The Constitution of the Republic of Serbia contains several provisions relating to the protection of privacy, including the confidentiality of letters and other means of communication (Article 41 of the Constitution) and the protection of personal data (Article 42 of the Constitution).
Under the Constitution, the confidentiality of letters and other means of communication may only be derogated from for a specified period of time and on the basis of a court decision for the purpose of conducting criminal proceedings or protecting the safety of Serbia, in a manner stipulated by the law (Article 41 of the Constitution).
The Constitutional guarantee of protection of personal data (Article 42 of the Constitution) provides that use of personal data for any purpose other than that for which it was collected is prohibited and punishable in accordance with the law, unless it is necessary to conduct criminal proceedings or protect the safety of Serbia, in a manner stipulated by the law.
The Constitution also guarantees that everyone shall have the right to be informed of the collection of personal data relating to them, in accordance with the law, as well as the right to court protection in the case of abuse of their personal data.
The Personal Data Protection Act
In August 2019, application of the new Personal Data Protection Act (PDPA) came into effect. The solutions provided by the PDPA are in line with the GDPR.
The PDPA defines personal data, the different types of personal data and the manner of their collection, processing and transfer outside of the territory of Serbia.
Provisions that are of relevance to the protection of personal data may also be found in the Electronic Communications Act (ECA), as well as in sector-specific legislation, such as the Act on Health Documents and Records, the Act on Records and Data Processing in Interior Affairs and the National DNA Registry Act.
Under Serbian legislation, the main regulator in the area of data protection is the Commissioner for Information of Public Importance and Protection of Personal Data (“the Commissioner”), whose prerogatives are defined by the PDPA. Under the PDPA, the Commissioner is a supervisory body that:
The Commissioner also:
Data Protection Commissioner Powers
The Commissioner is vested with a set of investigative powers, corrective powers and advisory powers that are identical to the powers of the supervisory body prescribed by the GDPR. The Commissioner is authorised, inter alia, to:
Under the PDPA, the Commissioner is authorised to exercise its powers in accordance with the Administrative Procedure Act and Inspection Act (Article 77 of the PDPA) as well as to initiate proceedings before the courts and other competent bodies in accordance with the law (Article 79 of the PDPA).
The Commissioner is obliged to act upon the complaints of a data subject and initiate the inspection procedure, as well as to inform the data subject about the outcome of the inspection and their right to initiate administrative court proceedings against the decision of the Commissioner. If the data subject is not satisfied with the decision of the Commissioner, or if the Commissioner fails to act upon the complaint within 60 days from its receipt, the data subject is authorised to initiate court proceedings against the Commissioner in accordance with the Administrative Court Proceedings Act (Articles 82 and 83 of the PDPA).
According to the Constitution of Serbia, ratified international treaties and generally accepted rules of international law are part of the legal system of Serbia, and laws and other general acts enacted in Serbia have to comply with ratified international treaties and generally accepted rules of international law (Article 194 of the Constitution).
In the context of personal data protection, Serbia has ratified the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol regarding Supervisory Authorities and Transborder Data Flows (ETS No 108, Strasbourg, 28 January 1981) (the "Convention"). The Convention serves as a legal ground for transfer of data from Serbia to the UK after Brexit, since the UK is party to it and signatories of the Convention are considered to be countries that ensure an adequate level of data protection.
Serbia is also a signatory to various international agreements that contain provisions that could be relevant for accessing or obtaining data processed in the territory of Serbia, mostly in the context of international co-operation in civil and criminal matters.
Because Serbia is in the process of accession to the EU, much Serbian legislation focuses on the implementation of the standards and provisions provided by EU legislation.
Moreover, the PDPA contains solutions provided by the GDPR and the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the Police Directive).
There are multiple NGOs that address issues around personal data protection in Serbia, particularly those that focus on issues relating to the protection of human rights and privacy. The SHARE foundation is an NGO worth mentioning in the context of privacy and protection of personal data, since the main goal of its activities concerns privacy protection in the online environment.
Serbian legislation regarding the protection of personal data could be described as developing towards the model set by EU legislation.
The current PDPA contains provisions that are almost identical to those of the GDPR and by-laws enacted by the Commissioner are also modelled on EU legislation.
The PDPA harmonises Serbian legislation with the solutions contained in the GDPR. In addition, by-laws that were necessary for the proper application of the PDPA have been enacted, among which are:
The Commissioner has announced that, because of the CJEU՚s decision in Schrems II, data cannot be transferred to the USA on the grounds of the decision on the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection, which lists the USA (limited to the Privacy Shield framework) as a country which is considered to ensure the adequate level of personal data protection. The Commissioner also noted that the legislative authorities should amend this decision in order to reflect the conclusion of the Schrems II decision.
