In recent times, more and more international companies are outsourcing their call centres and data processing facilities to Serbia.
This has opened a practice area which has, until recently, been relatively unknown to Serbian law professionals – transferring of personal data out of Serbia.
If the data collected and stored in Serbia is transferred to a country that is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the process is a simple one, possibly impeded only by technical matters.
However, if the data is to be transferred to a country not a party to the said Convention, among others USA, Canada and Australia, the process could turn out to be lengthy and demanding.
The transfer is supervised by the Commissioner for Information of Public Importance and Personal Data Protection. The Commissioner has the final saying on the demanded transfer and can authorise it or deny it.
In order to start the process, a company has to be registered as a personal data processor. This is done by registering at least one database with the Commissioner. This is done both on-line and in hard copy. It is an unwritten rule that the first database registered is an employee database.
For each database the Commissioner reviews legal basis for collection of the data and the justification of data collection. The legal basis and justification for data collection and transfer are under even more detailed scrutiny when it comes to data transfer outside of the Convention area.
The Commissioner has the discretionary right to deny a transfer if he deems it unjustified, or if he finds that the data security and the right of privacy of an individual will be put in jeopardy with the requested transfer. The consent forms are also put under detailed scrutiny, especially in cases where the Commissioner finds that the individual giving consent is not in position to refuse the consent, for example employees.
It is a common practice that a data transfer agreement and a consent form are redrafted several times before the consent is given.
According to unofficial estimates of the Commissioners own employees, from the moment when the procedure for database registration starts to the authorisation of data transfer, there is an average period of at least 6 to 8 months.
Therefore, it is a prudent business decision for a company planning to set up operations in Serbia that require data transfer to initiate the procedures for authorization on the first day after they receive their company registration from the Serbian Business Registers Agency.
By Marija Oreski Tomasevic, Partner, and Dusan Dincic, Senior Associate, SOG / Samardzic, Oreski & Grbovic