Preparing for the Worst, Hoping for the Best – Can You Insure Your Business for GDPR Fines?

June 15, 2020


Milan Samardžić



Dragan Martin


Junior Associate

Ever since the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) entered into force in 2018, companies around the world have put their best efforts into achieving full compliance. Despite those efforts, some companies have found themselves on the receiving end of enormous fines imposed by their national Data Protection Authorities.

Having in mind that the fines for violating the GDPR can be as high as 20 million euros or 4% of the annual worldwide turnover for the preceding financial year (whichever is greater), insuring your business against GDPR non-compliance may not be such a bad idea.

Consequently, insurance companies took notice and immediately started to offer insurance products for GDPR-related fines to the extent permissible by law (as explained in detail below).

Meanwhile, the Republic of Serbia adopted the Personal Data Protection Act (“PDPA”) in 2018, which was modeled after the GDPR. However, the upper thresholds for fines prescribed by the PDPA are far lower than those set in the GDPR. Additionally, the Serbian Data Protection Authority, i.e. the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”), has yet to issue a fine or initiate proceedings for a violation of the PDPA. This is likely the reason why insurance policies for such violations are not readily available in the Republic of Serbia at the moment.

It could be expected that similar insurance products will appear on the Serbian insurance market as the activity of the Commissioner increases over time.


Insurability of regulatory fines


In many jurisdictions across Europe, the insurability of GDPR fines has become quite questionable. The main obstacle to creating and selling such insurance policies has been regulatory limitations set by national law regarding the insurance of illegal conduct. For example, in countries such as France, Italy, Hungary, Ireland, and Germany, regulatory fines are not insurable as a matter of public policy, with very few exceptions. The legislators felt that allowing such insurance policies to exist would lessen the deterrent effect of fines and encourage more violations of the law.

The Contracts and Torts Act of the Republic of Serbia, in contrast, prescribes three requirements which an insurance contract needs to fulfill in order to be considered valid. The insured event stipulated by the insurance contract must be:


  • a future event
  • an uncertain event, and
  • entirely independent of the contracting parties’ will.


This would indicate that regulatory fines are insurable in the Republic of Serbia. However, the enforceability of such a policy may be questioned ex post if the insured party acted with intent or gross negligence.

Form of GDPR/PDPA related insurance products

Where allowed and to the extent permissible by law, a multitude of insurance providers offer products that cover GDPR fines, both in and outside the European Union. These products may be offered as part of a broader cyber-security insurance package or as a separate product. Furthermore, within the applicable regulatory requirements, it is the exact wording of the insurance policy that dictates its scope and nature.

Some products offer coverage for all GDPR-related breaches and the financial consequences of such breaches, while others cover only specific risks connected to GDPR violations (e.g. fines for not implementing appropriate technical and organizational measures).

In the Republic of Serbia, classes of insurance are enumerated in the Insurance Act. Having in mind the nature of the fines that could be issued on the basis of the PDPA and the GDPR, it is likely that these insurance products would be classified as financial loss insurance. This would depend, however, on the exact wording of the insurance policy and on whether it is offered as a separate product or as part of another existing policy amended to include coverage of PDPA and GDPR fines and/or the related financial consequences.


Availability of insurance products that cover GDPR/PDPA fines


Although there are numerous providers of insurance products covering GDPR fines globally, insurance products covering PDPA fines are not yet available in the Republic of Serbia, or at least not as a separate product. This may be due to the low amounts of PDPA fines, a lack of demand caused by the absence of any fines being issued, or a lack of awareness on the part of interested actors.

Be that as it may, even companies that consider themselves fully compliant with both the GDPR and the PDPA may want to consider purchasing such insurance, as there is still uncertainty surrounding the application and enforceability of the PDPA. On the other hand, insurance providers have an opportunity to seize this area of the market and acquire additional clients in the process.



This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.


Milan Samardžić, Partner

Dragan Martin, Junior Associate