Since the new PDPA has only been in application for two years, the focus is still on assisting legal entities in Serbia to adjust to the new regime for the processing of personal data. The Commissioner has focused primarily on monitoring the implementation of the provisions of the PDPA and on providing further guidelines in relation to the proper implementation of the PDPA. Questions related to the COVID-19 pandemic remain a significant topic of discussion.
The PDPA is the main legislation relating to personal data protection.
Under the PDPA, personal data is any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 of the PDPA).
Personal Data Processing
Personal data must be processed in accordance with the same principles that are provided by the GDPR – ie, processing must be lawful, fair and transparent, limited in accordance with the purpose of the processing, accurate and conducted in a manner that ensures confidentiality and integrity of the processed data (Article 5 of the PDPA).
Under the PDPA, processing is lawful if:
The Commissioner has provided several opinions on how to assess the legitimate interest emphasising that this legal ground for data processing can be used only if data processing is necessary, and only if the fundamental rights and freedoms of the data subject do not override the controller’s interests.
Processing on the grounds of legitimate interests does not apply to processing carried out by public authorities in the performance of their tasks (Article 12 of the PDPA).
Privacy by Design/Default
The PDPA adopts both the privacy by design and the privacy by default concepts introduced by the GDPR and obliges the controller to, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles in an effective manner, as well as to integrate the necessary safeguards into the processing and protect the rights of data subjects. The controller is also obliged to implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed. The data must be adequately protected from abuse, destruction, loss, unauthorised alterations or access, modification and publication; in addition, controllers and processors are obliged to take all necessary technical and organisational measures, as well as measures relating to the duty of confidentiality of persons who are processing or have access to the processed data (Articles 42 and 50 of the PDPA).
Data Protection Officers
The PDPA also contains provisions relating to the designation of a data protection officer, whom the data controller and data processor are obliged to designate if:
Data Protection Impact Assessments
The data controller is also obliged to perform a data protection impact assessment in cases where any of the following occur:
Cross-Border Transfer of Data
Under the PDPA, the data controller may introduce binding corporate rules that are adhered to by a controller or processor established in the territory of the Republic of Serbia for the purpose of a transfer, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. If the Data Protection Commissioner approves the binding corporate rules, it is considered that a controller has provided adequate safeguards and that data may be transferred outside of the territory of the Republic of Serbia (Article 67 of the PDPA).
Data Subject Rights
As regards the rights of the data subject, the PDPA entitles a person:
Finally, under the PDPA, the data subject may seek compensation for pecuniary and non-pecuniary damages suffered due to the unlawful processing of their personal data (Article 86 of the PDPA). However, under the general rules, a party seeking damages would have to prove a causal link between the unlawful data processing and the harm caused to it – ie, the burden of proof lies on the plaintiff, in this case a person who claims damages due to the unlawful processing of their personal data.
Under the PDPA, sensitive data is defined as data relating to ethnicity, race, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of sensitive data is prohibited except if:
The processing of sensitive data by public authorities is exceptionally allowed if the public authority in question is authorised to process such data by law, if processing is carried out for the purpose of protecting the vital interests of a data subject or other natural person, or if such data is obviously made available to the public by a data subject (Article 18 of the PDPA).
The PDPA does not contain a special provision that relates to financial data. However, under the Bank Act (BA), data relating to personal data, financial conditions and transactions, ownership or business relations of the clients of a bank or another bank; data on balances and flows on individual deposit accounts; and other data obtained by a bank from its clients is considered a bank secret (Article 46 of the BA).
In addition, banks, their executives, shareholders and employees, as well as external auditors and other persons who, due to the nature of their activities, have access to data that is considered a bank secret, may not disclose that data to third parties, use it against the interests of the bank and its clients, or enable third parties to access it. This duty of keeping confidential data that is classified as a bank secret lasts even after termination of a relationship based on a particular person having access to the data covered by the bank secret. Client data that represents a bank secret may be disclosed to third parties only with the client’s written approval (Article 47 of the BA).
Moreover, the National Bank of Serbia, courts and other bodies vested with public authority (as well as their employees) may use data that is considered a bank secret solely for the purpose for which that data was obtained and may not disclose it to third parties or enable third parties to learn and use it, except in cases envisaged by law (Article 49 of the BA).
Under the PDPA, health data is personal data related to the physical or mental health of a natural person, including the provision of healthcare services that reveals information about their health status. Health data is considered to be a type of sensitive data, and thus the PDPA rules regarding the processing of sensitive data apply. In addition, under the Health Protection Act (HPA), medical records are confidential and medical institutions, as well as individuals working therein, are obliged not to disclose them (Article 54 of the HPA).
