The Constitution of the Republic of Serbia contains several provisions relating to the protection of privacy, including the confidentiality of letters and other means of communication (Article 41 of the Constitution) and the protection of personal data (Article 42 of the Constitution). 

Under the Constitution, the confidentiality of letters and other means of communication may only be derogated from for a specified period of time and on the basis of a court decision for the purpose of conducting criminal proceedings or protecting the safety of Serbia, in a manner stipulated by the law (Article 41 of the Constitution). 

The Constitutional guarantee of protection of personal data (Article 42 of the Constitution) provides that use of personal data for any purpose other than that for which it was collected is prohibited and punishable in accordance with the law, unless it is necessary to conduct criminal proceedings or protect the safety of Serbia, in a manner stipulated by the law.

The Constitution also guarantees that everyone shall have the right to be informed of the collection of personal data relating to them, in accordance with the law, as well as the right to court protection in the case of abuse of their personal data. 

The Personal Data Protection Act

In August 2019, application of the new Personal Data Protection Act (PDPA) came into effect. The solutions provided by the PDPA are in line with the GDPR. The PDPA defines personal data, the different types of personal data and the manner of their collection, processing and transfer outside of the territory of Serbia. In Avgust 2023 Serbia adopted the Personal Data Protection Strategy for the period from 2023 to 2030. The main goal of this Strategy is “[r]especting the right to protection of personal data in all areas of life‟.

Provisions that are of relevance to the protection of personal data may also be found in the Electronic Communications Act (ECA), as well as in sector-specific legislation, such as the Act on Health Documents and Records, the Act on Records and Data Processing in Interior Affairs, the National DNA Registry Act and the Law on Social Card.

Also, the provisions of the Information Security Act (ISA) regarding data breach reporting and notification are relevant to the protection of personal data and privacy. The ISA regulates (i) measures for protection against security risks in ICT systems, (ii) the liability of legal entities in relation to management, and (iii) the use of ICT systems and competent authorities in charge of the implementation of protective measures (Article 1 of the ISA).

Thus, the operators of the ICT systems for essential services are obliged to notify the Regulatory Authority for Electronic Communications and Postal Services (RATEL), as the national Computer Emergency Response Team (CERT), of incidents and attacks related to the ICT system that may have a significant impact on informational security. An incident has to be reported in writing to the national CERT within one day of its occurrence and, if it relates to the secret data, the operator of the ICT system of special importance is also obliged to follow the rules related to data secrecy (Article 11 of the ISA).

If the reported incident is of a public interest, RATEL may order its public disclosure. If the incident is related to crimes prosecuted ex officio, RATEL shall inform the competent Public Prosecutor’s Office and/or the Ministry of the Interior. If the incident involves a violation of personal data, RATEL will report the incident to the Commissioner for Protection of Personal Data (Article 11 of the ISA).

According to the Constitution of Serbia, ratified international treaties and generally accepted rules of international law are part of the legal system of Serbia, and laws and other general acts enacted in Serbia have to comply with ratified international treaties and generally accepted rules of international law (Article 194 of the Constitution).

In the context of personal data protection, Serbia has ratified the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol regarding Supervisory Authorities and Transborder Data Flows (ETS No 108, Strasbourg, 28 January 1981) (the “Convention”). The Convention serves as a legal ground for transfer of data from Serbia to the UK after Brexit, since the UK is party to it and signatories of the Convention are considered to be countries that ensure an adequate level of data protection.

Serbia is also a signatory to various international agreements that contain provisions that could be relevant for accessing or obtaining data processed in the territory of Serbia, mostly in the context of international co-operation in civil and criminal matters. 

Because Serbia is in the process of accession to the EU, much Serbian legislation focuses on the implementation of the standards and provisions provided by EU legislation.

Moreover, the PDPA contains solutions provided by the GDPR and Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the “Police Directive”).

Under Serbian legislation, the main regulator in the area of data protection is the Commissioner for Information of Public Importance and Protection of Personal Data (“the Commissioner”), whose prerogatives are defined by the PDPA. Under the PDPA, the Commissioner is a supervisory body that: 

• monitors and enforces the application of the PDPA; 
• advises the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing; 
• provides information to any data subject concerning the exercise of their rights under the PDPA; and 
• co-operates with the supervisory authorities of other states. 

