On 10 August 2020, the Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner“) issued an official statement confirming that the recently annulled mechanism for the free transfer of personal data to the United States (better known as the “Privacy Shield Framework”) cannot be considered a lawful basis for the transfer of personal data anymore.

Namely, the Court of Justice of the European Union on 16 July 2020, rendered a historic decision declaring the Privacy Shield Framework invalid (you can find a more detailed analysis of this decision in our article here).

Considering the Act on Personal Data Protection of the Republic of Serbia prescribes that an appropriate level of personal data protection is provided in countries, in parts of their territories or in one or multiple sectors of specific activities in those states or international organizations as determined by the European Union, it follows that the annulled mechanism of personal data transfer to the United States of America cannot be considered valid on the territory of the Republic of Serbia as well.

Furthermore, the Decision of the Government of the Republic of Serbia on countries, the parts of their territories or one or multiple sectors of specific activities in those states or international organizations which are considered to provide an adequate level of personal data protection, specifically mentions the Privacy Shield Framework as the mechanism which provides an adequate level of personal data protection.

Having mentioned in mind, the Commissioner sent an official letter to the Government of the Republic of Serbia in which he emphasized the need for harmonization of the said Decision with the Act on Personal Data Protection and the caselaw of the Court of Justice of the European Union.

This initiative of the Commissioner came as a confirmation of what has already been determined by the said decision of the Court of Justice of the European Union. If you are processing personal data and have so far relied on the Privacy Shield Framework as the lawful basis for data transfers to the US, now would be the right time to comply with the newly established rules under which such transfer is permitted.

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

Contact:

Katarina Živković, Senior Associate
katarina.zivkovic@sog.rs

Dragan Martin, Junior Associate
dragan.martin@sog.rs