In light of the new EU data protection regime shaped by the GDPR, Serbia enacted a new Data Protection Law earlier this year, with its application postponed to 21 August 2019. The new law was long awaited: 10 years have passed since the existing law was adopted, and even at that time it was already outdated (e.g. it recognized only consent in written form and almost completely restricted data transfers to non-European countries).
The new law is, to a large extent, a copy of the GDPR – perhaps too large an extent, as critics of the new law (including the Serbian Data Protection Authority, the "DPA") argued that the GDPR was transposed poorly, without the much-needed harmonisation with the Serbian legal framework. In addition, the GDPR's recitals (all 173 of them) were neither copied nor otherwise implemented in the new law, which may create a number of issues in its future interpretation. The new law also fails to regulate certain important data protection aspects, such as video surveillance, which in the EU are regulated by other EU and national legislation.
That being said, the new law undoubtedly marks a revolution in the way personal data should be handled in Serbia, similar to what the GDPR did for the EU, and perhaps even more so, since the EU's previous data protection framework was far less outdated than Serbia's. It is rightly expected to result in an extensive range of adjustment activities by Serbian companies, not just legal but also technical and organisational ones, in order to prepare for the comprehensive changes that will take effect in nine months.
Some of the most important changes are summarised below.
1. The scope of the new law
The new law will apply not only to the processing of data carried out by Serbian controllers and processors, but also to processing by controllers and processors based outside Serbia whose activities relate to offering goods or services (even free of charge) to data subjects in Serbia or to monitoring the behaviour of data subjects within Serbia. For example, a company outside Serbia targeting consumers in Serbia will be subject to the new law, which has not been the case so far. As a result, a number of these controllers and processors will need to appoint representatives in Serbia, whom the DPA and data subjects can address on all issues related to the processing.
2. Data processing consent: new forms and stricter requirements
As opposed to the existing law, which recognizes only hand-signed consent in written form (creating significant issues in the digital age), the new law explicitly introduces other forms as well, such as online and oral consent, or consent by another clear affirmative action, provided that the controller is able to demonstrate that the data subject has indeed consented.
On the other hand, the conditions for obtaining consent have become much stricter – consent must be freely given, specific, informed and unambiguous. For example, consent is presumed invalid unless separate consents are obtained for different processing operations, where appropriate, and a request for consent presented in a written document must be clearly distinguishable from all other matters and use clear and plain language, i.e. catch-all clauses will not be valid. In addition, consent will not be considered freely given if the performance of a contract is made conditional on consent to the processing of personal data that is not necessary for its performance.
Consent is not the only legal ground for data processing – others exist as well, such as the performance of a contract, compliance with a legal obligation or processing necessary for legitimate interests, and these will in fact be used much more often than consent.
3. New and expanded data subjects' rights
The new law significantly expands the existing right of individuals to receive information about the processing of their personal data and to access it. Data controllers must provide information to data subjects in a more comprehensive manner, and in particular must inform them of certain rights, such as the ability to withdraw consent, and of the period for which the data will be stored. The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. However, this will be hard to achieve given that the elements that must be included in the information are quite excessive, which companies should carefully address when analysing and updating their existing information notices.
In addition, the new law introduces a new right to data portability and provides additional details concerning the erasure of personal data. The right to data portability entitles an individual to demand that the controller provide him with his personal data, or transmit it directly to another controller, in a machine-readable format, if the relevant processing was automated and based on consent or on the performance of a contract. The right to erasure obliges the controller to erase the data without undue delay upon the individual's request if the personal data is no longer necessary for the purpose of the processing, if there is no legal basis for the processing (including cases where consent has been withdrawn), or if the data is otherwise processed contrary to the law; it even requires the controller to take reasonable measures to notify other controllers processing the same data of the erasure request received.
4. Removal of the database registration obligation
One of the important novelties under the new law is the removal of the existing obligation to register personal databases with the DPA, which has so far been largely ignored in Serbia. Under the new law, controllers and processors will only be required to maintain the database records internally and, in certain cases, even that obligation will not apply to companies with up to 250 employees. The maintenance of the Central Register of Databases, established under the existing law, has been terminated by the new law with immediate effect.
5. Data Protection Officer
Controllers and processors will be required to designate a data protection officer ("DPO"), whose primary tasks will be to ensure compliance with data processing legislation and to communicate with the DPA and the data subjects on all data protection matters. This obligation applies if: (i) the processing is carried out by a public authority, or (ii) the core activities of the controller/processor require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data (e.g. health data or trade union membership) or of data relating to criminal convictions and offences.