The PDPA does not directly address the question of communication data, so the general rules on data processing provided by the PDPA are applicable to all communication data.
Provisions relevant to the protection of communication data – including voice telephony, text messaging and the content of electronic communications – are contained in the ECA, which prohibits network operators and service providers from retaining the content of customer communications (Article 129 of the ECA). However, they are obliged to enable lawful interception of communication under the conditions set out by the law, which are explained in 3. Law Enforcement and National Security Access and Surveillance.
As regards metadata, the ECA obliges network operators and service providers to retain for a period of 12 months data:
They are also obliged to disclose retained metadata to the police, the State Prosecutor, the Security Information Agency or the Military Security Agency, dependent on one of these bodies obtaining a court decision allowing them such access for a limited period of time and for the purpose of conducting criminal proceedings or national security (Articles 128 and 129 of the ECA).
There is also an exception to this rule by which the security agencies and police may, exceptionally, in emergency situations and only temporarily, access the communication data without a court decision, such as in cases of domestic or international terrorism (see for example Article 60 of the Police Act (PA)).
However, in practice, the telecommunication companies have reported a significant number of instances of access to their systems by the security agencies and the police without prior presentation of a court decision, which raises the question of abuse of their prerogatives to intercept communications or to obtain the retained metadata without a court order only in exceptional circumstances.
Generally, consent for data processing is valid if it is given by a person 18 years of age or older.
The PDPA recognises exceptions to this rule in relation to consent concerning information society services. Under the PDPA, 15-year-old persons are able to give consent in relation to information society services. On behalf of persons younger than 15, consent is given by their parents or other personal representative of a minor (Article 16 of the PDPA).
Internet, Streaming and Video Issues
Serbian legislation does not have special rules governing the application of cookies, beacons, the use of tracking technologies or behavioural advertising so the general rules of the PDPA apply to these topics as well.
The PDPA does not contain special provisions regarding online marketing. However, it does regulate processing for direct marketing purposes and entitles the data subject to object at any time to the processing of personal data concerning them for such marketing, which also includes profiling (Article 37 of the PDPA). Regarding other aspects of online marketing, general rules on data processing apply.
The Advertising Act (AA) also contains a provision that allows direct advertising only upon obtaining prior consent from a person to whom the advertising is sent (Articles 62 and 63 of the AA). Behavioural advertising and targeted advertising are not regulated explicitly by Serbian law.
The ECA also contains provisions that prohibit unsolicited commercial and marketing communications without the prior consent of the recipient of such communication (Articles 118-119 of the ECA).
Under the PDPA, processing of employees’ personal data is carried out in accordance with the provisions of employment law and collective agreements based on the principles set out by the PDPA. The PDPA also recognises that employment regulations and collective agreements may contain provisions related to the protection of personal data of employees, in which case they also need to specify suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights (Article 91 of the PDPA).
Under the Employment Act of the Republic of Serbia, employers are allowed to collect data regarding their employees where this is prescribed by that Law and other laws related to employment matters. The Employment Act also authorises employers to monitor the work of their employees, a provision that is frequently used in practice as a ground for accessing employees’ computers and email communications. In this respect, the Commissioner has taken the position that such access is allowed if the computer and email account were provided by the employer for the purpose of work performance and if it does not invade the employees’ privacy. If an employee is using a private email account or private computer, the employer may access the data contained therein only in the presence of that employee, who will then be able to prevent the employer’s access to private communication and files. In a recent ruling the Commissioner took the position that an employer must not continue to use its former employee’s email account upon termination of employment, as it contains the employee’s name: a piece of personal data whose processing is no longer justifiable, legal and necessary.
As stated in 1.3 Administration and Enforcement Process and 2.1 Omnibus Laws and General Requirements, the enforcement of personal data protection is the remit of the Commissioner, which is authorised to investigate whether data processing is lawful, including the right to request access to the premises of the data controller and means of data processing, as well as to order rectification of identified irregularities in data processing within a specified period of time, or to render a temporary ban on any processing carried out contrary to the provisions of the PDPA (Article 79 of the PDPA).
Data processing contrary to the provisions of the PDPA represents a misdemeanour punishable with a fine between RSD50,000 and RSD2 million for a legal entity, RSD20,000 and RSD500,000 for an entrepreneur, and RSD5,000 and RSD150,000 for both a natural person and the responsible person in a legal entity (Article 95 of the PDPA).
The Serbian Criminal Code (CC) also recognises the criminal offence of unauthorised processing of personal data, which is punishable with a fine or imprisonment, depending on the particularities of the specific case (Article 146 of the CC).