The Commissioner also: 

• handles complaints lodged by a data subject; 
• prepares standard contractual clauses and authorises contractual clauses that would serve as an adequate safeguard for the transfer of data to a country or international organisation that does not ensure adequate levels of protection of personal data; 
• establishes and maintains a list in relation to the requirements for a data protection impact assessment when required by law; and 
• accredits certification bodies, issues certifications and approves criteria of certification (Article 78 of the PDPA). 

Data Protection Commissioner Powers

The Commissioner is vested with a set of investigative powers, corrective powers and advisory powers that are identical to the powers of the supervisory body prescribed by the GDPR. The Commissioner is authorised, inter alia, to:

• order the data controller or data processor to provide information it requires for the performance of its tasks; 
• monitor the application of the provisions of the PDPA by exercising its inspection powers; 
• carry out a review on certifications issued in accordance with the PDPA; 
• obtain access to any premises of a controller or processor, including to any data-processing equipment and means; 
• issue reprimands to a controller or processor where processing operations have infringed provisions of the PDPA; 
• order the controller or the processor to comply with the data subject’s requests to exercise their rights pursuant to the PDPA; 
• order the controller or processor to bring processing operations into compliance with the provisions of the PDPA, where appropriate, in a specified manner and within a specified period; 
• order the controller to communicate a personal data breach to the data subject; 
• impose a temporary or definitive limitation, including a ban on processing; 
• order the rectification or erasure of personal data or restriction of processing; 
• withdraw a certification or order the certification body to withdraw an already-issued certification; 
• impose an administrative fine – in addition to, or instead of, other corrective measures – depending on the circumstances of each individual case; and
• order the suspension of data flows to a recipient in a third country or to an international organisation (Article 79 of the PDPA).

Under the PDPA, the Commissioner is authorised to exercise its powers in accordance with the Administrative Procedure Act and Inspection Act (Article 77 of the PDPA) as well as to initiate proceedings before the courts and other competent bodies in accordance with the law (Article 79 of the PDPA). 

The Commissioner is obliged to act upon the complaints of a data subject and initiate the inspection procedure, as well as to inform the data subject about the outcome of the inspection and their right to initiate administrative court proceedings against the decision of the Commissioner. If the data subject is not satisfied with the decision of the Commissioner, or if the Commissioner fails to act upon the complaint within 60 days from its receipt, the data subject is authorised to initiate court proceedings against the Commissioner in accordance with the Administrative Court Proceedings Act (Articles 82 and 83 of the PDPA).

The enforcement of personal data protection is the remit of the Commissioner, which is authorised to investigate whether data processing is lawful, including the right to request access to the premises of the data controller and means of data processing, as well as to order rectification of identified irregularities in data processing within a specified period of time, or to render a temporary ban on any processing carried out contrary to the provisions of the PDPA (Article 79 of the PDPA).

Data processing contrary to the provisions of the PDPA represents a misdemeanour punishable with a fine between RSD50,000 and RSD2 million for a legal entity, RSD20,000 and RSD500,000 for an entrepreneur, and RSD5,000 and RSD150,000 for both a natural person and the responsible person in a legal entity (Article 95 of the PDPA).

According to the Commissioner’s annual report for 2023 (the report for 2024 is not available at the moment of submission of this article) the Commissioner carried out a total of 731 inspections (549 regular inspections and 182 extraordinary inspections). 689 cases were closed after confirming compliance with previous inspection findings, 24 cases were closed with an official note or response to the complainant, as no violations of the PDPA were found. 18 cases were pursued further as misdemeanours.

Violations Identified

66 cases were found to involve violations of the PDPA, leading to the following enforcement actions:

• ten misdemeanour proceedings were initiated;
• five misdemeanour orders were issued; and
• 51 corrective measures (warnings) were imposed on data controllers.

Initiation of New Supervision Procedures

The Commissioner initiated 771 new supervision procedures:

• 566 regular inspections; and
• 205 extraordinary inspections;
1. 138 based on complaints;
2. 29 due to data breach notifications; and
3. 38 for other reasons.

Court Proceedings Related to Commissioner’s Activities

Administrative Court Cases

72 lawsuits were filed against the Commissioner before the Administrative Court.

