GDPR Compliance in Serbia

June 28, 2018 by Nebojša Stanković

Even though Serbia is on its way to becoming a member of the European Union and is not directly obliged to apply the GDPR standards which came into effect on May 25th, 2018, there are numerous legal and business reasons why companies and business owners in Serbia need to consider the legal application of GDPR in Serbia.

The most dynamic aspect of the world economy, the IT industry, is widely present in Serbia as well, in the corporate sense of the word – through branch offices and subsidiary companies whose work processes are often tied to countries within the EU. Although GDPR regulations are international and exactly the same for all countries, they have an indirect effect on how companies do business in Serbia.

All Serbian companies which are involved in the data analysis of individuals and business entities who are citizens of EU member countries, as well as the data analysis of those who are not the citizens of EU member countries but have a permanent residence on the territory of the EU, have the right to be protected by GDPR regulations. 
All companies, business owners or individuals who have access to or are in any way involved in gathering, processing, and using the personal data of individuals who are the citizens or temporary residents of some of the EU member countries are obliged by GDPR regulations to keep that data safe at all times.  

The Serbian legal system will likewise become compliant with GDPR regulations by the end of 2018, when the National Assembly of the Republic of Serbia is expected to establish a new Law of Personal Data Protection.

The outline of this law is in accordance with GDPR regulations to a great extent, which further emphasizes that Serbian citizens and residents will eventually need to apply these regulations fully, in all aspects.

While we are still waiting for Serbia to establish this Law of Personal Data Protection, the European Parliament already established the General Data Protection Regulation in 2016, which came into effect on May 25th, 2018.

The application of GDPR regulations will serve as a unique legal framework for personal data protection across Europe. The gist of this new European personal data protection framework is that each and every company which is involved in gathering and analysing personal data is obliged to be well-informed about the rights of the individuals concerned.

What is GDPR?

When we are talking about the General Data Protection Regulation or GDPR for short, we are actually referring to the new legal framework which is designed to determine how the personal data of the citizens of the European Union can be used.
As previously announced, GDPR came into effect on May 25th, 2018 and replaced the outdated Directive of Personal Data Protection from 1995. While this 1995 directive was still in effect, EU member countries were establishing their own local regulations, which is the reason why the laws regarding personal data protection across Europe were not coordinated.

With GDPR, a unique legal instrument with direct application in each of the 28 EU member countries, and some other countries as well, has been established. It has replaced all the various ways in which the previous directive had been applied.

Apart from this, GDPR also takes into account new technologies which were not covered by the previous directive, such as Big Data (data which is too extensive to be processed using standard computers only), mobile apps (Viber, Skype, WhatsApp), operating systems (Android, iOS), and social media platforms (Instagram, Facebook, Twitter, etc.).

So, each and every business and public entity which is in any way involved in the analysis of data of any individual who is either a citizen or a resident of EU member countries will be obliged to work in accordance with these new rules on personal data protection.

What kind of penalties can we expect if we don’t follow these regulations?

GDPR prescribes some rigorous penalties for not following its standards regarding personal data protection. The highest penalties can cost companies up to 20 million EUR or up to 4 percent of their global annual profits, depending on which of these amounts is higher.

For some less severe violations, companies may expect to pay up to 10 million EUR or 2 percent, or even less, depending on the severity of the violations that have been made. For instance, if some other, less relevant data has been misused, the penalty won’t be so high.

GDPR Compliance in Serbia, TV Kopernikus - Nebojsa Stankovic