The data subject is also authorised to initiate court proceedings against the data controller and data processor if the data is processed unlawfully, as well as to request compensation for material or non-material damage suffered as a result of an infringement of the PDPA (Articles 84–86 of the PDPA). However, the burden of proof for the damages suffered from unlawful data processing lies on the plaintiff – ie, on the person to whom the unlawfully processed data relates. Class actions are not allowed in the Serbian legal system.
The data subject’s rights provided by the PDPA may be limited as long as those limitations do not infringe basic human rights and freedoms and if they are necessary and proportionate in a democratic society for the purposes of protecting, inter alia, national security, defence, public safety, judicial independence, other vital public interests and particularly important financial interests of the Republic of Serbia, as well as for the prevention and investigation of criminal acts and offenders (Article 40 of the PDPA). This provision has been criticised as too broad and prone to misuse by public authorities.
The relevant provisions for data processing by the public authorities can be found in the Criminal Procedure Code (CPC), the ECA and laws relating to the powers of the police force, secret service agency and military security agencies.
Criminal Procedure Code
The CPC authorises the State Prosecutor to conduct activities, for the purpose of prosecution of persons suspected of committing a criminal offence, which encompass the collection of personal data.
The CPC also contains provisions relating to so-called special investigation measures, among which are interception and surveillance of electronic communications, computer searches of processed personal and other data, and the collection of communication data (including metadata). These measures may be employed, as special investigation measures, in the pre-formal and formal investigation stages of criminal proceedings, and ordered against a person suspected of committing or preparing a war crime, organised crime, cybercrime or one of various listed serious crimes (stated in Article 162 of the CPC), if evidence of that crime cannot be collected in any other way, or if gathering evidence by regular investigation measures would cause significant difficulties (Article 161 of the CPC).
The order for interception is issued by the competent criminal court. The interception may be performed by the police, the Security Information Agency or the Military Security Agency (Article 168 of the CPC). If, during the interception, the relevant government agency obtains information indicating that a person uses another phone number or address, the interception may be extended to include that phone number or address by a decision of the director of that government agency, who will also notify the State Prosecutor. The State Prosecutor subsequently files the request for extension with the competent criminal court, which will render a new decision approving the extension or order the destruction of the materials collected (Article 169 of the CPC).
Under the Police Act, the police are authorised to intercept electronic communications if that interception is necessary to arrest or apprehend a person under reasonable suspicion of having committed an offence punishable with imprisonment of four or more years and for whom an international arrest warrant is issued, if the police cannot apprehend such a person by other means or when other means would involve disproportionate difficulties. The request for interception is submitted by the director of the police and approved by the president of the Supreme Court of Cassation or, in the absence of the president of the Supreme Court of Cassation, by a judge of the Supreme Court of Cassation authorised to rule on such a request.
In circumstances in which waiting for the Court’s approval might jeopardise a police investigation, the interception may be ordered by a decision of the director of the police, with prior written approval of the president of the Supreme Court of Cassation or the authorised judge of that Court. In such cases, the director of the police is obliged to submit to the Court a written request for continued interception within 24 hours from obtaining prior approval. The Court will decide on the continuation or suspension of the interception within 72 hours of receipt of the request (Article 60 of the PA).
Similar provisions are also contained in the Security Information Agency Act and the Military Intelligence Agency Act.
Electronic Communication Act
Articles 37 and 127 of the ECA provide that network operators and service providers have an obligation to enable the lawful interception of electronic communications. Interceptions of electronic communications that reveal the content of a communication are allowed only for a limited period of time and on the basis of a court decision, if such interception is necessary to conduct criminal proceedings or for the protection of national security (Article 126, paragraph 1 of the ECA). The interception of electronic communications must be authorised by a decision of the competent court, which will specify the government agency designated to conduct the interception. Under Article 129 of the ECA, network operators and service providers must not retain the content of customer communications. Since, however, Article 128, paragraph 2 of the ECA allows the interception of electronic communications on the basis of a court decision, if that court decision contains an order for the retention of the content of electronic communications then network operators and service providers would be obliged to act upon it.
According to Article 128, paragraph 2 of the ECA, network operators and service providers are obliged to disclose retained metadata to government agencies (the police, the State Prosecutor, the Security Information Agency and the Military Security Agency) that obtain a court decision allowing them such access for a limited period of time and for the purpose of conducting criminal proceedings or national security.
According to Article 128, paragraph 6, and Article 129 of the ECA, network operators and service providers are obliged to retain for a period of 12 months data:
Article 27, paragraph 3 of the ECA prevents network operators and service providers from publishing records of requests for interception or access to metadata that provides information on the identity of the persons conducting the interception or who gained access to the metadata, the identity of the people whose communications were intercepted or whose metadata was accessed, the purpose of the interception or access, or the time and place of the interception or access.