16 lawsuits were filed by the Ministry of Internal Affairs due to orders to delete personal data from their records.

The Administrative Court resolved 12 lawsuits, rejecting all as unfounded.

The Constitutional Court received 30 constitutional complaints related to the Commissioner’s decisions, but due to classification methods, it is unclear how many were about personal data protection.

The Constitutional Court issued 12 rulings, rejecting all complaints.

Misdemeanour responsibility

The Commissioner filed ten misdemeanour requests due to violations of the PDPA, targeting:

• four cases of processing personal data contrary to fundamental principles;
• one case of processing personal data without consent; and
• five cases of failure to appoint a Data Protection Officer (DPO).

These requests were filed against three responsible persons, six legal entities and one entrepreneur.

Since 2010, 238 misdemeanour requests have been filed:

• 216 under the old PDPA, with common violations including failure to update records, unlawful processing and failure to comply with the Commissioner’s orders; and
• 24 under the new PDPA, mainly related to unlawful processing and lack of adequate security measures.

In 2023, five misdemeanour orders were issued for:

• three cases of failure to maintain processing records; and
• two cases of failing to publish or submit DPO contact information.

Criminal Complaints and Prosecutor’s Actions

Since 2010, the Commissioner has filed 49 criminal complaints, covering offences such as unauthorised wiretapping, unauthorised data collection and abuse of official position.

Only two indictments were filed, leading to:

• one conditional conviction (six months’ probation); and
• one acquittal.

23 complaints were dismissed due to:

• 15 cases of prosecution being deferred;
• three cases where the offence was not considered a criminal act; and
• five cases of expired statutes of limitations. In 2023, misdemeanour courts issued five first-instance decisions:

• three convictions with warnings;
• one dismissal due to expired statutes of limitations; and
• one rejection due to the statute of limitations.

SHARE Foundation has reported 76 cases of violations of privacy and data protection, out of which 22 perpetrators are persons from the public sector, 16 natural persons and 16 persons from media outlets. In 42 cases, the violation affected a large number of people, 32 cases relate to individual data subjects and one relates to a political data subject.

Serbia has an active but relatively mild enforcement of data protection laws. While there are administrative and legal actions against violators, the lack of significant fines or major criminal convictions suggests that data protection compliance may not yet be a top enforcement priority. The relatively low penalties (compared to GDPR) may contribute to the limited motivation for full compliance among organisations.

AI is still not regulated in Serbian legislation. In 2019, Serbia adopted “Strategy for the Development of Artificial Intelligence in the Republic of Serbia for the period 2020-2025.” The strategy established “goals and measures for the development of artificial intelligence, the implementation of which should result in economic growth, improvement of public services, improvement of scientific staff and development of skills for the jobs of the future”. Also, “implementation of the measures of the Strategy should ensure that artificial intelligence in the Republic of Serbia is developed and applied in a safe manner and in accordance with internationally recognised ethical principles in order to use the potential of this technology to improve the quality of life of each individual and society as a whole, as well as for achieving the Sustainable Development Goals”.

In 2022, Serbia became a member of Global Partnership on Artificial Intelligence and, in 2023, Serbia became a member of the AI Governance Alliance at the AI Governance Summit of the World Economic Forum in San Francisco.

In January 2025, Serbia adopted the new “Strategy for the Development of Artificial Intelligence in the Republic of Serbia for the period 2025-2030”. The new Strategy acknowledged that Serbia had adopted UNICEF’s Recommendation on the Ethics of Artificial Intelligence and that it had implemented the application of AI in the educational and health sector. The new Strategy advocates support for start-ups and small- and medium-sized enterprises in the AI sector and measures for increasing investment in the development of AI. It also establishes a National Artificial Intelligence Platform, an infrastructure platform which would facilitate innovation. The Strategy also focuses on introducing and implementing AI solutions in the public sector. One of the most important goals prescribed by the Strategy is the creation of a legislative framework for AI. The adoption and full implementation of the AI legislation are planned by the end of 2027.

As mentioned in 1.5 AI Regulation, AI is not regulated in Serbian legislation.

