New Bylaws on the Serbian Data Protection Act

July 17, 2019

New Bylaws on the Serbian Data Protection Act

July 17, 2019

Miloš Velimirović

Miloš Velimirović

Partner

Nevena Milošević

Nevena Milošević

Associate

The new Serbian Data Protection Act (“Act”), which implements the General Data Protection Regulation (GDPR) into Serbian legislation, came into force on the 21 November 2018 and shall apply as of the 21 August 2019.  The Act delegates legislative power the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) and entitles it to enact bylaws, which will ensure that the provisions of the Act will operate successfully, within 9 months as of the date of its entry into force.

The following bylaws have been adopted so far:

  1. Rulebook on Form and Method of Keeping Record of the Data Protection Officers

According to this Rulebook, the Commissioner keeps the unique record of data protection officers in digital form.  This record contains data regarding the data controller, i.e. the data processor and data protection officer.

  1. Rulebook on the Form of Complaint

This Rulebook defines the form and content of a complaint that an individual can submit to the Commissioner if they consider that their personal data were processed contrary to the provisions of the Act.

  1. Rulebook on Form of Notice on Personal Data Breach and Method of Notifying the Commissioner for Information of Public Importance and Personal Data Protection on Personal Data Breach

As defined under this Rulebook, the controller has an obligation to notify the Commissioner on personal data breach within 72 hours as of knowing of the breach, otherwise, they will be obliged to explain the reasons for failing to act within the time limit.  According to the Rulebook, the notification must contain the following information: data on the data controller, data on personal data breach, description of possible consequences of the breach, description of measures undertaken or proposed by the controller and other relevant data.

  1. Rulebook on Form and Method of Keeping Internal Records of Breach of the Data Protection Act and Methods Conducted While Performing Inspection

The Commissioner keeps the record of breach of the Act, which contains information on the person that violated the Act, the exact breach, the conducted method as well as the behavior regarding the conducted method.

  1. The decision on the List of Types of Data Processing Actions for Which an Estimation of Impact on Protection of Personal Data Must be Conducted and for Which an Opinion from the Commissioner for Information of Public Importance and Personal Data Protection Must be Sought

This Decision defines cases in which, prior to process personal data, a data controller must perform an impact assessment and seek the Commissioner’s opinion.

All above-mentioned bylaws shall apply as of 21 August 2019, the same date as the Act itself.  Since the Commissioner has been given legislative powers, the list of the adopted bylaws should be expected to grow in the above mentioned period.

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

Contact:

Miloš Velimirović , Partner
milos.velimirovic@sog.rs

Nevena Milošević, Associate
nevena.milosevic@sog.rs

OTHER NEWS

The New Serbian Legal Framework for Internships to Be Adopted

The New Serbian Legal Framework for Internships to Be Adopted

 At the end of 2021, a public debate was held in the National Assembly on the Draft Law on Work Practice. The Draft itself is a reaction to relatively unfavourable basic labour market indicators, which predict that young people in Serbia lag behind their peers in...

read more
NFTs in the Light of Trademark Law

NFTs in the Light of Trademark Law

 Recently, non-fungible tokens (“NFTs”) have become the subject of significant public attention, primarily due to the high amounts of money allocated for their purchase. For example, it is estimated that the worth of the global NFT market in 2021 was about 41...

read more
What Is a Data Protection Officer (DPO)?

What Is a Data Protection Officer (DPO)?

 Data Protection Officer (“DPO”) is a person overseeing a company’s data protection strategy and implementation in order to ensure compliance with General Data Protection Regulation (“GDPR”) requirements. Any company that processes or stores personal data is...

read more

Let's connect

Let us know how we can help you and your business.