New Bylaws on the Serbian Data Protection Act

Miloš Velimirović
Partner

Nevena Milošević
Associate
The new Serbian Data Protection Act (“Act”), which implements the General Data Protection Regulation (GDPR) into Serbian legislation, came into force on 21 November 2018 and shall apply as of 21 August 2019. The Act delegates legislative power to the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) and entitles it to enact, within 9 months as of the date of the Act's entry into force, bylaws that will ensure that the provisions of the Act operate successfully.
The following bylaws have been adopted so far:
- Rulebook on Form and Method of Keeping Record of the Data Protection Officers
According to this Rulebook, the Commissioner keeps the unique record of data protection officers in digital form. This record contains data regarding the data controller, i.e. the data processor and data protection officer.
- Rulebook on the Form of Complaint
This Rulebook defines the form and content of a complaint that an individual can submit to the Commissioner if they consider that their personal data were processed contrary to the provisions of the Act.
- Rulebook on Form of Notice on Personal Data Breach and Method of Notifying the Commissioner for Information of Public Importance and Personal Data Protection on Personal Data Breach
As defined under this Rulebook, the controller has an obligation to notify the Commissioner of a personal data breach within 72 hours of becoming aware of the breach; otherwise, it will be obliged to explain the reasons for failing to act within the time limit. According to the Rulebook, the notification must contain the following information: data on the data controller, data on the personal data breach, a description of the possible consequences of the breach, a description of the measures undertaken or proposed by the controller, and other relevant data.
- Rulebook on Form and Method of Keeping Internal Records of Breach of the Data Protection Act and Methods Conducted While Performing Inspection
The Commissioner keeps the record of breach of the Act, which contains information on the person that violated the Act, the exact breach, the conducted method as well as the behavior regarding the conducted method.
- The decision on the List of Types of Data Processing Actions for Which an Estimation of Impact on Protection of Personal Data Must be Conducted and for Which an Opinion from the Commissioner for Information of Public Importance and Personal Data Protection Must be Sought
This Decision defines cases in which, prior to processing personal data, a data controller must perform an impact assessment and seek the Commissioner’s opinion.
All above-mentioned bylaws shall apply as of 21 August 2019, the same date as the Act itself. Since the Commissioner has been given legislative powers, the list of adopted bylaws should be expected to grow in the above-mentioned period.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
Contact:
Miloš Velimirović, Partner
milos.velimirovic@sog.rs
Nevena Milošević, Associate
nevena.milosevic@sog.rs