The protection of personal data in Serbia is grounded in constitutional, statutory, and sector-specific sources. The Constitution of the Republic of Serbia guarantees the protection of personal data and the confidentiality of communications, allowing limitations only under strict legal and judicial conditions. The Constitution of the Republic of Serbia contains several provisions relating to the protection of privacy, including the confidentiality of letters and other means of communication (Article 41 of the Constitution) and the protection of personal data (Article 42 of the Constitution).
Under the Constitution, the confidentiality of letters and other means of communication may only be derogated from for a specified period of time and based on a court decision for the purpose of conducting criminal proceedings or protecting the safety of Serbia, in a manner stipulated by the law (Article 41 of the Constitution).
The Constitutional guarantee of protection of personal data (Article 42 of the Constitution) provides that use of personal data for any purpose other than that for which it was collected is prohibited and punishable in accordance with the law, unless it is necessary to conduct criminal proceedings or protect the safety of Serbia, in a manner stipulated by the law.
The Constitution also guarantees that everyone has the right to be informed of the collection of personal data relating to them, in accordance with the law, as well as the right to court protection in the event of abuse of their personal data. The primary statute is the Personal Data Protection Act (PDPA), applicable since 2019, which is largely aligned with the GDPR and the EU Law Enforcement Directive.
The PDPA applies across sectors and governs the processing, storage, and international transfer of personal data. The solutions provided by the PDPA are in line with the GDPR. The PDPA defines personal data, the different types of personal data and the manner of their collection, processing and transfer outside of the territory of Serbia. The PDPA has limited extraterritorial reach and applies to foreign controllers offering goods or services to individuals in Serbia or monitoring their behaviour. While Serbia does not regulate non-personal data or AI through binding legislation, data protection rules apply where AI systems rely on personal data, and policy alignment with EU developments is ongoing. In August 2023, Serbia adopted the Personal Data Protection Strategy for the period from 2023 to 2030. The main goal of this Strategy is “[r]especting the right to protection of personal data in all areas of life”.
Provisions that are of relevance to the protection of personal data may also be found in the Electronic Communications Act (ECA), as well as in sector-specific legislation, such as the Act on Health Documents and Records, the Act on Records and Data Processing in Interior Affairs, the National DNA Registry Act and the Law on Social Cards.
Also, the provisions of the Information Security Act (ISA) regarding data breach reporting and notification are relevant for protection of personal data and privacy. The ISA regulates (i) measures for protection against the security risks in ICT systems, (ii) the liability of legal entities in relation to the management of ICT systems, and (iii) the use of ICT systems and the competent authorities in charge of implementation of protective measures (Article 1 of the ISA).
The operators of ICT systems of essential services are obliged to notify RATEL, as the national CERT, of incidents and attacks related to the ICT system that may have a significant impact on information security. An incident must be reported in writing to the national CERT within one day of its occurrence. If the incident relates to secret data, the operator of the ICT system of special importance is also obliged to follow the rules on data secrecy (Article 11 of the ISA).
If the reported incident is of a public interest, RATEL may order its public disclosure. If the incident is related to crimes prosecuted ex officio, RATEL shall inform the competent Public Prosecutor’s Office and/or the Ministry of the Interior. If the incident involves a violation of personal data, RATEL will report the incident to the Commissioner for Protection of Personal Data (Article 11 of the ISA).
According to the Constitution of Serbia, ratified international treaties and generally accepted rules of international law are part of the legal system of Serbia, and laws and other general acts enacted in Serbia have to comply with ratified international treaties and generally accepted rules of international law (Article 194 of the Constitution).
In the context of personal data protection, Serbia has ratified the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol regarding Supervisory Authorities and Transborder Data Flows (ETS No 108, Strasbourg, 28 January 1981) (the “Convention”). The Convention serves as a legal ground for transfer of data from Serbia to the UK after Brexit, since the UK is party to it and signatories of the Convention are considered to be countries that ensure an adequate level of data protection.
Serbia is also a signatory to various international agreements that contain provisions that could be relevant for accessing or obtaining data processed in the territory of Serbia, mostly in the context of international co-operation in civil and criminal matters.
Because Serbia is in the process of accession to the EU, much Serbian legislation focuses on the implementation of the standards and provisions provided by EU legislation.
Moreover, the PDPA contains solutions provided by the GDPR and the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the Police Directive).
Personal data processing in Serbia is governed by the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
Processing must rely on a valid legal basis, such as consent, contractual necessity, legal obligation, legitimate interest, or public interest.
Data subjects have rights to access, rectification, erasure, restriction, portability, objection, and protection against automated decision-making. Organisations must implement appropriate technical and organisational measures and maintain internal accountability.
Key compliance obligations include:
Special categories of personal data include personal data on racial or ethnic origin, political opinion, religious or philosophical belief, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation. Their processing is generally prohibited unless a specific statutory exemption applies, such as explicit consent, employment law obligations, public health interests, or legal claims.
Processing of data relating to criminal convictions and offences is permitted only under the control of competent authorities or where expressly authorised by law.
Consent for data processing is valid if it is given by a person of 18 years of age or older. Data concerning minors requires heightened protection, and consent must be obtained from a parent or legal guardian when information society services are offered directly to children. Exceptionally, persons aged 15 years or older are able to give consent in relation to online services.
Companies providing digital tools or technologies used in healthcare may process patient data for research and development purposes if a valid legal basis exists and appropriate safeguards are applied, in accordance with the PDPA.
Scientific and statistical research may rely on legal obligations, public interest, or consent, provided data minimisation and confidentiality are ensured. Serbia does not yet have legislation comparable to the European Health Data Space Regulation, but alignment is expected as part of EU accession.
Serbia does not currently have binding AI legislation. However, the use of AI systems involving personal data remains subject to the PDPA. Controllers must ensure transparency, purpose limitation, data accuracy, and proportionality when training or deploying AI models.
Automated decision-making that produces legal or similarly significant effects is restricted unless based on explicit consent, contractual necessity, or legal authorisation, with safeguards including human intervention. Serbia’s 2025–2030 AI Strategy envisages the adoption of comprehensive AI legislation by 2027, likely reflecting a risk-based approach similar to the EU AI Act.
In practice, organisations are expected to implement internal governance, bias mitigation, explainability measures, and human oversight when AI systems process personal data.
In the event of a personal data breach, controllers must notify the Commissioner without undue delay and, where feasible, within 72 hours after becoming aware of the breach. Notification to affected data subjects is required if the breach is likely to result in a high risk to their rights and freedoms.
The notification must describe the nature of the breach, likely consequences, and measures taken or proposed to mitigate harm. Controllers must document all breaches internally, regardless of notification obligations.
Data breaches may trigger inspections by the Commissioner, co-ordination with the national CERT under the Information Security Act, and potential misdemeanour proceedings.
The primary supervisory authority is the Commissioner for Information of Public Importance and Protection of Personal Data. Under the PDPA, the Commissioner is a supervisory body that:
The Commissioner also:
Data Protection Commissioner Powers
The Commissioner is vested with a set of investigative powers, corrective powers and advisory powers that are identical to the powers of the supervisory body prescribed by the GDPR. The Commissioner is authorised, inter alia, to:
Other authorities with overlapping competences include RATEL (telecommunications and cybersecurity incidents), sectoral regulators, and courts. Proceedings are typically triggered by data subject complaints, breach notifications, or ex officio inspections. Guidance issued by the Commissioner is formally non-binding but is treated as authoritative in practice and frequently relied upon by courts and public bodies.
Under the PDPA, the Commissioner is authorised to exercise its powers in accordance with the Administrative Procedure Act and Inspection Act (Article 77 of the PDPA) as well as to initiate proceedings before the courts and other competent bodies in accordance with the law (Article 79 of the PDPA).
The Commissioner is obliged to act upon the complaints of a data subject and initiate the inspection procedure, as well as to inform the data subject about the outcome of the inspection and their right to initiate administrative court proceedings against the decision of the Commissioner. If the data subject is not satisfied with the decision of the Commissioner, or if the Commissioner fails to act upon the complaint within 60 days from its receipt, the data subject is authorised to initiate court proceedings against the Commissioner in accordance with the Administrative Court Proceedings Act (Articles 82 and 83 of the PDPA).
The enforcement of personal data protection is the remit of the Commissioner, who is authorised to investigate whether data processing is lawful, including the right to request access to the premises of the data controller and means of data processing, as well as to order rectification of identified irregularities in data processing within a specified period of time, or to render a temporary ban on any processing carried out contrary to the provisions of the PDPA (Article 79 of the PDPA).
Data processing contrary to the provisions of the PDPA represents a misdemeanour punishable with a fine between RSD50,000 and RSD2 million for a legal entity, RSD20,000 and RSD500,000 for an entrepreneur, and RSD5,000 and RSD150,000 for both a natural person and the responsible person in a legal entity (Article 95 of the PDPA).
Enforcement activity in Serbia remains moderate and largely corrective rather than punitive. Recent trends show a focus on failure to maintain records, lack of DPO appointments, insufficient transparency, and inadequate security measures. Large-scale fines remain uncommon, and enforcement is often complaint-driven.
Two main pieces of legislation relevant for privacy litigation in Serbia are the PDPA and the Law on Public Information and Media. The PDPA defines data subjects’ rights and mechanisms for their protection, with the Commissioner as the main authority for the protection of personal data. Serbia has a modest number of cases related to the protection of personal data. However, there are numerous defamation cases governed primarily by the provisions of the Law on Public Information and Media.
Privacy litigation in Serbia remains limited compared with that in EU member states. Most disputes arise in the context of media reporting, defamation, and alleged violations of privacy under the Law on Public Information and Media.
Non-material damage is compensable under general tort law, and courts may award damages for emotional distress or reputational harm. Strategic lawsuits against public participation (SLAPPs) targeting journalists and media outlets have increased in recent years.
Since Serbia is not a member of the EU, EU case law does not directly affect Serbian courts. However, decisions of the ECHR are relevant in domestic court cases and are taken into account, particularly in the interpretation and application of the provisions of the European Convention on Human Rights.
There is limited case law directly interpreting the PDPA. However, court decisions and regulatory practice increasingly reference ECHR jurisprudence on privacy and freedom of expression.
Cases involving investigative journalism platforms have shaped the balance between public interest reporting and privacy rights, confirming that public figures enjoy a lower expectation of privacy when reporting serves democratic oversight.
Serbian legislation does not support collective redress mechanisms in relation to privacy and data protection. The Serbian Consumer Protection Law is the only piece of legislation that provides a collective redress mechanism, and only for consumer-related matters. Registered consumer associations and the Ministry of Trade may initiate proceedings for the protection of consumers’ collective interest. However, this mechanism is not available for privacy litigation.
As Serbia is in the process of EU accession, it should take into account the European Union’s Representative Actions Directive (EU) 2020/1828 and introduce a collective redress mechanism into areas of law other than consumer protection. However, there is no indication that such legislation will be adopted in the near future.
Serbia does not have a comprehensive legal framework governing non-personal data, data sharing, or IoT comparable to the EU Data Act.
As stated in 1.1 Overview of Data and Privacy-Related Laws and 3.1 Objectives and Scope of Data Regulation, Serbia does not have special legislation governing non-personal data. In principle, if datasets contain both personal and non-personal data, the PDPA applies to the personal data component. IP rights, trade secrets, and confidentiality obligations govern non-personal data. Organisations should ensure lawful separation, anonymisation, or access controls to avoid the unlawful processing of personal data.
There are no general statutory rights relating to data access, portability, or interoperability for non-personal data. Such rights arise only contractually.
No dedicated authority oversees non-personal data regulation.
Serbian legislation does not have special rules governing the application of cookies, beacons, the use of tracking technologies or behavioural advertising; therefore, the general rules of the PDPA apply to these areas as well.
In practice, opt-in consent is required for non-essential cookies, particularly where personal data is involved.
The PDPA does not contain special provisions regarding online marketing. However, it does regulate processing for direct marketing purposes and entitles the data subject to object at any time to the processing of personal data concerning them for such marketing, which also includes profiling (Article 37 of the PDPA). With respect to other aspects of online marketing, the general rules on data processing apply.
The Advertising Act (AA) also contains a provision that allows direct advertising only with the prior consent of the person to whom the advertising is sent (Articles 62 and 63 of the AA). Behavioural advertising and targeted advertising are not regulated explicitly by Serbian law.
Under the PDPA, the processing of employees’ personal data must be carried out in accordance with the provisions of employment law and collective agreements, based on the principles set out by the PDPA. The PDPA also recognises that employment regulations and collective agreements may contain provisions related to the protection of personal data of employees, in which case they also need to specify suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights (Article 91 of the PDPA).
Under the Employment Act of the Republic of Serbia, employers are allowed to collect data regarding their employees where this is prescribed by that Law and other laws related to employment matters. The Employment Act also authorises employers to monitor the work of their employees, a provision that is frequently used in practice as a ground for accessing employees’ computers and email communications. In this respect, the Commissioner has taken the position that such access is allowed if the computer and email account were provided by the employer for the purpose of work performance and if it does not invade the employees’ privacy. If an employee is using a private email account or private computer, the employer may access the data contained therein only in the presence of that employee, who will then be able to prevent the employer’s access to private communication and files. In a recent ruling, the Commissioner took the position that an employer must not continue to use its former employee’s email account upon termination of employment, as it contains the employee’s name: a piece of personal data whose processing is no longer justifiable, legal and necessary.
During the due diligence procedure, the seller should minimise data exposure and use anonymised or pseudonymised data where possible. NDAs must also be signed.
The transfer of personal data in M&A and asset deals is regulated by the PDPA. When such deals involve personal data (eg, customer or employee databases), the transfer must have a valid legal basis under the PDPA: (i) legitimate interest (Article 12 of the PDPA), (ii) consent if the transaction involves sensitive data or when no other legal basis is available (Article 15), and (iii) legal obligation (Article 17) (eg, employment records).
Once the transaction is closed, the buyer becomes the new data controller and must inform data subjects (customers, employees) of the change. If the transfer changes the purpose of data processing, additional consent may be required. If the buyer is outside Serbia, data transfers must comply with the PDPA’s rules on international transfers (transfers to countries without an adequate level of protection require standard contractual clauses (SCCs) or other safeguards). The buyer must also inform data subjects of how their data will be used post-transfer.
Under the PDPA, international transfers of data to a country, a territory or one or more specified sectors within that country, or an international organisation that ensures an adequate level of protection do not require any prior authorisation (Articles 63 and 64 of the PDPA).
It is assumed that an adequate level of protection exists in:
The Serbian government has rendered a decision establishing the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection, specifying the countries to which the transfer of data may occur freely.
Furthermore, under the PDPA, the transfer of personal data is also permitted to a country, a territory of, or one or more specified sectors within, that country, or an international organisation that does not have an adequate level of protection, if the controller or processor provides appropriate safeguards, and if enforceable data subject rights and effective legal remedies for data subjects are available in that country, a territory of, or one or more specified sectors within, that country, or the relevant international organisation (Article 65 of the PDPA).
The appropriate safeguards may be provided by a controller without requiring any specific authorisation from the Data Protection Commissioner by:
The appropriate safeguards may also be provided through contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, or through provisions inserted into administrative arrangements between public authorities or bodies that include enforceable and effective data subject rights, but only with the specific authorisation of the Commissioner, which is obliged to give such an authorisation within 60 days from the day of receipt of the request for authorisation (Article 65 of the PDPA).
Further, under the PDPA, the data controller may introduce binding corporate rules that are adhered to by a controller or processor established in the territory of the Republic of Serbia for the purpose of a transfer, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. If the Data Protection Commissioner approves the binding corporate rules, it is considered that a controller has provided adequate safeguards and that data may be transferred outside of the territory of the Republic of Serbia (Article 67 of the PDPA).
Nonetheless, each international transfer of data has to be lawful – ie, it must be based on one of the legal grounds prescribed by the law:
Under the PDPA, prior approval of the Data Protection Commissioner may be required if data is to be transferred to a country that does not ensure an adequate level of protection (Article 65 of the PDPA). For more details, see 5.1 Restrictions on International Data Transfers.
Under the current Serbian legislation, there is no requirement for data localisation. However, each instance of data processing, including the transfer of data, has to be made on one of the grounds for data processing stipulated by the PDPA and must ensure adequate levels of data protection (Articles 12 and 65 of the PDPA).
As stated in 5.1 Restrictions on International Data Transfers, the transfer of personal data to a country that is not a party to the Convention is subject to prior approval of the Commissioner. If that approval is denied, the data cannot be transferred.
As regards requests for transfer of personal data to a foreign country for the purpose of conducting criminal or civil proceedings, all such requests are governed by the rules of the international treaties and bilateral agreements regulating the co-operation of Serbia with foreign countries in criminal and civil law matters.
No major legislative changes occurred in the past year. Future developments are expected in the context of EU accession, AI regulation, and cross-border data governance.
Vlajkoviceva 28
11000 Belgrade
Serbia
+381 11 3231 970
+381 11 3245 065
office@mjb.rs www.mjb.rs
Introduction
While the legislative framework has remained formally unchanged since the entry into force of the Law on Personal Data Protection in 2019, the Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner”) has continued to develop a rich and increasingly detailed body of supervisory and complaints practice. This practice now provides meaningful guidance on how the core principles of Serbian data protection law are to be interpreted and applied in concrete situations.
The Commissioner’s latest annual publication, issued in early 2026 and covering cases resolved during 2025, illustrates a clear shift away from abstract discussions of compliance towards a highly fact-specific and outcome-oriented approach. The focus is no longer on whether controllers are formally aware of their obligations, but on whether they can demonstrate accountability, proportionality and necessity in practice.
At the same time, the Commissioner has publicly acknowledged that work on a new Law on Personal Data Protection is well advanced. This legislative activity, although not yet completed, provides important context for understanding current enforcement trends: supervisory practice in 2025 increasingly anticipates stricter standards for emerging technologies, digital services and large-scale processing operations.
Accountability as a Central Enforcement Benchmark
From formal compliance to demonstrable compliance
One of the most significant trends observed in 2025 is the Commissioner’s insistence on demonstrable accountability. Controllers are no longer assessed primarily on the basis of whether they invoke a recognised legal basis or cite relevant statutory provisions. Instead, they are expected to show that compliance considerations were embedded into decision-making processes before processing commenced.
Across a wide range of cases, the Commissioner criticised controllers for failing to produce internal documentation explaining why a particular processing operation was necessary, proportionate and lawful. This was particularly evident in cases involving reliance on legitimate interest as a legal basis. Controllers were repeatedly unable to provide evidence of a prior balancing test or risk assessment, leading the Commissioner to conclude that legitimate interest had been invoked retroactively rather than as part of a structured compliance process.
Consequences of inadequate documentation
The absence of documentation was not treated as a purely procedural shortcoming. Instead, it was directly linked to substantive violations of the principles of lawfulness, transparency and accountability. In several cases, the Commissioner explicitly stated that the failure to document assessments undermined the credibility of the controller’s arguments and prevented a meaningful review of whether less intrusive alternatives had been considered.
This approach aligns Serbian supervisory practice more closely with EU enforcement standards, where accountability is understood as an active and ongoing obligation rather than a formalistic requirement.
Employee Data and Workplace Monitoring
GPS tracking and continuous monitoring
Employee data processing remained a key enforcement priority in 2025, with particular emphasis on monitoring technologies. Several high-profile cases concerned the use of GPS systems in company vehicles, ostensibly for purposes such as asset protection, traffic safety and operational efficiency.
The Commissioner consistently held that continuous GPS monitoring represents a serious interference with employees’ right to privacy, as it enables real-time tracking of movement and behaviour. While acknowledging that asset protection may constitute a legitimate interest in principle, the Commissioner rejected blanket or speculative justifications. Controllers were expected to demonstrate actual risks, such as documented incidents of theft or misuse, and to explain why less intrusive measures would not achieve the same objectives.
Legitimate interest and the employment context
A recurring theme in these decisions was the inherent imbalance of power in employment relationships. The Commissioner reiterated that employee consent is rarely valid and that legitimate interest requires particularly careful assessment in the workplace context. Where controllers failed to demonstrate that employee interests and rights had been adequately weighed, processing was found to be unlawful.
Notably, in at least one case, the Commissioner concluded that the only possible legal basis for the proposed processing would be valid, freely given consent, while simultaneously highlighting the difficulty of obtaining such consent in practice. This tension illustrates the narrow space available for intrusive monitoring measures under Serbian law.
Data Breaches Arising From Routine Communications
Email disclosures as reportable breaches
Another prominent enforcement trend in 2025 concerned personal data breaches resulting from routine electronic communications. The Commissioner addressed multiple cases in which controllers disclosed email addresses of large numbers of individuals by sending group messages without using blind carbon copy (BCC) functionality.
In these cases, the Commissioner treated the disclosure of email addresses as a breach of confidentiality and integrity, regardless of whether sensitive data was involved. Importantly, the Commissioner emphasised that the absence of complaints from affected individuals does not negate the existence of a breach or the controller’s reporting obligations.
Failure to notify and organisational shortcomings
Controllers were criticised not only for the initial disclosure, but also for failing to recognise the incident as a personal data breach requiring notification. The Commissioner highlighted deficiencies in internal incident response procedures, staff training and awareness.
These decisions demonstrate that basic operational practices, such as email communication, are now firmly within the scope of enforcement scrutiny. Public authorities, educational institutions and other organisations handling large mailing lists are expected to have clear internal rules governing electronic communications.
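A pre-send check for the failure mode described above, as an added example (not the Commissioner’s guidance and not any mail product’s code): it assumes a constructed internal domain (`school.example`) and a threshold of two externally visible recipients, and rewrites the envelope so that outside individuals are moved to Bcc before the message leaves the organisation.

```python
"""Detect and correct group e-mails that would disclose recipients' addresses.

Added example, not from the original page. Assumptions (all constructed):
a set of 'internal' domains whose users may legitimately see each other, and
a threshold of external recipients visible in To/Cc above which the message
counts as a disclosure of personal data (e-mail addresses).
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses


@dataclass
class Finding:
    disclosed: bool                  # True if sending as-is would expose addresses
    external_visible: list[str]      # external addresses currently in To/Cc
    corrected_headers: dict[str, str]  # envelope to use instead


def _addresses(msg, header: str) -> list[str]:
    """Lower-cased addresses from every occurrence of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _dedupe(addrs: list[str]) -> list[str]:
    seen, out = set(), []
    for a in addrs:
        if a not in seen:
            seen.add(a)
            out.append(a)
    return out


def is_external(addr: str, internal_domains: set[str]) -> bool:
    return addr.rsplit("@", 1)[-1] not in internal_domains


def check_group_message(raw_message: str, internal_domains: set[str],
                        threshold: int = 2) -> Finding:
    """Flag a message whose visible recipients include >= threshold outsiders.

    Correction keeps internal colleagues (or, failing that, the sender) in To,
    empties Cc and places every external individual in Bcc, preserving any
    addresses that were already in Bcc.
    """
    msg = message_from_string(raw_message)
    to_addrs = _addresses(msg, "To")
    cc_addrs = _addresses(msg, "Cc")
    bcc_addrs = _addresses(msg, "Bcc")
    visible = to_addrs + cc_addrs
    external_visible = sorted({a for a in visible if is_external(a, internal_domains)})
    disclosed = len(external_visible) >= threshold

    if not disclosed:
        corrected = {"To": ", ".join(to_addrs),
                     "Cc": ", ".join(cc_addrs),
                     "Bcc": ", ".join(bcc_addrs)}
    else:
        internal_visible = [a for a in visible if not is_external(a, internal_domains)]
        corrected = {"To": ", ".join(_dedupe(internal_visible) or _addresses(msg, "From")),
                     "Cc": "",
                     "Bcc": ", ".join(_dedupe(bcc_addrs + external_visible))}
    return Finding(disclosed, external_visible, corrected)


# Constructed sample: a school circular with parents placed in To/Cc.
SAMPLE_DISCLOSING = """\
From: office@school.example
To: parent1@mail.example, parent2@other.example
Cc: teacher@school.example, parent3@isp.example
Subject: Excursion details

Dear parents, details of the excursion follow.
"""

# Constructed sample: the same circular sent correctly via Bcc.
SAMPLE_SAFE = """\
From: office@school.example
To: office@school.example
Bcc: parent1@mail.example, parent2@other.example, parent3@isp.example
Subject: Excursion details

Dear parents, details of the excursion follow.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_DISCLOSING, SAMPLE_SAFE):
        f = check_group_message(raw, {"school.example"})
        print("disclosure risk:", f.disclosed, "| external in To/Cc:", f.external_visible)
        print("send with headers:", f.corrected_headers)
```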
Protection of Children’s Personal Data
Online publication of photographs
The protection of minors’ data was another area of heightened enforcement activity. In several cases, the Commissioner examined the publication of photographs of children on websites operated by private entities, including commercial service providers and event organisers.
The Commissioner adopted a strict interpretation of applicable standards, holding that the online availability of children’s images constitutes processing that requires a clear legal basis and, in most cases, informed parental consent. The use of watermarks or technical limitations on image quality was deemed insufficient to mitigate the risks associated with public accessibility.
Data protection impact assessments and organisational duties
In addition to consent-related issues, the Commissioner criticised controllers for failing to conduct data protection impact assessments and for not appointing data protection officers where required. The absence of contractual arrangements with event organisers or other partners was also highlighted as a compliance failure.
These cases illustrate an increasingly holistic enforcement approach, in which the legality of processing is assessed in the context of the entire organisational and contractual framework, rather than in isolation.
Data Minimisation and Public Transparency
Publication of recruitment and appointment documents
A further important trend in 2025 concerned the application of data minimisation principles in the context of public transparency. The Commissioner addressed multiple cases involving the publication of recruitment decisions and ranking lists containing personal identification numbers and home addresses of candidates.
Controllers frequently argued that such disclosures were justified by transparency obligations or by the consent of candidates. The Commissioner rejected these arguments, emphasising that transparency does not require the publication of all personal data contained in official documents.
Rejection of consent as a legal basis
In line with earlier practice, the Commissioner reiterated that consent is generally not an appropriate legal basis in recruitment and employment contexts. Candidates are typically in a position of dependency, and consent obtained as a condition of participation in a procedure cannot be considered freely given.
This reinforces a broader enforcement message: controllers must design transparency mechanisms that respect data protection principles, rather than attempting to justify excessive disclosure through consent.
Security Measures and Organisational Compliance
Technical and organisational measures
Across multiple enforcement areas, the Commissioner placed strong emphasis on the obligation to implement appropriate technical and organisational measures. Failures to anonymise documents, restrict access or establish clear retention periods were repeatedly identified as violations.
The Commissioner noted that security obligations are dynamic and context-dependent. Measures that may have been acceptable in smaller-scale or analogue environments are no longer sufficient in digital and networked contexts.
Staff awareness and internal policies
Several decisions highlighted the absence of internal policies or the failure to implement existing ones effectively. Controllers were criticised for treating compliance as a one-time exercise rather than an ongoing organisational responsibility.
This trend suggests that future enforcement will increasingly focus on governance structures, training programmes and internal controls, rather than isolated technical failures.
Procedural Developments and Remedies
Use of warnings and corrective measures
During 2025, the Commissioner continued to rely primarily on corrective measures, such as warnings, orders to delete data and instructions to align processing with legal requirements. Monetary penalties remained relatively rare, reflecting a continued emphasis on corrective rather than punitive enforcement.
However, the detailed reasoning provided in decisions indicates a readiness to escalate enforcement where non-compliance persists or where risks to individuals are particularly high.
Interaction with complaints procedures
In complaints-based proceedings, the Commissioner further clarified the scope and limits of data subject rights, particularly in relation to erasure and access. Several decisions confirmed that data cannot be erased where retention is required by law or necessary for the achievement of legitimate processing purposes.
Legislative Outlook and Future Priorities
Towards a new Law on Personal Data Protection
In the introductory part of the 2026 publication, the Commissioner confirmed that work on a new Law on Personal Data Protection had progressed significantly during 2025, raising expectations of imminent legislative reform.
Although details of the proposed amendments have not yet been made public, the Commissioner indicated that the new law aims to be clearer, more precise and better adapted to contemporary technological realities, including AI and advanced digital systems.
Anticipated impact on enforcement
Given current supervisory trends, it is likely that future enforcement will place even greater emphasis on proactive compliance, risk assessment and governance. Controllers operating in Serbia should therefore view 2025 enforcement practice not merely as retrospective guidance, but as an indication of the standards that will be expected under the forthcoming legal framework.
Conclusion
Key trends include a strong emphasis on accountability, strict scrutiny of employee monitoring, heightened sensitivity to children’s data, and a firm application of data minimisation principles even in areas traditionally associated with transparency. As legislative reform approaches, these developments provide valuable insight into the direction of Serbian data protection law and the expectations placed on controllers in the years ahead.
Vlajkoviceva 28, 11000 Belgrade, Serbia
Tel: +381 11 3231 970 | Fax: +381 11 3245 065
office@mjb.rs | www.mjb.rs