Two main pieces of legislation relevant for privacy litigation in Serbia are the PDPA and the Law on Public Information and Media. The PDPA defines data subjects’ rights and mechanisms for their protection, with the Commissioner as the main authority for the protection of personal data. As mentioned in 1.4 Data Protection Fines in Practice, Serbia has a modest number of cases related to the protection of personal data. However, there are numerous defamation cases governed primarily by the provisions of the Law on Public Information and Media.

In recent years, there have been many SLAPPs (strategic lawsuits against public participation) against independent media and investigative journalists, filed by government officials, public servants, politicians, celebrity figures, and business owners whose business activities have been associated with corrupt practices.

Since Serbia is not a member of the EU, EU case law does not directly affect Serbian courts. However, decisions of the ECHR are relevant for domestic court cases and are considered, particularly concerning the interpretation and application of the provisions of the European Convention on Human Rights.

As discussed in 1.4 Data Protection Fines in Practice, there is not much case law relating to the application of the PDPA. Recent examples of SLAPPs relate to the investigative journalist’s portal KRIK (the Crime and Corruption Reporting Network), which has been sued by a judge and her husband for a violation of privacy rights (criminal charges were also brought) by publishing profiles in the “Judge Who Judges” database, which aims to increase transparency within the judiciary. Monetary compensation was requested in the lawsuit. Similarly, Nenad Milanović, chief of staff to the mayor of Belgrade, filed a lawsuit against the Balkan Investigative Reporting Network (BIRN) Serbia, alleging defamation.

Serbian legislation does not support collective redress mechanisms in relation to privacy and data protection. Serbian Consumer Protection Law is a single piece of legislation which provides a collective redress mechanism but only for consumer-related matters. Registered consumer associations and the Ministry of Trade may initiate proceedings for the protection of the consumer’s collective interest. However, this possibility is not available for privacy litigations.

Since Serbia is in the process of accession to the EU, it should take into account the EU’s Representative Actions Directive (EU) 2020/1828 and introduce collective redress mechanisms into other areas of law apart from the consumer protection law; there is no indication that such legislation will be adopted in the near future.

IoT is not regulated by Serbian law.

IoT is not regulated by Serbian law. The processing of personal data is subject to the general rules of the PDPA.

See 3.1 Objectives and Scope of Data Regulation.

See 3.1 Objectives and Scope of Data Regulation.

Serbian legislation does not have special rules governing the application of cookies, beacons, the use of tracking technologies or behavioural advertising so the general rules of the PDPA also apply to these topics.

The PDPA does not contain special provisions regarding online marketing. However, it does regulate processing for direct marketing purposes and entitles the data subject to object at any time to the processing of personal data concerning them for such marketing, which also includes profiling (Article 37 of the PDPA). Regarding other aspects of online marketing, general rules on data processing apply. 

The Advertising Act (AA) also contains a provision that allows direct advertising only upon obtaining prior consent from the person to whom the advertising is sent (Articles 62 and 63 of the AA). Behavioural advertising and targeted advertising are not regulated explicitly by Serbian law.

Under the PDPA, the processing of employees’ personal data is carried out in accordance with the provisions of employment law and collective agreements based on the principles set out by the PDPA. The PDPA also recognises that employment regulations and collective agreements may contain provisions related to the protection of personal data of employees, in which case they also need to specify suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights (Article 91 of the PDPA). 

Under the Employment Act of the Republic of Serbia, employers are allowed to collect data regarding their employees where this is prescribed by that law and other laws related to employment matters. The Employment Act also authorises employers to monitor the work of their employees, a provision that is frequently used in practice as a ground for accessing employees’ computers and email communications. In this respect, the Commissioner has taken the position that such access is allowed if the computer and email account were provided by the employer for the purpose of work performance and if it does not invade the employees’ privacy. If an employee is using a private email account or private computer, the employer may access the data contained therein only in the presence of that employee, who will then be able to prevent the employer’s access to private communication and files. In a recent ruling the Commissioner took the position that an employer must not continue to use its former employee’s email account upon termination of employment, as it contains the employee’s name: a piece of personal data whose processing is no longer justifiable, legal and necessary.

In Serbia, the transfer of personal data in asset deals is regulated by the PDPA. When an asset deal involves personal data (eg, customer or employee databases), the transfer must have a valid legal basis under the LPDP:

• legitimate interest (Article 12 of the PDPA);
• consent if the transaction involves sensitive data or when no other legal basis is available (Article 15); and
• legal obligation (Article 17) (eg, employment records).