The DPO may be an employee or engaged under a service contract, and in any case must have sufficient expert knowledge. A group of companies may appoint a single data protection officer, provided that he is equally accessible to each company.
Controllers and processors are required to ensure the DPO's independence in the performance of his tasks, meaning that he may not be given instructions, that he reports directly to the management of the controller/processor, and that he may not be dismissed or penalised for performing his tasks.
6. Accountability, data security and privacy by design & by default
As with the GDPR, the new law introduces burdensome accountability obligations on data controllers, which are required to "demonstrate compliance". This includes their obligation to: (i) implement, maintain and update appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, etc.; (ii) have certain documentation in place, such as data protection policies and records of processing activities; (iii) implement data protection by design and by default; and (iv) conduct a data protection impact assessment for processing operations considered to pose a higher risk to the rights and freedoms of individuals.
Data protection by design requires controllers to adopt, and to maintain and update when needed, appropriate measures (such as pseudonymisation and data minimisation) that integrate the safeguards necessary for the processing. Data protection by default, on the other hand, requires controllers to adopt measures ensuring that, by default, only the processing necessary for the specific purpose is possible (e.g. that the default privacy settings of a social network profile do not make the user's data public).
7. Liberalised data transfer concept
The data transfer regime has been completely revamped and liberalised under the new law, a much-welcomed change from the current overly restrictive concept, which requires controllers to obtain prior approval from the DPA for transfers to non-European countries. The new law explicitly applies to both direct and indirect data transfers, unlike the existing law, for which it is not fully clear whether it covers indirect transfers at all.
Under the new law, controllers will be entitled to transfer personal data abroad if one of the following conditions (amongst others) is met:
- personal data is to be transferred to a country that ratified the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data;
- data transfers are performed to a country included on the EU list or the Serbian Government's list of countries providing an adequate level of data protection;
- data transfers are performed to a country which has a bilateral agreement with Serbia regulating data transfers;
- the transfer is based on the standard contractual clauses prepared by the Serbian DPA;
- the transfer is based on binding corporate rules or a code of conduct approved by the Serbian DPA, or on certificates issued in accordance with the new law;
- the Serbian DPA has issued a specific approval for the transfer to be performed on the basis of an agreement between the data exporter and the data importer; and,
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks.
This should open up many more options for the transfer of data to non-European countries, especially once the DPA prepares the standard contractual clauses, which should be based on those approved by the EU Commission. In addition, the process of obtaining the DPA's approval for such transfers is expected to be more efficient and to be completed within 60 days; currently, the procedure often lasts more than one year.
8. Personal data breach obligations
Data breach obligations are a significant novelty introduced by the new law, as they previously existed only for controllers in specific sectors. Under the new law, data controllers will generally be required to document every data breach and to notify the DPA of most of them without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In addition, data processors will have to notify controllers of a breach without undue delay.
If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is also required to communicate the breach to the affected individuals without undue delay. However, this does not apply if the controller has implemented appropriate technical and organisational measures (e.g. encryption) that rendered the relevant data unintelligible to any unauthorised person, or if the notification would involve disproportionate effort, in which case a public communication or a similar measure must be used to properly inform the individuals.
9. Sanctions and enforcement
The new law is generally harmonised with the GDPR in almost all aspects, with certain local specificities, except with respect to sanctions – the maximum fines which may be imposed on companies are up to approx. EUR 17,000, rather than the GDPR's EUR 20 million or 4% of the company's global annual turnover. As before, the DPA remains authorised to issue warnings to data controllers and processors, to order the correction or deletion of collected data and the rectification of other detected irregularities, etc., but it is now also able to directly fine controllers and processors in certain situations, with fines of approx. EUR 850; currently, only the Court of Offences is entitled to impose fines.
However, formally speaking, under the Law on Administrative Procedure the DPA is also authorised to enforce its orders by threatening the company with a fine of up to 10% of its annual income in Serbia should it fail to comply with the order. This is a relatively new option for Serbian authorities which, to the best of our knowledge, has not yet been tested in practice.
What does the future bring?
Now it is the controllers' and processors' turn: by the summer of 2019 they will have to bring their data processing operations into compliance with the new law, which will be neither a quick nor an easy task. At the same time, the DPA will also have a lot on its plate in preparing for the new law, especially in resolving a number of the law's ambiguities raised during the public debate, preparing the standard contractual clauses, and raising public awareness of the approaching data protection overhaul.