One might wonder what this has to do with companies operating in Serbia, which is not a member of the EU. But Serbian companies are impacted either as data importers or in the event of extended application of the GDPR. If you are a multinational company receiving personal data from the EU or are running a business that could fall under extended application of the GDPR, you should definitely examine this topic as soon as possible.
Just over two years ago we saw yet another invalidation of the EU-US personal data transfer mechanism. Only this time, the invalidation had more far-reaching consequences than its predecessor.1 The Court of Justice of the European Union ("ECJ") rendered a judgment in the case C-311/18 of 16 July 2020 that became viral, widely known as "Schrems II".2 In short, this decision invalidated a mechanism that enabled free flow of personal data between the EU and the United States: the Privacy Shield Framework.
The ECJ's decision did more than just invalidate a single document. Schrems II led to the enactment of new Standard Contractual Clauses in the EU ("New SCCs"), which in turn introduced a new obligation for data exporters and importers: a Transfer Impact Assessment.
What is a Transfer Impact Assessment?
In addition to invalidating the Privacy Shield Framework, the ECJ also examined the validity of the most common mechanism for introducing additional safeguards during international transfers – standard contractual clauses applicable at the time.
Although the ECJ found that standard contractual clauses should remain applicable as a safeguarding measure per se, it concluded that the data exporter and importer must ensure that they are enforceable under the laws of the importing country in terms of the rules and regulations surrounding the government's access to data and covert surveillance. It is the idea that standard contractual clauses can only be deemed reliable safeguards if the national jurisdiction of the data importer does not prevent it from the obligations enshrined in the standard contractual clauses.
This prompted the EU Commission to enact New SCCs in June 2021, which introduced the Transfer Impact Assessment as a new obligation for all data exporters and importers. Even though no official guide or template has been published yet, each Transfer Impact Assessment should be an exercise in serious examination of data importers' laws regulating governments' and authorities' access to the transferred personal data and its compliance with the GDPR. This assessment is supposed to show whether the government and authorities of the importing country can access personal data subject to transfer as both a matter of law and practice and, if so, whether those modalities of data access are proportional and based on solid legal grounds.
The EU Commission gave an 18-month transition period for all organisations to align with the New SCCs and prepare Transfer Impact Assessments. This period ends soon – on 27 December 2022.
Impact on Serbian companies
If you run a Serbian-based endeavour, you are probably thinking "what does all this have to do with me?" Even though Serbia is not an EU Member State, there are still ways in which Schrems II impacts Serbian companies directly.
First, if you are offering goods or services in the EU or monitoring the behaviour of EU residents insofar as this takes place within the EU, you are obliged to comply with the GDPR and therefore with the New SCCs. For example, you may be a travel agency advertising its newest "Touring Serbia" package to EU tourists, or perhaps a gaming developer trying to penetrate the EU market by advertising its latest game through social media in the EU. This would entail an obligation to comply with the GDPR and to conduct a Transfer Impact Assessment when transferring data to countries not covered by the EU adequacy decision.
Second, even if you are not obliged to comply with the GDPR, chances are your EU-based business partner or your shareholder/affiliate (member of your corporate group) is. Therefore, you should expect to be asked to perform a Transfer Impact Assessment, as under the New SCCs you presumably know the laws in your jurisdiction better than the EU-based exporter and have an obligation to assist the data exporter in compiling the Transfer Impact Assessment.
Eventually, Serbia may become a subject of the EU adequacy decision or even an EU Member State. Until then, any Serbian controller or processor would be wise to have answers to the questions the Transfer Impact Assessment poses already in place and to take a proactive approach to this cumbersome task.
1 ECJ Case C‑362/14, 6 October 2015, available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62014CJ0362.
2 Full text of the decision available at: https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en.