During the due diligence procedure, the seller should minimise data exposure and use anonymised or pseudonymised data where possible. NDAs must also be signed.

Once the transaction is closed, the buyer becomes a new data controller and must inform data subjects (customers, employees) about the change. If the transfer changes the purpose of data processing, additional consent may be required. If the buyer is outside Serbia, data transfers must comply with PDPA rules on international transfers (transfers to countries without an adequate level of protection require standard contractual clauses (SCCs) or other safeguards). The buyer must provide information on how their data will be used post-transfer.

Under the PDPA, international transfers of data to a country, a territory or one or more specified sectors within that country, or an international organisation that ensures an adequate level of protection do not require any prior authorisation (Articles 63 and 64 of the PDPA).   

It is assumed that an adequate level of protection exists in:

• countries and international organisations that are parties to the Convention; 
• countries and international organisations that are considered by the EU to ensure adequate levels of protection of personal data; and 
• countries with which the Republic of Serbia has concluded international treaties regarding the transfer of personal data (Article 64 of the PDPA).

The Serbian government has rendered a decision on the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection, which specifies the countries to which the transfer of data is free.

Furthermore, under the PDPA, the transfer of personal data is also allowed to a country, a territory of, or one or more specified sectors within, that country, or an international organisation that does not have an adequate level of protection if the controller or processor provides appropriate safeguards, and if enforceable data subject rights and effective legal remedies for data subjects are available in that country, a territory of, or one or more specified sectors within, that country, or the relevant international organisation (Article 65 of the PDPA).

The appropriate safeguards may be provided by a controller without requiring any specific authorisation from the Data Protection Commissioner by: 

• a legally binding instrument between public authorities or bodies;
• standard data protection clauses prepared by the Data Protection Commissioner that regulate the legal relationship between the controller and processor;
• binding corporate rules that regulate processing of personal data by a controller and the group of companies to which the controller belongs;
• an approved code of conduct, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
• an approved certificate issued in accordance with the PDPA, together with binding and enforceable commitments on the part of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

The appropriate safeguards may also be provided through contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, or through provisions inserted into administrative arrangements between public authorities or bodies that include enforceable and effective data subject rights, but only with the specific authorisation of the Commissioner, which is obliged to give such authorisation within 60 days from the day of receipt of the request for authorisation (Article 65 of the PDPA).

Further, under the PDPA, the data controller may introduce binding corporate rules that are adhered to by a controller or processor established in the territory of the Republic of Serbia for the purpose of a transfer, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. If the Data Protection Commissioner approves the binding corporate rules, it is considered that a controller has provided adequate safeguards and that data may be transferred outside of the territory of the Republic of Serbia (Article 67 of the PDPA).

Nonetheless, each international transfer of data has to be lawful – ie, it must be based on one of the legal grounds prescribed by the law, namely:

• the data subject has given consent to the processing of their personal data for one or more specific purposes; 
• it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; 
• it is necessary for compliance with a legal obligation to which the controller is subject; 
• it is necessary in order to protect the vital interests of the data subject or of another natural person; 
• it is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller; or
• it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by those interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child. 

Under the PDPA, prior approval of the Data Protection Commissioner may be required if data is to be transferred to a country that does not ensure an adequate level of protection (Article 65 of the PDPA). For more details see 5.1 Restrictions on International Data Transfers.

Under the current Serbian legislation, there is no requirement for data localisation. However, each instance of data processing, including the transfer of data, has to be made on one of the grounds for data processing stipulated by the PDPA and must ensure adequate levels of data protection (Articles 12 and 65 of the PDPA).

As stated in 5.1 Restrictions on International Data Transfers, the transfer of personal data to a country that is not a party to the Convention is subject to prior approval of the Commissioner. If that approval is denied, the data cannot be transferred. 

As regards requests for transfer of personal data to a foreign country for the purpose of conducting criminal or civil proceedings, all such requests are governed by the rules of the international treaties and bilateral agreements regulating the co-operation of Serbia with foreign countries in criminal and civil law matters.

There is no applicable information in this jurisdiction.