Until recently, there was no generally applicable obligation to report a personal data security breach in Serbia. Such an obligation existed only under certain sector-specific laws, such as the Law on Electronic Communications.
Under the Law on Electronic Communications (adopted in 2010 and last amended in 2018), electronic communication operators are obliged to undertake the following activities in relation to the security and integrity of public communication networks and services: (i) to report to the competent authority any breach of the security and integrity of those networks and services which significantly affected their operation, in particular any breach of the security or privacy of data relating to their subscribers or users; and (ii) to notify their subscribers of any risk of a data security breach and, where such a risk falls outside the scope of the measures which the operator itself is obliged to undertake, to inform them of the possible protective measures and the cost of implementing them.
The competent authority is the Regulatory Agency for Electronic Communications and Postal Services (RATEL). Its competence in the field of electronic communications includes, among other things, adopting subordinate legislation, deciding on the rights and obligations of operators and users, cooperating with relevant regulatory and expert authorities in Serbia and abroad, and participating in the work of international organizations and institutions in the field of electronic communications in the capacity of a national regulatory authority. Additionally, under the Information Security Law, RATEL has the role of the National Center for Prevention of Security Risks in Information-Communication Systems of the Republic of Serbia (CERT).
On the other hand, the previous Serbian Law on the Protection of Personal Data (dating from 2008) did not envisage any obligation to report a data security breach to the data protection authority (or to any other authority), or to notify data subjects of such a breach. This has now changed: the "old" law has been superseded by the new Law on the Protection of Personal Data (the "New DP Law"), which introduces both of those obligations.
The New DP Law was adopted on November 21, 2018, in order to align Serbian data protection legislation with the EU General Data Protection Regulation (GDPR). Although adopted in 2018, its application was postponed by nine months, until August 21, 2019, when it became fully effective.
Since August 21, 2019, data controllers (regardless of the field or industry in which they perform their business activities) have been obliged to comply with the data breach notification obligations set out in the New DP Law. The trigger is the level of risk to the rights and freedoms of natural persons: if a breach is unlikely to result in any such risk, no notification is required. If the breach is likely to result in a risk, the controller must notify the Serbian data protection authority (the Commissioner for Information of Public Importance and the Protection of Personal Data); if it is likely to result in a high risk, the controller must additionally notify the affected data subjects. Both notifications must be made without undue delay and, in the case of the notification to the Commissioner, no later than 72 hours after the controller becomes aware of the breach. A data processor, for its part, must notify the controller without undue delay after becoming aware of a breach.
If these obligations are not fulfilled, a legal entity may be liable for a misdemeanour and fined up to RSD 2 million (approx. EUR 16,950), and the responsible person within the legal entity may be separately liable for a misdemeanour and fined up to RSD 150,000 (approx. EUR 1,270).
It remains to be seen how these rules will be implemented in practice and how strictly the penal policy will be applied. In the meantime, data controllers should ensure that all measures, technical and otherwise, necessary to fulfil these obligations are put in place in a timely manner. Failure to comply may expose them not only to the liability and fines described above, but also to significant reputational risk. Such risk, if realised, may cause irreparable damage to their businesses, particularly where those businesses involve the processing of personal data of a large number of data subjects and/or a broad range of personal data, as is the case, for example, in the telecommunications and media sectors.
By Goran Radosevic and Sanja Spasenovic, Independent attorneys at law in cooperation with Karanovic & Partners
This article was originally published in Issue 6.8 of the CEE Legal Matters Magazine.