Although more than six years have passed since the adoption of the new Personal Data Protection Law (the “Law”), there are still practical uncertainties about when data controllers and processors must appoint a Data Protection Officer (DPO). Additionally, many foreign data controllers and processors subject to the Law have yet to fulfill their obligation to appoint a representative for personal data protection. This lack of compliance makes it harder for individuals to exercise their rights when it comes to the processing of their personal data.
Based on our extensive experience in this field, we’ve summarized the key aspects of these two issues below.
- DPO
According to the Law, similarly to the GDPR (General Data Protection Regulation), data controllers and processors are required to appoint a DPO in specific situations. These include:
- regular and systematic monitoring – when their core activities involve processing operations that, by their nature, require regular and systematic monitoring of a large number of individuals (e.g., surveillance services provided by video monitoring agencies);
- large-scale processing of sensitive data – when special categories of personal data (such as data on religion, ethnicity, race, political opinions, genetic or biometric data) are processed on a large scale;
- processing by public authorities – when processing is carried out by public authorities (e.g., government bodies, local governments or public institutions).
To enhance personal data protection and mitigate the risks of unlawful data processing, data controllers and processors can voluntarily appoint a DPO. This can be an internal employee or, in cases where no internal candidate has sufficient knowledge of data protection regulations, an external expert. In such instances, external DPOs are often law firms with experience and expertise in personal data protection.
If a DPO is appointed, controllers and processors must inform the Commissioner for Information of Public Importance and Personal Data Protection about the appointment.
- Representative of Foreign Controller and Processor
The Law applies not only to data controllers and processors based in Serbia but also to foreign entities that offer goods or services to individuals in Serbia or monitor the activities of individuals within Serbia. In such cases, foreign controllers and processors may be required to appoint a representative in Serbia to facilitate communication with Serbian individuals and ensure better protection of their data.
While some companies have appointed representatives in Serbia (typically law firms), many foreign controllers and processors have not fulfilled this obligation. Given the scale of their business operations in Serbia, many of them are likely obliged to do so. Failure to appoint a representative, despite being legally obligated, exposes these entities to potential sanctions. These may include bans on data processing or the export of data outside Serbia—measures that could significantly affect their operations in the country.
By addressing these requirements, both local and foreign entities can ensure compliance with the Law, minimize risks, and build trust with individuals whose data they process.
This text is written for informational purposes only and does not constitute legal advice. We are at your disposal for any additional information.
By Milorad Glavan, Partner, DNVG Attorneys