According to the Defence Act (DA), in a state of emergency or a state of war, legal entities in the postal-telegraph-telephone sector and other carriers of telecommunications systems must prioritise the delivery of their services as specified by the Ministry of Defence (Article 73, paragraph 1 of the DA).
Article 202 of the Constitution allows for the introduction of measures that would provide derogation from the general protection given to confidentiality of letters and other means of communication and protection of personal data (under Article 41 of the Constitution) in a state of emergency or war. Government agencies may, on the basis of such measures, require access to a network operator’s or service provider’s customer communications data and/or network, without adhering to the procedure prescribed for obtaining this data in regular circumstances (described in 3.1 Laws and Standards for Access to Data for Serious Crimes); that is, without presenting a court decision authorising the interception of electronic communications or access to the retained data.
Measures providing for derogation from Article 41 of the Constitution are adopted by the National Assembly or, if the National Assembly is not in a position to convene, by government decree with the President of the Republic as a co-signatory in the case of a national emergency (Article 200, paragraph 6 of the Constitution) or by the President of the Republic, together with the President of the National Assembly and the Prime Minister in the case of a state of war (Article 201, paragraph 4 of the Constitution).
Measures providing for derogation from Article 41 of the Constitution in a state of emergency are effective for a maximum of 90 days, with the possibility of extension under the same terms. Measures providing for derogation from Article 41 of the Constitution in a state of war may continue as long as necessary, as decided by the National Assembly or the government if the National Assembly is not in a position to convene.
Under the PA, in emergencies, the disclosure of metadata relating to electronic communications may be ordered by a decision of the director of the police, with the prior written approval of the president of the Cassation Court or, in the absence of the president of the Cassation Court, by an authorised judge of the Cassation Court, in which case the director of the police is obliged to submit a written request to the court allowing continued collection of that metadata within 24 hours of obtaining prior approval (Article 60).
Under the Military Security Agency and Military Intelligence Agency Act (MSA), in emergencies, and particularly in cases of domestic and international terrorism, the secret collection of data may be ordered by a decision of the director of the Military Security Agency, with the interim prior approval of a judge of the Court of Cassation. The decision will subsequently be assessed in more detail and the judge will grant a continuation of the measure or terminate the measure within 24 hours of its commencement (Article 15 of the MSA).
A foreign government request for access to personal data is not recognised as a separate ground for collection and processing of data. Such a request is governed by the multilateral and bilateral conventions on co-operation in criminal matters signed by the Republic of Serbia. Serbia does not participate in a Cloud Act agreement with the USA.
The key privacy issue in this area is control over the law enforcement agencies’ access to personal data for the purpose of preventing the abuse of powers conferred to them by the law. As stated in 2.2 Sectoral and Special Issues, the telecommunications companies have reported a significant number of instances of access to their systems by the security agencies and the police without prior presentation of a court decision, particularly in relation to the collection of metadata. This topic has also been addressed by the Commissioner and the ombudsman.
Under the PDPA, international transfers of data to a country, a territory or one or more specified sectors within that country, or an international organisation that ensures an adequate level of protection does not require any prior authorisation (Articles 63 and 64 of the PDPA).
Transfer of data to a country, a territory or one or more specified sectors within that country, or an international organisation that does not ensure an adequate level of protection is also possible if the data controller and data processors provide the appropriate safeguards to ensure an adequate level of protection (Article 65 of the PDPA).
The Serbian government has rendered the decision on the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection, which specifies the countries to which transfer of data is free.
Nonetheless, each international transfer of data has to be lawful – ie, it must be based on one of the legal grounds mentioned in 2.1 Omnibus Laws and General Requirements.
Transfers to Countries/Institutions Regarded as Ensuring Adequate Protection
Transfer of data to a country, a territory of, or one or more specified sectors within, that country, or an international organisation that ensures an adequate level of protection does not require any prior authorisation.
It is assumed that an adequate level of protection exists in:
Furthermore, under the PDPA, the transfer of personal data is also allowed to a country, a territory of, or one or more specified sectors within, that country, or an international organisation that do not have an adequate level of protection if the controller or processor provides appropriate safeguards, and if enforceable data subject rights and effective legal remedies for data subjects are available in that country, a territory of, or one or more specified sectors within, that country, or the relevant international organisation.
The appropriate safeguards may be provided by a controller without requiring any specific authorisation from the Data Protection Commissioner by:
The appropriate safeguards may also be provided through contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, or through provisions inserted into administrative arrangements between public authorities or bodies that include enforceable and effective data subject rights, but only with the specific authorisation of the Commissioner, which is obliged to give such an authorisation within 60 days from the day of receipt of the request for authorisation (Article 65 of the PDPA).
