already-issued certification;
  • impose an administrative fine – in addition to, or instead of, other corrective measures – depending on the circumstances of each individual case; and
  • order the suspension of data flows to a recipient in a third country or to an international organisation (Article 79 of the PDPA).

Under the PDPA, the Commissioner is authorised to exercise its powers in accordance with the Administrative Procedure Act and Inspection Act (Article 77 of the PDPA) as well as to initiate proceedings before the courts and other competent bodies in accordance with the law (Article 79 of the PDPA).

The Commissioner is obliged to act upon the complaints of a data subject and initiate the inspection procedure, as well as to inform the data subject about the outcome of the inspection and their right to initiate administrative court proceedings against the decision of the Commissioner. If the data subject is not satisfied with the decision of the Commissioner, or if the Commissioner fails to act upon the complaint within 60 days from its receipt, the data subject is authorised to initiate court proceedings against the Commissioner in accordance with the Administrative Court Proceedings Act (Articles 82 and 83 of the PDPA).

According to the Constitution of Serbia, ratified international treaties and generally accepted rules of international law are part of the legal system of Serbia, and laws and other general acts enacted in Serbia have to comply with ratified international treaties and generally accepted rules of international law (Article 194 of the Constitution).

In the context of personal data protection, Serbia has ratified the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol regarding Supervisory Authorities and Transborder Data Flows (ETS No 108, Strasbourg, 28 January 1981) (the Convention). The Convention serves as a legal ground for the transfer of data from Serbia to the UK after Brexit: the UK is a party to the Convention and its Additional Protocol, and signatories of the Convention are considered to be countries that ensure an adequate level of data protection.

Serbia is also a signatory to various international agreements that contain provisions that could be relevant for accessing or obtaining data processed in the territory of Serbia, mostly in the context of international co-operation in civil and criminal matters.

Because Serbia is in the process of accession to the EU, much Serbian legislation focuses on implementation of the standards and provisions provided by EU legislation.

Moreover, the PDPA contains solutions provided by the GDPR and by Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the Police Directive).

There are multiple NGOs that address issues around personal data protection in Serbia, particularly those that focus on issues relating to the protection of human rights and privacy. The SHARE foundation is an NGO worth mentioning in the context of privacy and protection of personal data, since the main goal of its activities concerns privacy protection in the online environment.

The current status of Serbian legislation regarding protection of personal data could be described as developing towards the model set by EU legislation.

The current PDPA contains provisions that are almost identical to those of the GDPR and by-laws enacted by the Commissioner are also modelled on the EU legislation.

The PDPA harmonises Serbian legislation with the solutions contained in the GDPR. In addition, the by-laws necessary for the proper application of the PDPA have been enacted, among which are:

  • the decision on the list of types of processing operations which are subject to the requirement of a data protection impact assessment and consultation with the Commissioner;
  • the decision on the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection; and
  • the decision on standard contractual clauses applicable to the data controller–data processor relationship.

The Commissioner has announced that, because of the CJEU decision in Schrems II, data cannot be transferred to the USA on the basis of the decision on the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection, even though that decision lists the USA (limited to the Privacy Shield framework) as a country considered to ensure an adequate level of personal data protection. The Commissioner also noted that the legislative authorities should amend this decision to reflect the conclusion of the Schrems II decision.

Since the new PDPA has been in application for only two years, the focus is still on assisting legal entities in Serbia to adjust to the new regime for the processing of personal data. The Commissioner has focused primarily on monitoring the implementation of the provisions of the PDPA and on providing further guidelines in relation to the proper implementation of the PDPA. Questions related to the COVID-19 pandemic remain a significant topic of discussion.

The PDPA is the main legislation relating to personal data protection.

Under the PDPA, personal data is any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 of the PDPA).

Personal Data Processing

Personal data must be processed in accordance with the same principles that are provided by the GDPR – ie, processing must be lawful, fair and transparent, limited in accordance with the purpose of the processing, accurate and conducted in a manner that ensures confidentiality and integrity of the processed data (Article 5 of the PDPA).

Under the PDPA, processing is lawful if:

  • the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • it is necessary for compliance with a legal obligation to which the controller is subject;
  • it is necessary in order to protect the vital interests of the data subject or of another natural person;
  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.

The Commissioner has provided several opinions on how to assess legitimate interest, emphasising that this legal ground for data processing can be used only if the data processing is necessary, and only if the fundamental rights and freedoms of the data subject do not override the controller’s interests.

Processing on the grounds of legitimate interests does not apply to processing carried out by public authorities in the performance of their tasks (Article 12 of the PDPA).

Privacy by Design/Default

The PDPA adopts both the privacy by design and the privacy by default concepts introduced by the GDPR and obliges the controller to, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles in an effective manner, as well as to integrate the necessary safeguards into the processing and protect the rights of data subjects. The controller is also obliged to implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed. The data must be adequately protected from abuse, destruction, loss, unauthorised alterations or access, modification and publication; in addition, controllers and processors are obliged to take all necessary technical and organisational measures, as well as measures relating to the duty of confidentiality of persons who are processing or have access to the processed data (Articles 42 and 50 of the PDPA).

Data Protection Officers

The PDPA also contains provisions relating to the designation of a data protection officer, whom the data controller and data processor are obliged to designate if:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations that – by virtue of their nature, their scope and/or their purposes – require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of the large-scale processing of special categories of data and personal data relating to criminal convictions and offences (Article 56 of the PDPA).

Data Protection Impact Assessments

The data controller is also obliged to perform a data protection impact assessment in cases where any of the following occur:

  • a systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • large-scale processing of special categories of data or of personal data relating to criminal convictions and offences; or
  • systematic monitoring of a publicly accessible area on a large scale (Articles 54 and 55 of the PDPA).

Cross-Border Transfer of Data

Under the PDPA, the data controller may introduce binding corporate rules that are adhered to by a controller or processor established in the territory of the Republic of Serbia for the purpose of a transfer, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. If the Data Protection Commissioner approves the binding corporate rules, it is considered that a controller has provided adequate safeguards and that data may be transferred outside of the territory of the Republic of Serbia (Article 67 of the PDPA).

Data Subject Rights

As regards the rights of the data subject, the PDPA entitles a person to request access to their data; to request erasure, rectification and restriction of processing, and portability of their data; as well as to object to the collection, use or transfer of their data (Articles 21-37 of the PDPA).

Finally, under the PDPA, the data subject may seek compensation for pecuniary and non-pecuniary damages suffered due to the unlawful processing of their personal data (Article 86 of the PDPA). However, under the general rules, a party seeking damages would have to prove a causal link between the unlawful data processing and the harm caused to it – ie, the burden of proof lies on the plaintiff, in this case a person who claims damages due to the unlawful processing of their personal data.

Under the PDPA, sensitive data is defined as data relating to ethnicity, race, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of sensitive data is prohibited except, inter alia, if:

  • it is carried out with the explicit consent of the data subject;
  • it is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social security and social protection law; and/or
  • it is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 17 of the PDPA).

Processing of sensitive data by public authorities is exceptionally allowed if the public authority in question is authorised to process such data by law, if processing is carried out for the purpose of protecting the vital interests of a data subject or other natural person, or if such data is obviously made available to the public by a data subject (Article 18 of the PDPA).

Financial Data

The PDPA does not contain a special provision that relates to financial data. However, under the Bank Act (BA), data relating to personal data, financial conditions and transactions, ownership or business relations of the clients of a bank or another bank; data on balances and flows on individual deposit accounts; and other data obtained by a bank from its clients is considered a bank secret (Article 46 of the BA).

In addition, banks, their executives, shareholders and employees, as well as external auditors and other persons who, due to the nature of their activities, have access to data that is considered a bank secret, may not disclose that data to third parties, use it against the interests of the bank and its clients, or enable third parties to access it. This duty of keeping confidential data that is classified as a bank secret lasts even after termination of a relationship based on a particular person having access to the data covered by the bank secret. Client data that represents a bank secret may be disclosed to third parties only with the client’s written approval (Article 47 of the BA).

Moreover, the National Bank of Serbia, courts and other bodies vested with public authority (as well as their employees) may use data that is considered a bank secret solely for the purpose for which that data was obtained and may not disclose it to third parties or enable third parties to learn and use it, except in cases envisaged by law (Article 49 of the BA).

Health Data

Under the PDPA, health data is personal data related to the physical or mental health of a natural person, including the provision of healthcare services that reveals information about their health status. Health data is considered to be a type of sensitive data and thus the PDPA rules regarding the processing of sensitive data apply. In addition, under the Health Protection Act (HPA), medical records are confidential and medical institutions, as well as individuals working therein, are obliged not to disclose them (Article 54 of the HPA).

Communication Data

The PDPA does not directly address the question of communication data, so the general rules on data processing provided by the PDPA are applicable to all communication data.

Provisions relevant to the protection of communication data – including voice telephony, text messaging and the content of electronic communications – are contained in the Electronic Communications Act (ECA), which prohibits network operators and service providers from retaining the content of customer communications (Article 129 of the ECA). However, they are obliged to enable lawful interception of communication under the conditions set out by the law, which are explained in 3. Law Enforcement and National Security Access and Surveillance.

As regards metadata, the ECA obliges network operators and service providers to retain for a period of 12 months data:

  • tracing and identifying the source of a communication;
  • identifying the destination of a communication;
  • determining the beginning, duration and end of a communication;
  • identifying the type of communication;
  • identifying users’ terminal equipment; and
  • identifying the location of the users’ mobile terminal equipment.

They are also obliged to disclose retained metadata to the police, the State Prosecutor, the Security Information Agency or the Military Security Agency, provided that the body in question has obtained a court decision allowing it such access for a limited period of time and for the purpose of conducting criminal proceedings or protecting national security (Articles 128 and 129 of the ECA).

There is also an exception to this rule by which the security agencies and police may, exceptionally, in emergency situations and only temporarily, access the communication data without a court decision, such as in cases of domestic or international terrorism (see for example Article 60 of the Police Act (PA)).

However, in practice, telecommunications companies have reported a significant number of instances of access to their systems by the security agencies and the police without prior presentation of a court decision. This raises the question of whether their prerogative to intercept communications or obtain retained metadata without a court order, which is meant to apply only in exceptional circumstances, is being abused.

Children’s Privacy

Generally, consent for data processing is valid if it is given by a person 18 years of age or older.

The PDPA recognises exceptions to this rule in relation to consent concerning information society services. Under the PDPA, 15-year-old persons are able to give consent in relation to information society services. On behalf of persons younger than 15, consent is given by their parents or other personal representative of a minor (Article 16 of the PDPA).

Internet, Streaming and Video Issues

Serbian legislation does not have special rules governing the application of cookies, beacons, the use of tracking technologies or behavioural advertising, so the general rules of the PDPA apply to these topics as well.

The PDPA does not contain special provisions regarding online marketing. However, it does regulate processing for direct marketing purposes and entitles the data subject to object at any time to the processing of personal data concerning them for such marketing, which also includes profiling (Article 37 of the PDPA). Regarding other aspects of online marketing, general rules on data processing apply.

The Advertising Act (AA) also contains a provision that allows direct advertising only upon obtaining prior consent from a person to whom the advertising is sent (Articles 62 and 63 of the AA). Behavioural advertising and targeted advertising are not regulated explicitly by Serbian law.

The ECA also contains provisions that prohibit unsolicited commercial and marketing communications without the prior consent of the recipient of such communication (Articles 118-119 of the ECA).

Under the PDPA, processing of employees’ personal data is carried out in accordance with the provisions of employment law and collective agreements based on the principles set out by the PDPA. The PDPA also recognises that employment regulations and collective agreements may contain provisions related to the protection of personal data of employees, in which case they also need to specify suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights (Article 91 of the PDPA).

Under the Employment Act of the Republic of Serbia, employers are allowed to collect data regarding their employees where this is prescribed by that law and other laws related to employment matters. The Employment Act also authorises employers to monitor the work of their employees, a provision that is frequently used in practice as a ground for accessing employees’ computers and email communications. In this respect, the Commissioner has taken the position that such access is allowed if the computer and email account were provided by the employer for the purpose of work performance and if the access does not invade the employee’s privacy. If an employee is using a private email account or private computer, the employer may access the data contained therein only in the presence of that employee, who will then be able to prevent the employer’s access to private communication and files. In a recent ruling, the Commissioner took the position that an employer must not continue to use a former employee’s email account after termination of employment, as it contains the employee’s name: a piece of personal data whose processing is no longer justifiable, legal and necessary.

Administrative Enforcement

As stated in 1.3 Administration and Enforcement Process and 2.1 Omnibus Laws and General Requirements, the enforcement of personal data protection is the remit of the Commissioner, which is authorised to investigate whether data processing is lawful, including the right to request access to the premises of the data controller and means of data processing, as well as to order rectification of identified irregularities in data processing within a specified period of time, or to render a temporary ban on any processing carried out contrary to the provisions of the PDPA (Article 79 of the PDPA).

Data processing contrary to the provisions of the PDPA represents a misdemeanour punishable with a fine between RSD50,000 and RSD2 million for a legal entity, RSD20,000 and RSD500,000 for an entrepreneur, and RSD5,000 and RSD150,000 for both a natural person and the responsible person in a legal entity (Article 95 of the PDPA).

Criminal Enforcement

The Serbian Criminal Code (CC) also recognises the criminal offence of unauthorised processing of personal data, which is punishable with a fine or imprisonment, depending on the particularities of the specific case (Article 146 of the CC).

Civil Enforcement

The data subject is also authorised to initiate court proceedings against the data controller and data processor if the data is processed unlawfully, as well as to request compensation for material or non-material damage suffered as a result of an infringement of the PDPA (Articles 84–86 of the PDPA). However, the burden of proof for the damages suffered from unlawful data processing lies on the plaintiff – ie, on the person to whom the unlawfully processed data relates. Class actions are not allowed in the Serbian legal system.

The data subject’s rights provided by the PDPA may be limited as long as those limitations do not infringe basic human rights and freedoms and if they are necessary and proportionate in a democratic society for the purposes of protecting, inter alia, national security, defence, public safety, judicial independence, other vital public interests and particularly important financial interests of the Republic of Serbia, as well as for the prevention and investigation of criminal acts and offenders (Article 40 of the PDPA). This provision has been criticised as too broad and prone to misuse by public authorities.

The relevant provisions for data processing by the public authorities can be found in the Criminal Procedure Code (CPC), the Electronic Communication Act (ECA) and laws relating to the powers of the police force, secret service agency and military security agencies.

Criminal Procedure Code

The CPC authorises the State Prosecutor to conduct activities, for the purpose of prosecution of persons suspected of committing a criminal offence, which encompass the collection of personal data.

The CPC also contains provisions relating to so-called special investigation measures, among which are interception and surveillance of electronic communications, computer searches of processed personal and other data, and the collection of communication data (including metadata). These measures may be employed, as special investigation measures, in the pre-formal and formal investigation stages of criminal proceedings, and ordered against a person suspected of committing or preparing a war crime, organised crime, cybercrime or one of various listed serious crimes (stated in Article 162 of the CPC), if evidence of that crime cannot be collected in any other way, or if gathering evidence by regular investigation measures would cause significant difficulties (Article 161 of the CPC).

The order for interception is issued by the competent criminal court. The interception may be performed by the police, the Security Information Agency or the Military Security Agency (Article 168 of the CPC). If, during the interception, the relevant government agency obtains information indicating that a person uses another phone number or address, the interception may be extended to include that phone number or address by a decision of the director of that government agency, who will also notify the State Prosecutor. The State Prosecutor subsequently files the request for extension with the competent criminal court, which will render a new decision approving the extension or order the destruction of the materials collected (Article 169 of the CPC).

Police Act

Under the Police Act, the police are authorised to intercept electronic communications if that interception is necessary to arrest or apprehend a person under reasonable suspicion of having committed an offence punishable with imprisonment of four or more years and for whom an international arrest warrant is issued, if the police cannot apprehend such a person by other means or when other means would involve disproportionate difficulties. The request for interception is submitted by the director of the police and approved by the president of the Supreme Court of Cassation or, in the absence of the president of the Supreme Court of Cassation, by a judge of the Supreme Court of Cassation authorised to rule on such a request.

In circumstances in which waiting for the Court’s approval might jeopardise a police investigation, the interception may be ordered by a decision of the director of the police, with prior written approval of the president of the Supreme Court of Cassation or the authorised judge of that court. In such cases, the director of the police is obliged to submit to the Court a written request for continued interception within 24 hours from obtaining prior approval. The Court will decide on the continuation or suspension of the interception within 72 hours of receipt of the request (Article 60 of the PA).

Similar provisions are also contained in the Security Information Agency Act and the Military Intelligence Agency Act.

Electronic Communication Act

Articles 37 and 127 of the ECA provide that network operators and service providers are obliged to enable the lawful interception of electronic communications. Interception that reveals the content of a communication is allowed only for a limited period of time and on the basis of a court decision, if it is necessary to conduct criminal proceedings or to protect national security (Article 126, paragraph 1 of the ECA). The court decision authorising the interception must specify the government agency designated to conduct it. Under Article 129 of the ECA, network operators and service providers must not retain the content of customer communications. However, because Article 128, paragraph 2 of the ECA allows interception on the basis of a court decision, if that decision contains an order to retain the content of electronic communications, network operators and service providers would be obliged to comply with it.

According to Article 128, paragraph 2 of the ECA, network operators and service providers are obliged to disclose retained metadata to government agencies (the police, the State Prosecutor, the Security Information Agency and the Military Security Agency) that obtain a court decision allowing them such access for a limited period of time and for the purpose of conducting criminal proceedings or national security.

According to Article 128, paragraph 6 and Article 129 of the ECA, network operators and service providers are obliged to retain the following data for a period of 12 months:

  • tracing and identifying the source of a communication;
  • identifying the destination of a communication;
  • determining the beginning, duration and end of a communication;
  • identifying the type of communication;
  • identifying users’ terminal equipment; and
  • identifying the location of the users’ mobile terminal equipment.

Article 27, paragraph 3 of the ECA prohibits network operators and service providers from publishing records of requests for interception or for access to metadata that would reveal the identity of the persons who conducted the interception or accessed the metadata, the identity of the persons whose communications were intercepted or whose metadata was accessed, the purpose of the interception or access, or its time and place.

According to the Defence Act (DA), in a state of emergency or a state of war, legal entities in the postal-telegraph-telephone sector and other carriers of telecommunications systems must prioritise the delivery of their services as specified by the Ministry of Defence (Article 73, paragraph 1 of the DA).

Article 202 of the Constitution allows for the introduction of measures that derogate from the general protection given to the confidentiality of letters and other means of communication and to the protection of personal data (under Articles 41 and 42 of the Constitution) in a state of emergency or war. On the basis of such measures, government agencies may require access to a network operator’s or service provider’s customer communications data and/or network without adhering to the procedure prescribed for obtaining this data in regular circumstances (described in 3.1 Laws and Standards for Access to Data for Serious Crimes); that is, without presenting a court decision authorising the interception of electronic communications or access to the retained data.

Measures providing for derogation from Article 41 of the Constitution are adopted by the National Assembly or, if the National Assembly is not in a position to convene, by government decree with the President of the Republic as a co-signatory in the case of a state of emergency (Article 200, paragraph 6 of the Constitution), or by the President of the Republic together with the President of the National Assembly and the Prime Minister in the case of a state of war (Article 201, paragraph 4 of the Constitution).

Measures providing for derogation from Article 41 of the Constitution in a state of emergency are effective for a maximum of 90 days, with the possibility of extension under the same terms. Measures providing for derogation from Article 41 of the Constitution in a state of war may continue as long as necessary, as decided by the National Assembly or the government if the National Assembly is not in a position to convene.

Under the PA, in emergencies, the disclosure of metadata relating to electronic communications may be ordered by a decision of the director of the police, with the prior written approval of the president of the Supreme Court of Cassation or, in the absence of the president, of an authorised judge of that court. In that case the director of the police is obliged to submit to the court, within 24 hours of obtaining the prior approval, a written request for continued collection of that metadata (Article 60 of the PA).

Under the Military Security Agency and Military Intelligence Agency Act (MSA), in emergencies, and particularly in cases of domestic and international terrorism, the secret collection of data may be ordered by a decision of the director of the Military Security Agency, with the interim prior approval of a judge of the Supreme Court of Cassation. The judge will subsequently assess the decision in more detail and, within 24 hours of the commencement of the measure, either approve its continuation or terminate it (Article 15 of the MSA).

A foreign government request for access to personal data is not recognised as a separate ground for the collection and processing of data. Such a request is governed by the multilateral and bilateral conventions on co-operation in criminal matters to which the Republic of Serbia is a party. Serbia is not party to a CLOUD Act agreement with the USA.

The key privacy issue in this area is control over law enforcement agencies’ access to personal data, so as to prevent abuse of the powers conferred on them by law. As stated in 2.2 Sectoral and Special Issues, telecommunications companies have reported a significant number of instances in which the security agencies and the police accessed their systems without first presenting a court decision, particularly for the collection of metadata. This topic has also been addressed by the Commissioner and the ombudsman.

Under the PDPA, international transfers of data to a country, a territory or one or more specified sectors within that country, or an international organisation that ensures an adequate level of protection do not require any prior authorisation (Articles 63 and 64 of the PDPA).

Transfer of data to a country, a territory or one or more specified sectors within that country, or an international organisation that does not ensure an adequate level of protection is also possible if the controller or processor provides appropriate safeguards that ensure an adequate level of protection (Article 65 of the PDPA).

The Serbian government has adopted a decision listing the countries, parts of their territory, one or more specified sectors within those countries, and international organisations that are considered to ensure an adequate level of personal data protection; data may be transferred freely to the countries on that list.

Nonetheless, each international transfer of data has to be lawful – ie, it must be based on one of the legal grounds mentioned in 2.1 Omnibus Laws and General Requirements.

Transfers to Countries/Institutions Regarded as Ensuring Adequate Protection

Transfer of data to a country, a territory of, or one or more specified sectors within, that country, or an international organisation that ensures an adequate level of protection does not require any prior authorisation.

An adequate level of protection is presumed to exist in:

  • countries and international organisations that are parties to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol regarding Supervisory Authorities and Transborder Data Flows (the Convention);
  • countries and international organisations that are considered by the European Union to ensure adequate levels of protection of personal data; and 
  • countries with which the Republic of Serbia has concluded international treaties regarding the transfer of personal data (Article 64 of the PDPA).

Appropriate Safeguards

Furthermore, under the PDPA, transfer of personal data to a country, a territory of, or one or more specified sectors within, that country, or an international organisation that does not ensure an adequate level of protection is also allowed if the controller or processor provides appropriate safeguards, and if enforceable data subject rights and effective legal remedies for data subjects are available in that country, territory, sector or international organisation.

The appropriate safeguards may be provided by a controller without requiring any specific authorisation from the data protection commissioner by:

  • a legally binding instrument between public authorities or bodies;
  • standard data protection clauses prepared by the data protection commissioner that regulate the legal relationship between the controller and processor;
  • binding corporate rules that regulate processing of personal data by a controller and the group of companies to which the controller belongs;
  • approved code of conduct, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  • an approved certificate issued in accordance with the PDPA, together with binding and enforceable commitments on the part of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

The appropriate safeguards may also be provided through contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, or through provisions inserted into administrative arrangements between public authorities or bodies that include enforceable and effective data subject rights, but only with the specific authorisation of the Commissioner, which is obliged to give such an authorisation within 60 days from the day of receipt of the request for authorisation (Article 65 of the PDPA).

Under the PDPA, prior approval of the data protection commissioner may be required if data is to be transferred to a country that does not ensure an adequate level of protection (Article 65 of the PDPA). For more details see 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

Under the current Serbian legislation, there is no requirement for data localisation. However, each instance of data processing, including the transfer of data, has to be made on one of the grounds for data processing stipulated by the PDPA and must ensure adequate levels of data protection (Articles 12 and 65 of the PDPA).

The current Serbian legislation does not impose an obligation to share technical details such as software code or algorithms with the government.

The PDPA provides that any judgment of a court or tribunal, and any decision of an administrative authority of a third country, requiring a controller or processor to disclose or transfer personal data may only be recognised or enforceable in the Republic of Serbia on the grounds of an international agreement, such as a mutual legal assistance treaty (Article 68 of the PDPA).

Therefore, this matter is covered by multilateral and bilateral international conventions to which Serbia is party, and which provide for procedures for exchange of information between Serbia and a foreign country.

As stated in 4.2 Mechanisms or Derogations that Apply to International Data Transfers, the transfer of personal data to a country that is not a party to the Convention is subject to prior approval of the Commissioner. If that approval is denied, the data cannot be transferred.

As regards requests for transfer of personal data to a foreign country for the purpose of conducting criminal or civil proceedings, all such requests are governed by the rules of the international treaties and bilateral agreements regulating the co-operation of Serbia with foreign countries in criminal and civil law matters.

Big Data Analytics

Current Serbian legislation does not contain provisions that specifically address the question of big data analytics and thus this matter is to be observed in the context of the general rules of the PDPA.

Considering that the purpose of processing needs to be specified, that the amount of data processed needs to be proportionate to that purpose, and the data minimisation principle and the other principles of data processing, it is questionable whether and to what extent big data analytics is permissible under the PDPA.

Automated Decision-Making

Under the PDPA, a decision producing legal consequences for a person, or similarly significantly affecting their position, cannot be based solely on automated processing of data used to assess a specific characteristic of that person, such as their work ability, reliability or creditworthiness, unless the decision is explicitly prescribed by law, is based on the data subject’s explicit consent, or is necessary for entering into or performing a contract between the data subject and the controller, provided that adequate safeguards are in place. In all these cases, the data subject has to be informed of the automated processing and of the decision-making process (Article 38 of the PDPA).

Decisions based on automated processing by public authorities must not be based on special categories of personal data unless the controller has implemented suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests (Article 39 of the PDPA).

Profiling

Under the PDPA, profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The data controller is obliged to inform the data subject if a certain decision is based on profiling and the consequences of that decision, as well as to adhere to the rules of automated decision-making prescribed by the PDPA (Articles 38 and 39 of the PDPA).

Artificial Intelligence, Internet of Things, Autonomous Decision-Making

The PDPA does not specifically address the issues of artificial intelligence, the internet of things or autonomous decision-making.

Facial Recognition, Biometric Data, Geolocation

The PDPA defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data (Article 4 of the PDPA). Biometric data is classified as sensitive data and the PDPA’s rules on processing sensitive data apply to biometric data as well.

The PDPA does not contain provisions regarding facial recognition and geolocation.

The legislation governing some of these matters, such as the Personal Identification Document Act or the ECA, does not address the question of personal data protection, which means that the general rules of the PDPA on the processing of personal and sensitive data apply to these topics as well.

Drones

The PDPA does not address the question of data collection through drones. There is legislation regulating the use of drones that explicitly makes the person controlling a drone responsible for any damage caused by it or for its unlawful use. However, this legislation is silent on the question of data processing through drones, which means that such processing also falls under the general rules on data processing prescribed by the PDPA.

The importance of FAIR (findability, accessibility, interoperability and reusability) data practices is recognised in Serbia, particularly within educational and scientific organisations and institutions, which invest the time and effort to implement and follow FAIR data principles in their activities.

Enforcement of the provisions of the PDPA and sanctions for its violation are described in 2.5 Enforcement and Litigation.

The general rules of the PDPA apply to the process of conducting due diligence in corporate transactions. The major points that should be taken into account, particularly by a target company are:

  • the types of personal data it collects;
  • the internal regulations on data processing and confidentiality;
  • the legal grounds for processing various types of personal data; and
  • the application of one or more measures that would prevent unauthorised access or disclosure of personal data to unauthorised third parties (eg, to a potential buyer or its financial or legal advisors), such as data minimisation (anonymisation and pseudonymisation), access restrictions, restrictions on downloading, printing, sharing and the like.
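The data minimisation step in the last bullet, shown as an added worked example that is not part of the original chapter and is not any firm’s own tooling: a Python script that pseudonymises constructed HR records before they are placed in a due-diligence data room, keeps the re-identification key with the seller, generalises exact salaries and dates, and checks that no direct identifier leaks into the output. The record layout, field names, salary bands, the sample people and the key are all assumptions made for the example.

```python
"""Keyed pseudonymisation of personnel records for a due-diligence data room.

Illustrative code added to this chapter; not the PDPA's, the Commissioner's or
any law firm's tooling. Field names, bands and the key are assumptions.
"""
import hashlib
import hmac
import json

# Constructed sample HR records. The people and JMBG values are fictitious.
SAMPLE_RECORDS = [
    {
        "employee_id": "E-1042",
        "jmbg": "0101985710009",          # Serbian unique citizen number (fake)
        "name": "Ana Petrović",
        "email": "ana.petrovic@example.rs",
        "home_address": "Kralja Milana 12, Beograd",
        "role": "Software Engineer",
        "department": "Engineering",
        "salary_rsd": 245000,
        "start_date": "2019-03-01",
        "health_note": "on sick leave Q2",   # special category: never shared
    },
    {
        "employee_id": "E-1077",
        "jmbg": "1507990720015",
        "name": "Marko Jović",
        "email": "marko.jovic@example.rs",
        "home_address": "Bulevar oslobođenja 5, Novi Sad",
        "role": "Sales Manager",
        "department": "Sales",
        "salary_rsd": 180000,
        "start_date": "2021-11-15",
        "health_note": "",
    },
]

# Values that must never appear in the data-room copy. Fields not copied by
# pseudonymise() are dropped outright; these are re-checked for leakage after
# minimisation as a belt-and-braces control.
DIRECT_IDENTIFIERS = ("employee_id", "jmbg", "name", "email", "home_address")

# Upper bounds (exclusive) and labels for salary generalisation, in RSD.
BANDS = ((100_000, "<100k"), (200_000, "100k-200k"), (300_000, "200k-300k"))


def salary_band(salary_rsd: int) -> str:
    """Generalise an exact salary to a band so individuals cannot be singled out."""
    for upper, label in BANDS:
        if salary_rsd < upper:
            return label
    return ">=300k"


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym.

    HMAC-SHA256 rather than a plain hash: without the key a buyer cannot
    recover the input by hashing candidate employee IDs. The key stays with
    the seller and is not handed over with the data room.
    """
    mac = hmac.new(key, f"{field}={value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Build the minimised record: a stable pseudonymous reference, the
    attributes needed for valuation, and nothing else."""
    return {
        "subject_ref": pseudonym(key, "employee_id", record["employee_id"]),
        "role": record["role"],
        "department": record["department"],
        "salary_band": salary_band(record["salary_rsd"]),
        "start_year": record["start_date"][:4],
    }


def pseudonymise_all(records: list, key: bytes) -> list:
    return [pseudonymise(r, key) for r in records]


def leaked_identifiers(minimised: list, originals: list) -> list:
    """Pre-release check: every direct-identifier value from the source that
    still appears anywhere in the serialised minimised output."""
    blob = json.dumps(minimised, ensure_ascii=False)
    return [
        (field, r[field])
        for r in originals
        for field in DIRECT_IDENTIFIERS
        if r[field] and r[field] in blob
    ]


if __name__ == "__main__":
    # Assumption: the key is generated and stored by the seller, outside the data room.
    key = b"seller-held-secret-key-do-not-share"
    out = pseudonymise_all(SAMPLE_RECORDS, key)
    assert leaked_identifiers(out, SAMPLE_RECORDS) == []
    print(json.dumps(out, indent=2, ensure_ascii=False))
```

Because the pseudonym is keyed and deterministic, the buyer’s advisers can still link the same employee across several exported files (payroll, org chart, litigation list) while the seller alone can map a `subject_ref` back to a person; rotating the key between data rooms for different bidders prevents bidders from cross-linking their copies.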

Apart from the PDPA, the Information Security Act (ISA), the main law in the field of cybersecurity, obliges the operators of ICT systems of special importance, which include the ICT systems of essential services, to notify the Regulatory Agency for Electronic Communications and Postal Services (RATEL), in its role as the national Computer Emergency Response Team (CERT), of incidents and attacks affecting the ICT system that may have a significant impact on information security. An incident has to be reported in writing to RATEL within one day of its occurrence and, if it relates to secret data, the operator is also obliged to follow the rules on data secrecy (Article 11 of the ISA). If the reported incident is of public interest, RATEL may order its public disclosure.

There are no data protection or privacy issues of major importance not already covered in this chapter.

Mikijelj, Janković & Bogdanović

Vlajkoviceva 28
Belgrade
Serbia

+381 11 3231 970

+381 11 3245 065

office@mjb.rs www.mjb.rs

Trends and Developments



Introduction

The Serbian Personal Data Protection Act (PDPA), which follows the solutions prescribed by the GDPR, became applicable in August 2019. In 2021, the Commissioner for Information of Public Importance and Personal Data Protection (the Commissioner) focused on educating state bodies, companies and citizens and on raising awareness of the significance of personal data protection and the proper implementation of the PDPA. The process of harmonising other laws relating to the processing of personal data has not yet been completed. Further legislative activity is required to address areas of data processing that remain unregulated under the current regime, such as the processing of biometric data, video surveillance and the use of artificial intelligence for data processing.

The Strategy for the Development of Artificial Intelligence in the Republic of Serbia for the period until 2025 has been adopted, while a new Strategy for the Protection of Personal Data for 2022 and 2023 is currently being prepared. The Commissioner has also announced that the PDPA should be amended to address certain ambiguities that became evident during the first couple of years of its application. Questions put before the Commissioner are still driven by the ongoing pandemic, particularly in the area of employment law, where one of the main topics remains employers’ supervision of employees working from home.

The general impression is that businesses, as well as state bodies, are still adjusting their activities to the regulatory requirements of the PDPA. The Commissioner’s annual report, published in January 2022, provides further guidance on the application and implementation of the PDPA.

The Strategy for the Development of Artificial Intelligence in the Republic of Serbia up to 2025

The Strategy for the Development of Artificial Intelligence in the Republic of Serbia for the period until 2025 is in line with the European Artificial Intelligence Initiative. The general objective of the strategy is the use of artificial intelligence to produce economic growth, employment and improvement in quality of life.

Special objectives of the strategy are:

  • development of education geared to the needs of a modern society and economy conditioned by the advance of artificial intelligence;
  • development of science and innovation in the field of artificial intelligence and its implementation;
  • development of the economy based on artificial intelligence (where this is a key competence and where it is used in different industrial sectors);
  • improvement of the efficiency of public administration and public sector services through the implementation of artificial intelligence; and
  • ethical and safe application of artificial intelligence.

The Strategy also provides an extensive list of measures to be implemented in order to achieve these goals.

Employer Monitoring of Employees’ Working from Home: Privacy Invasion and Monitoring Practices

The Commissioner’s annual report reveals that the Commissioner has faced numerous requests for a prior opinion on data processing in cases where a data protection impact assessment indicated that the processing would result in a high risk to the rights and freedoms of natural persons. The majority of these requests relate to employers wishing to monitor employees working from home. There have, however, also been requests relating to close monitoring of employees’ location within the employer’s business premises and of their communication at the workplace through identity cards that would let the employer track employees’ movements and thereby infer which employees communicate with each other.

Working from home, which has become the norm for many over the last couple of years, has triggered a search for new forms of employee supervision by employers, which in many cases could seriously violate employees’ privacy. Remote access to employees’ computer screens, recording of employees’ screens, and comparing an employee’s IP address with their home address in order to establish their exact location are examples of employers’ attempts to strengthen their supervisory powers, with far-reaching consequences for employees’ privacy.

Prior to undertaking such monitoring activities, employers are required to carry out a data protection impact assessment which, in accordance with Article 54 of the PDPA, has to contain at least:

  • a comprehensive description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • a description of measures envisaged to address those risks, including security mechanisms and technical, organisational and personnel-related measures to ensure the protection of personal data, and to demonstrate compliance with the PDPA taking into account the rights and legitimate interests of data subjects and other persons concerned.

Additionally, Article 55 of the PDPA provides that when the results of data protection impact assessment indicate that processing would result in a high risk to data protection and privacy in the absence of measures taken by the controller to mitigate the risk, the controller should – prior to processing – request an opinion of the Commissioner.

In all these cases the Commissioner took the position that the proposed processing infringes the PDPA and that controllers usually fail to properly identify and/or mitigate the risks of such processing. It was also noted that many controllers fail to distinguish between the purpose of processing and the means of processing (eg, requests frequently stated that the purpose of processing was the implementation of software, whereas the software is merely the tool for processing), and fail to identify the risks attached to each particular processing purpose when data is processed for two or more purposes.

The Commissioner’s position in all these cases was that the stated purpose of processing, which in the majority of cases was defined as monitoring of employees, could be achieved through methods less invasive of employees’ privacy.

Balancing Freedom of Information and the Right to Be Forgotten

In 2021, the Commissioner also decided on two complaints filed in relation to the exercise of the right to be forgotten.

The first case involved an applicant who requested that Google erase the URL link to a media web page containing a news article in which the applicant was mentioned. The applicant had also initiated court proceedings against the media outlet, requesting removal of the article from the web page on the grounds that it disseminated false and defamatory information.

The Commissioner rejected the applicant’s complaint stating that in the specific case the right to freedom of expression and access to information prevailed over the applicant’s right to be forgotten.

In the second case, an applicant filed a complaint against the owner of a YouTube channel on which links to the applicant’s TV appearances were available to the public. The applicant requested removal of the links, stating that the media outlets that hold the copyright in the videos of those TV appearances had themselves deleted the videos from their own YouTube channels. The Commissioner upheld the applicant’s complaint, finding that there was no reason for the videos to remain publicly available via the YouTube channel, given that the events to which they related had occurred several years earlier and were no longer a topic of public interest.

When deciding these cases, the Commissioner followed the approach adopted by the European Court of Justice in the Costeja case, as well as the guidelines of the former Article 29 Working Party and European Data Protection Board (EDPB) Guidelines 5/2019. The rulings of the Commissioner in these cases are an important indicator of the Commissioner’s intention to assure that interpretation and application of the right to be forgotten under the PDPA follows the interpretation adopted by the CJEU and EU data protection authorities.

The Commissioner first noted that these types of cases related to three fundamental constitutional guarantees: protection of personal data, freedom of media and right to information, emphasising that each specific case required careful balancing of these rights.

The Commissioner further listed the following questions that should be taken into account when deciding whether to grant a request for erasure of data.

  • Does the data subject play a role in public life?
  • Is the data subject a public figure?
  • Does the data relate to the private or working life of the data subject?
  • Does the search result link to information which allegedly constitutes hate speech/slander/libel or similar offences against the data subject?
  • Is the data accurate?
  • Does the data relate to a relatively minor criminal offence, considering the time when such offence occurred and whether the data have a disproportionately negative impact on the data subject?

The Commissioner then weighed the data subjects’ right to protection of personal data against the freedom of the media and the right to information based on the following criteria:

  • whether the data subjects were public figures;
  • whether the data related to the private or working life of the data subjects;
  • whether the data subjects were minors;
  • whether the data was accurate; and
  • whether the original content was published for journalistic purposes.

The Commissioner concluded that, in both cases, the data subjects were public figures, the published information related to their professional lives and the original content was published as news. In the first case, the Commissioner also found no evidence of harm suffered by the data subject, taking into consideration that the court proceedings initiated against the media outlet for dissemination of false and defamatory information were still pending, and concluded that it had not been proven that the published data was incorrect. In the second case, however, given the different factual setting, the Commissioner weighed in favour of the right to be forgotten.
