Đorđe Krivokapić, Share Foundation:

Serbia Awaited By GDPR Alignment

Serbia is harmonising with the General Data Protection Regulation, the adoption of which has created a unique legal instrument with direct application in all 28 EU member states and further afield

“The General Data Protection Regulation (GDPR) is a new legal framework that prescribes the way in which the personal data of EU citizens can be used. The main goal is to affirm, inform and encourage EU citizens regarding the importance of protecting their personal data and changing the way companies access and handle such data by providing greater legal certainty,” says the Share Foundation’s Đorđe Krivokapić.

When does the General Data Protection Regulation come into force in Serbia?

– Justice Minister Nela Kuburović announced during the conference on the new legal framework for personal data protection, held on 14th November, that the The working group of the Ministry of Justice has completed its work on the draft Law on Personal Data Protection and that a public debate on this regulation will be opened soon. However, interested members of the public have yet to receive the aforementioned draft to inspect.

The regulation provides a detailed overview of the rights of citizens and the obligations of organisations monitoring citizens’ behaviour and processing personal data, as well as measures that ensure compliance with rules on the protection of personal data and the implementing of sanctions for violating them. The European Parliament approved and adopted the GDPR in April 2016 and, following the expiry of the essential adaptation period, it will come into force on 25th May 2018. With the adoption of this regulation, a unique legal instrument has been created with direct application in all 28 EU Member States, but also further afield. Apart from the fact that it will be applied to organisations located within the EU, companies located in Serbia will also have to comply with these regulations if they offer goods and services to EU citizens or monitor their behaviour.

Regardless of the extraterritorial principle of application, Serbia – as an EU membership candidate country, is awaited by the adoption of the new Law on Personal Data Protection that is harmonised with the GDPR, which is also envisaged by the Action Plan for Chapter 23 in the framework of EU accession negotiations.

This is of crucial significance to the adequate exercising of citizens’ rights, but also the development of domestic companies that use personal data in their operations, given that this is the only way of ensuring legal certainty.

Which procedures and criteria form the basis for the way personal data is processed?

– The GDPR prescribes the basic principles of personal data processing: legality, fairness and transparency, deadlines for retaining information, limitations of purpose, accuracy, minimisation or the use of the smallest possible volume of data, integrity and confidentiality. More precisely, these principles prescribe that data may be processed only in accordance with the law and that the people to whom data relates must be informed with regard to processing and its purposes. The data must be accurate and updated as required. They must not be kept longer than necessary (as determined by the purpose of processing) and must be processed in a manner that ensures the adequate security of personal data, including protection against unauthorised or illegal processing and accidental loss, destruction or damage caused by the application of appropriate technical or organisational measures.

Djordje Krivokapic

The GDPR prescribes the basic principles of personal data processing: legality, fairness and transparency, deadlines for retaining information, limitations of purpose, accuracy, minimisation or the use of the smallest possible volume of data, integrity and confidentiality

To what extent does the domestic legal framework recognise the GDPR’s standards today?

– The current applicable Law on Personal Data Protection was adopted almost ten years ago, and it can be said to have remained in the same form until now. This law doesn’t properly regulate some of the key segments of personal data protection, such as video surveillance, biometrics, security checks and the private security sector. The Ministry of Justice formed a working group in 2013 which, two years later, without cooperation with the interested public, presented a draft of a new law that was of an unsatisfactory quality. The Share Foundation, together with 16 other civil society organisations, sent the Government of Serbia an initiative for the urgent adoption of the new Personal Data Protection Act. In the meantime, the Commissioner for Information of Public Importance and Personal Data Protection publicly presented a new Model Law, harmonised with the current standards of relevant European documents, and particularly with the General Regulation on the Protection of Personal Data. The working group continued working on a new draft. Finally, in a statement published on 20th November 2017, the Ministry of Justice announced that it would submit to the Government of Serbia by 24th November the working text, in order for a Conclusion to be brought on launching a public debate and creating conditions for the draft to be made publicly available for comments by the interested public. The Ministry adds that it is not late when it comes to harmonising with the newly adopted legal framework of the EU, given that it will only come into force on 25th May 2018.

It is crucial for Serbia’s private sector that the new law be harmonised with the GDPR, in order for domestic companies not to have to adjust their operations to adhere to two different regulatory regimes that would lead to higher costs and legal uncertainty.

What are the basic rules for applying the regulation to business?

– The basic rule for the application of the GDPR, when it comes to the private sector, is that if the organisation deals with the processing of personal data and has a representative office in the European Union it must fully harmonise its operations with regulations, regardless of where it does this and whose data it processes. However, the GDPR additionally extends the field of application beyond the EU in two cases:
• If an organisation is engaged in offering goods or services to EU citizens, regardless of whether that offer is related to payment.
• If an organisation deals with monitoring the behaviour of EU citizens, if their behaviour occurs within the EU. The term “monitoring” implies whether private individuals are monitored on the internet, including possible subsequent uses of personal data processing techniques that comprise the profiling of private individuals, in particular when it comes to making decisions related to those individuals or for analysing or predicting their personal preferences, behaviour and attitudes.

If an organisation from Serbia processes data on EU citizens it will, in many cases, be obliged to appoint a representative located on the territory of the EU. This can be a special representative office in one of the EU countries, but also a local lawyer or responsible person tasked with communicating with the relevant bodies of the EU.