Under the PDPA, prior approval of the Data Protection Commissioner may be required if data is to be transferred to a country that does not ensure an adequate level of protection (Article 65 of the PDPA). For more details see 4.2 Mechanisms or Derogations that Apply to International Data Transfers.
Under the current Serbian legislation, there is no requirement for data localisation. However, each instance of data processing, including the transfer of data, has to be made on one of the grounds for data processing stipulated by the PDPA and must ensure adequate levels of data protection (Articles 12 and 65 of the PDPA).
The current Serbian legislation does not impose an obligation to share technical details such as a software code or algorithms with the government.
The PDPA provides that any judgment of a court or tribunal, and any decision of an administrative authority of a third country, requiring a controller or processor to disclose or transfer personal data may only be recognised or enforceable in the Republic of Serbia on the grounds of an international agreement, such as a mutual legal assistance treaty (Article 68 of the PDPA).
Therefore, this matter is covered by multilateral and bilateral international conventions to which Serbia is party, and which provide for procedures for exchange of information between Serbia and a foreign country.
As stated in 4.2 Mechanisms or Derogations that Apply to International Data Transfers, the transfer of personal data to a country that is not a party to the Convention is subject to prior approval of the Commissioner. If that approval is denied, the data cannot be transferred.
As regards requests for transfer of personal data to a foreign country for the purpose of conducting criminal or civil proceedings, all such requests are governed by the rules of the international treaties and bilateral agreements regulating the co-operation of Serbia with foreign countries in criminal and civil law matters.
Big Data Analytics
Current Serbian legislation does not contain provisions that specifically address the question of big data analytics and thus this matter is to be observed in the context of the general rules of the PDPA.
Considering that processing needs to be specified, that the amount of processed data needs to be proportionate to the purpose of its processing, the data minimisation principle, as well as other principles of data processing, it is questionable whether and to what extent big data analytics is permissible under the PDPA.
Under the PDPA, any decision producing legal consequences for a person or compromising their position cannot be based solely on data processed automatically and used in the assessment of some specific characteristic of that person’s work ability, reliability, creditworthiness, etc, unless it is explicitly prescribed by the law, is based on the data subject’s explicit consent, or is necessary for entering into – or the performance of – a contract between the data subject and a data controller, provided that adequate safeguards are put in place. In all these cases, the data subject has to be informed of the automated data-processing and the decision-making process (Article 38 of the PDPA).
Decisions based on data processed automatically by the public authorities must not be based on special categories of personal data unless the data controller implements suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests (Article 39 of the PDPA).
Under the PDPA, profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The data controller is obliged to inform the data subject if a certain decision is based on profiling and the consequences of that decision, as well as to adhere to the rules of automated decision-making prescribed by the PDPA (Articles 38 and 39 of the PDPA).
Artificial Intelligence, Internet of Things and Autonomous Decision-Making
The PDPA does not specifically address the issues of artificial intelligence, the internet of things or autonomous decision-making.
Facial Recognition, Biometric Data and Geolocation
The PDPA defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data (Article 4 of the PDPA). Biometric data is classified as sensitive data and the PDPA’s rules on processing sensitive data also apply to biometric data.
The PDPA does not contain provisions regarding facial recognition and geolocation.
However, the legislation governing some of these matters, such as the Personal Identification Document Act or the ECA, does not address the question of personal data protection, which means that the general rules of the PDPA, regarding the processing of sensitive and personal data, are applicable to these topics as well.
The PDPA does not address the question of data collection through drones. There is legislation regarding drones that contains rules on their use that explicitly provides for the responsibility of the person who controls a drone for any damages or unlawful use of drones. However, this legislation is silent on the question of data processing through drones, which means that such processing also falls under the general rules on data processing prescribed by the PDPA.
The importance of FAIR (findability, accessibility, interoperability and reusability) data practices is recognised in Serbia, particularly within educational and scientific organisations and institutions, which invest the time and effort to implement and follow FAIR data principles in their activities.
Enforcement of the provisions of the PDPA and sanctions for its violation are described in 2.5 Enforcement and Litigation.
The general rules of the PDPA apply to the process of conducting due diligence in corporate transactions. The major points that should be taken into account, particularly by a target company are:
Apart from the PDPA, the Information Security Act (ISA), which is the main law in the field of cybersecurity, obliges the operators of the ICT systems of essential services to notify the Serbian Telecommunications Agency (RATEL), as the national Computer Emergency Response Team (CERT), of incidents and attacks related to the ICT system that may have a significant impact on informational security. An incident has to be reported in writing to RATEL within one day of its occurrence and, if it relates to secret data, the operator of an ICT system of special importance is also obliged to follow the rules related to data secrecy (Article 11 of the ISA). If the reported incident is of a public interest, RATEL may order its public disclosure.
