



Understand Serbia's Law on Protection of Personal Data (LPDP) and its impact on your business. Learn how to comply with Serbian data protection regulations and safeguard personal data.
As a business owner operating in Serbia, you need to be aware of the key legislation governing personal data protection. The primary law you need to be familiar with is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018), often referred to as "LPDP." The law was developed from a draft published by the Ministry of Justice in November 2017 and has applied since August 21, 2019. The LPDP largely mirrors the General Data Protection Regulation (GDPR), providing a foundation for improving data protection in Serbia.
Beyond the LPDP itself, you should also be aware of the various by-laws that complement it and regulate the practical details of how the law is applied.
While the LPDP and its associated regulations provide a framework for data protection in Serbia, it's important to recognize that concerns about its completeness and effectiveness have been raised. As a business owner, it's crucial to familiarize yourself with these laws, ensure your practices are compliant, and implement robust data protection measures to safeguard personal data and maintain consumer trust.
By understanding and adhering to the key provisions outlined in the legislation, you can effectively navigate the complexities of data protection in Serbia, mitigate the risks of non-compliance, and demonstrate a commitment to respecting individuals' privacy rights.
The Law on Protection of Personal Data applies to you in several ways. It covers both automated and non-automated processing of personal data, as long as the data is part of a filing system or intended to be part of one.
Even if your business is not based in Serbia, the LPDP applies if you offer goods or services to individuals residing in Serbia or if you monitor their behavior within Serbia.
The LPDP protects any data that can be used to identify a specific individual, including names, phone numbers, addresses, and email addresses. It does not apply to data that cannot be used to identify an individual, or to personal data processed by individuals for purely personal or household activities.
As a business owner in Serbia, you need to understand the different types of personal data covered by the Law on Protection of Personal Data.
Personal data includes any information that can be used to identify a specific individual, such as names, identification numbers, location data, and online identifiers.
Sensitive data is a special category that requires even more stringent protection and includes information about a person's race or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation.
It's important to understand your role in relation to personal data under the Law on Protection of Personal Data.
As a business owner, you are responsible for ensuring that all personal data you process is handled lawfully, fairly, and transparently. This means you need to have a legal basis for collecting and using data, provide clear information to individuals about how their data is used, and obtain consent when necessary. You must also limit the data you collect to what is necessary for specific, legitimate purposes and keep it accurate and secure.
If you work with other companies to process personal data, like cloud service providers or marketing agencies, they are considered data processors. You must ensure they comply with the law and have appropriate contracts in place.
As a business owner in Serbia, you can process personal data on the basis of the individual's consent. Consent must be freely given, specific, informed and unambiguous, and it can be expressed through a statement or a clear affirmative action, such as checking a box on a website or signing a form. Silence, inactivity or a pre-ticked box does not count as consent, and the individual can withdraw consent at any time.
Yes, having a privacy policy is highly recommended for businesses operating in Serbia.
The LPDP is heavily influenced by the GDPR and requires you to inform individuals clearly about how their personal data is used. A privacy policy is the standard way to meet that transparency obligation and is therefore a crucial component of compliance.
The LPDP grants individuals several rights over their personal data. These rights largely mirror those found in the GDPR, demonstrating the significant influence of the EU's data protection framework on Serbian legislation.
Sending customer data to other countries can be tricky. The LPDP permits such transfers only on one of two legal bases, so you must establish which one applies before the data leaves Serbia.
Outsourcing Matters
When you hire another company to handle your customer data (like a cloud service provider), they become a "data processor." You're still responsible for making sure they protect your customers' information.
If you experience a data breach, time is of the essence. You must report the incident to the Poverenik (the Serbian data protection authority) without undue delay and, where feasible, within 72 hours of becoming aware of it. You must also inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
To comply, your notification must describe the breach, including what kind of information was compromised, the likely consequences, and the steps you are taking to address the situation. You should also keep an internal record of every breach, including those you decide not to report, so that the Poverenik can verify your handling of it.
Yes, you likely need to conduct a Data Protection Impact Assessment (DPIA) if your planned processing is likely to result in a high risk to individuals. Here's what you need to know:
You must conduct a DPIA before starting any processing that is likely to pose a high risk to individuals' rights and freedoms, particularly where new technologies are involved.
Your DPIA should describe the planned processing and its purposes, assess whether the processing is necessary and proportionate, evaluate the risks to individuals, and set out the measures you will take to address those risks.
If your DPIA shows that a high risk remains even after those measures, you must consult the Poverenik before starting the processing. The Poverenik has up to 60 days to respond, so plan ahead.
Failing to conduct a DPIA when required can lead to significant fines. It's essential to take data protection seriously and follow the requirements of the LPDP.
As a business owner in Serbia, you may need to appoint a Data Protection Officer (DPO) depending on the nature of your business and the data you process.
You are required to appoint a Data Protection Officer if your business is a public authority or body, if your core business activities involve regularly monitoring individuals, or if you process large amounts of sensitive data, such as health data or criminal records.
Your DPO must possess professional qualities, including expert knowledge of data protection law and practices, and the ability to fulfill the required tasks. They can be employed by your company or work under a contract.
The DPO advises you and your employees on your data protection obligations, monitors your company's compliance with data protection laws and regulations, advises on and monitors the Data Protection Impact Assessment (DPIA) process for high-risk processing activities, and acts as the contact point for the Poverenik (Commissioner for Information of Public Importance and Protection of Personal Data) on matters relating to your data processing.
You must provide the DPO with the necessary resources, access to data and processing activities, and opportunities for professional development, while also ensuring their independence in carrying out their duties.
The DPO must be accessible to both you and data subjects. Data subjects can contact the DPO with any questions or concerns about their personal data.
You can face fines of up to RSD 2 million (approximately EUR 17,000) if you fail to appoint a DPO when required or fail to fulfill your obligations towards the DPO.
In Serbia, the Poverenik (Commissioner for Information of Public Importance and Protection of Personal Data) has the authority to impose fines on businesses that violate the law.
If the Poverenik finds that your business has committed a misdemeanor related to data protection, they can issue a misdemeanor order and impose a fine. The maximum fine is RSD 2 million, approximately EUR 17,000.
By using Secure Privacy's consent management platform, you can easily align with the requirements of the LPDP. Our solution is designed to handle various data protection laws globally, ensuring that your website or business operations meet the necessary standards.
Schedule a call with us today!