Bridging the gap between Serbian regulations and the GDPR: Serbia's Data Protection Strategy unveiled
In late August 2023, at the initiative of Serbia's Data Protection Commissioner (the "Commissioner"), the Government of Serbia adopted the Data Protection Strategy for the 2023-2030 period (the "Strategy"). The previous strategic document in this field was adopted in 2010 and did not make the anticipated impact, as neither the action plan nor the working group for its enforcement were established. As vast technological changes and increase in data processing happened in the meantime, the latest Strategy intends to pave the way to future changes of data protection regulation in Serbia by providing goals and mechanisms for their implementation. The most relevant goals and mechanisms are outlined below.
Future legislative changes
The text of the Serbian Data Protection Act (the "DP Act") is largely an adapted translation of the GDPR. However, the Strategy highlights its various flaws and provides the general direction in which future amendments will be made. First, the DP Act does not encompass the GDPR's preamble, which serves as the focal point for interpretation purposes. Furthermore, the DP Act does not adequately elaborate on procedural provisions for the Commissioner's handling of complaints. Numerous matters in the DP Act are either not addressed at all or not appropriately regulated, and there is a significant number of exceptions to the application of the DP Act, all of which negatively affect its effective implementation. The fines specified in the DP Act range up to approx. EUR 17,000, which, in comparison to the fines envisaged in the GDPR (up to EUR 2m or 4 % of a company's global annual turnover) discourages companies in Serbia from investing in compliance. The DP Act is not the only regulation that needs addressing. The Strategy states that the provisions of other Serbian laws related to personal data are not aligned with the DP Act.
Institutional framework and effective protection mechanisms
To enhance the institutional framework for data protection, the Strategy recognises that it is necessary to establish additional regional offices of the Commissioner and boost the number of specialised data protection officers. Improving personal data protection mechanisms requires an increase in capacity not only for the Commissioner but also for all data controllers and processors, as the Strategy recognises that a significant number of data controllers and processors in Serbia still do not fulfil their obligations arising from the DP Act. The Strategy addresses these issues by encouraging specialised training programmes for data protection officers at higher education institutions, establishing records of personal data processing activities and adopting internal data protection regulations. It is also necessary to increase the number of foreign data controllers (to whom the DP Act applies) who designate representatives in Serbia. The Strategy emphasises the need for a higher percentage of actions taken by public prosecutors on criminal complaints filed by the Commissioner and citizens, as well as for a higher percentage of cases resolved in courts to uphold rights based on personal data protection.
Data protection and digitalisation
Although the development of information and communication technologies is one of the main drivers of economic progress in modern society, the era of internet, smartphones, social media, and the increasing development and use of AI has made various personal data excessively accessible. In addition, video surveillance is still not systematically regulated by any law in Serbia, which often results in the purpose of personal data processing not being clearly defined and justified, nor is there an appropriate legal basis for processing. The Strategy notes that research shows that citizens prefer clear legal regulations to self-regulation, that they value anonymity, do not wish to be profiled, and are concerned about misuse by both the private and public sector, especially when it comes to genetic and biometric data. Therefore, it is necessary to provide closer guidance to data controllers and processors on the rules for processing genetic and biometric data, as well as how to conduct video surveillance in a manner that ensures that the purpose, scope and method of data processing are adequate. In addition, data controllers and processors should carefully consider the selection of data protection officers, as these individuals must have the necessary knowledge and experience to adequately assess the implications of modern technologies on individuals' rights and make appropriate decisions regarding the protection and confidentiality of their personal data.
The adoption of the Strategy is a welcome step in the further alignment of data protection in Serbia with the EU standards. As the Strategy itself outlines, its implementation is meant to result in Serbia securing an adequacy decision from the European Commission, reducing administrative burdens for data transfers between EU countries and Serbia. With its focus on raising public awareness of the importance of data protection through the organisation of various educational courses and trainings, the Strategy intends to prepare both the general populace and the Serbian authorities for the new era of increased digitalisation and the subsequent rise in data processing activities.