There has been no discussion about the enactment of laws or policies similar to the EU’s Digital Markets Act, Digital Services Act, Data Act and alike. The regulation of tech companies, data practices and their influence on consumers, as well as the market, have not been subject to a specific regulation. The general rules of the Consumer Protection Act, the PDPA and the Competition Act remain applicable to tech companies.
There are no data protection or privacy issues of major importance not already covered in this chapter.
+381 11 3231 970
+381 11 3245 firstname.lastname@example.org www.mjb.rs
In 2022, the overall legal framework for the processing of personal data remained unchanged. The focus of the Commissioner for Information of Public Importance and Personal Data Protection (the "Commissioner") is on raising awareness of the importance of the rules on data processing, both for data controllers and data subjects.
Certain steps have been taken in relation to the regulation of artificial intelligence (AI). A draft of the Artificial Intelligence Ethics Guidelines has been prepared and the intention to proceed with the drafting of the Law on Artificial Intelligence has been announced. However, the application of AI in the area of social protection, which was implemented in the Social Card Act, raised serious concerns as to the discrimination of the most vulnerable members of society.
The Commissioner՚s focus was also on establishing the level of awareness and digital literacy of minors with respect to the protection of their personal data in the online environment.
Finally, the Commissioner rendered several interesting decisions which are useful from the perspective of the interpretation of the Personal Data Protection Act (PDPA), with special focus on explaining and providing guidelines on the preparation of data protection impact assessment.
Artificial Intelligence Ethics Guidelines
In December 2022, the government of the Republic of Serbia prepared a draft of the Artificial Intelligence Ethics Guidelines for the development, application, and use of trustworthy AI. The Guidelines were prepared on the basis of the Strategy for the Development of Artificial Intelligence in the Republic of Serbia up to 2025, which proclaims the ethical and safe application of AI as one of its main objectives, and the UNESCO Recommendation on the Ethics of Artificial Intelligence.
The Artificial Intelligence Ethics Guidelines prescribe the following principles, which should be intrinsic to any AI system.
Transparency and explainability
Transparency has been described as the ability to verify all the processes of a system in all its stages, including verification during the design process of a system, the testing phase as well as the application stage, which also includes an assessment of the short-term and long-term effects of the system.
Explainabilty is defined as the understandability of the input, output and the functioning of each part of a system as well as the purpose of the system and its functions, with particular focus on decisions made by the system. Systems lacking explainability and transparency should be avoided.
Respect, protection and promotion of human dignity
The AI system must be designed and used in a manner that provides for the respect and protection of human rights and human dignity of all persons affected by the application of that system.
"Do no harm" principle
The AI system must comply with the safety standards and contain certain mechanisms which would prevent the occurrence of a harm to people and their property, as well as prompt recovery should harm occur.
Fairness and non-discrimination
AI systems should safeguard fairness and should not be discriminatory, particularly in relation to vulnerable categories of society. Fairness comprises two parts: the first relates to the substance of AI systems, which should provide equal opportunity to all persons without causing bias, discrimination and stigmatisation, and the second relates to the procedural side of fairness and ensures the challenging of decisions related to the AI system, as well as the responsibility of the designer of the AI system.
Apart from laying down the underlying principles for the use of AI systems, the Guidelines also define the AI systems with special emphasis on high-risk AI systems. They are described as systems with a predisposition to directly or indirectly violate principles and conditions defined by the Guidelines even if no such violation has been detected. The Guidelines identify several areas in which AI systems could be classified as high-risk, such as AI systems for biometric identification, systems for managing critical infrastructure (systems for water, gas, heating and electricity supply and traffic), systems implemented in the areas of education and professional improvement, employment, healthcare, criminal prosecution, migration of people, justice and the courts.
The Guidelines also provide for an open list of requirements that all AI systems should fulfil:
To verify whether an AI system fulfils these requirements, the Guidelines provide a questionnaire which has set of questions for each of the above-prescribed requirements. The Guidelines have not yet been adopted, however, even in their draft form they are a helpful tool for explaining the environment and underling principles which should be observed during the process of creating and applying an AI system.
The Social Card Act
In 2021, the Social Card Act was adopted. This Act introduced the so-called Social Card Register as a centralised register of data on the socio-economic status of individuals who are applying for social benefits. The Social Card Register contains data collected from different registers of public authorities that are used to determine the socio-economic status of individuals and their ability to qualify for social benefits. It is manged by the Ministry of Labour, Employment, Veteran and Social Affairs. The Social Card Act contains a detailed list of the data contained in the Social Card Register, the purpose of the data processing, the storage of the data, together with an explanation of the technical measures applied for assuring the safety and protection of the personal data within it.
The Social Card Register was established with the aim of facilitating the process of establishing factual circumstances and fulfilment of legal conditions necessary for obtaining social benefits. The Social Card Act explicitly states that data processing within the Social Card Register is performed for the purpose of:
The Social Card Register is accessible to social workers and public authorities who are in charge of social protection. Although announced as a piece of legislation which would facilitate the process of distribution of the social welfare benefits and contribute to fairer distribution, its application created a more hostile environment for the applicant for social benefits and confirmed the concerns previously raised by non-governmental agencies about its lack of transparency and potentially discriminatory outcome of its application. According to the information from the non-governmental agency A11 as of the date of application of this Act, the overall number of users of social welfare benefits has been reduced by 10%, which raises questions about the tools and processes used by the Social Card Register system.
One of the main criticisms of the Social Card Register is that it lacks transparency and explainability since it is not clear how the decision-making process is designed. Based on the users' experience and proclaimed purpose of data processing, it was presumed that the Social Card Act would introduce an automated decision-making process for granting social benefits to applicants. The social workers were reporting that the register is designed in a manner that leaves them no room for decision-making and that the system requires them to simply select one of the options made available by the system. Should the system, based on the given inputs, conclude that the applicant does not qualify for social benefits, it simply rejects the application and social workers do not have the tools to influence such decision, even if the factual circumstances of an application suggest otherwise. Moreover, there have been cases when certain conditions, which prior to the implementation of the Social Card Register were not considered as an obstacle to qualifying for social benefits, started to be an impediment and resulted in denying the applicants the right to social benefits for which they were eligible only several months ago.
Critics of the Social Card Register claim that the automated decision-making process is blind to the real needs of the applicants for social benefits who are frequently lacking the proper education or means to fight for their rights. It has not been unusual for social workers to advise applicants to contact free legal aid services in order to be able to exercise their rights.
It is also claimed that the Social Card Register is detached from the real needs of the users of social benefits who are now faced with the complexities, difficulties and errors that come with the centralised database of social security applicants. Another set of criticisms relates to the processing of an extensive amount of data contained in the Social Card Register without transparency, which as a result targets marginalised and vulnerable groups of the population. Recipients of social benefits, many of whom are people with disabilities or members of the Roma community, have the lowest incomes in the country. As a result of the Social Card Register’s strict conditions and non-transparent procedures, their poor living conditions are only further exacerbated.
The authorities were invited to respond to these criticisms, however, they rejected them stating that the decision-making process is not automated and that it is still in the hands of social workers who only rely on the data from the Social Card Register.
Children and Privacy on the Internet
In 2022, the results of the research concerning data protection and privacy of minors on the internet have been published. The research was conducted by Centre for Free Elections and Democracy (CeSID) in co-operation with the Commissioner with the support of the United States Agency for International Development (USAID) and Propulsion. The research focuses on minors’ use of the internet and reveals that it is used mainly for communication purposes and entertainment, particularly on social platforms. The research also explores the level of awareness of the necessity to protect personal data and privacy in the online environment. Overall, between one third and one half of the participants in the research were aware of the manner in which social platforms present content to the users, cookies policies, means for avoiding and fighting digital violence, and the existence of the PDPA and the GDPR as legal documents which provide solutions for the protection of their privacy.
Guidelines on Data Protection Impact Assessments
The Commissioner’s annual report on data protection contains a section devoted to guidelines on data protection impact assessments. These guidelines were prepared because of the increasing need to perform data protection impact assessments and provide explanations as to when a type of data processing is likely to result in a high risk to the rights and freedoms of individuals. The guidelines stipulate when the performance of a data protection impact assessment is necessary, as well as the structure and content of the data protection impact assessment.
Voice as Personal Data
In 2022, the Commissioner issued a reprimand to a company that had been processing audio files of voice recordings of persons and presenting them as pranks on its website. The company recorded the pranks through interactive voice response and made the audio files available on its website without informing persons of such recordings and the intended use of the recorded audio files. The Commissioner first confirmed that the recording of a voice is considered "personally identifiable information" even if the phone number of a recipient of a call and a caller has not been disclosed. It also stated that such data processing is not in accordance with the law as it violets the principles of lawfulness, fairness and transparency. As a result of this reprimand, the company permanently shut down its server on the territory of the Republic of Serbia as it was not able to implement voice modulation techniques.
+381 11 3231 970
+381 11 3245 email@example.com www.mjb.rs