Modernizing Data Protection Regulation – Serbia Ratifies Protocol to the Convention 108

Modernizing Data Protection Regulation – Serbia Ratifies Protocol to the Convention 108

Serbia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

On 26 May 2020, Republic of Serbia ratified the Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, (CETS 223, “Protocol 223”). This makes Republic of Serbia the fourth country to ratify the Protocol 223 out of 38 signatory states.

Novelties introduced by the Protocol 223

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”) was adopted by the European Council on 28 January 1981 and has since been amended only once in 1999. The Convention 108 was the first international binding instrument of its kind, seeking to ensure protection of personal data on the global scale, as it was open for signing to both state-members of the European Council and non-members alike. However, vast technological advancements of the previous two decades coupled with adoption of General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) by the European Union warranted a need for another update.

The Protocol 223 was adopted and opened for singing by the European Council on 10 October 2018 as a welcome amendment to the Convention 108. The main goal of the Protocol 223 is to facilitate protection of personal data in relation to new information and communications technologies, as well as strengthen mechanisms for its implementation.

These amendments include:

  • stronger requirements regarding the proportionality, transparency, data minimization principles and lawfulness of the processing;
  • genetic and biometric data, trade union membership and ethnic origin are categorized as sensitive data;
  • obligation to declare data breaches;
  • new rights for the data subjects in an algorithmic decision-making context (particularly relevant in connection with the development of artificial intelligence);
  • stronger accountability of data controllers;
  • requirement that the “privacy by design” principle is applied;
  • application of the data protection principles to all processing activities, including for national security reasons, with possible exceptions and restrictions, and in any case with independent and effective review and supervision;
  • clear regime of transborder data flows (transfer of personal data to other countries);
  • reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation.

The Protocol 223 shall enter into force on 11 October 2023.

Connection to GDPR

GDPR consists of the original text and the Recitals aimed at providing additional information and clarity where it is needed. Recital no. 103 of GDPR states that the Commission of the European Union (“EU Commission”) may decide with effect for the entire European Union that a third country, a territory or specified sector within a third country, or an international organization, offers an adequate level of data protection. In such cases, transfers of personal data to that third country or international organization may take place without the need to obtain any further authorization.

Criteria for determining which country possesses an adequate level of data protection are set forth in the Recitals no. 104 and 105 accordingly. One of those criteria is accession to the Convention 108 and the Protocol 223. This means that the countries outside of the European Union or European Economic Area that were not yet determined as a third country providing an adequate level of data protection (“Adequacy decision”), have higher chances of achieving such a status if they sign and ratify both the Convention 108 and the Protocol 223. 

Importance to Republic of Serbia

Republic of Serbia signed and ratified the Protocol 223 on the initiative of the Commissioner for Information of Public Importance and Personal Data Protection from 18 March 2019. The initiative was addressed to the Ministry of Justice, explaining the importance of the Protocol 223 and the effects it would have on Serbian personal data protection legislation.

Even though the Serbian Data Protection Act has been modeled after GDPR, Republic of Serbia has not yet become a subject of the Adequacy decision of the EU Commission (Republic of Serbia is not a member of the European Union or European Economic Area). Ratification of the Protocol 223 could potentially bring Republic of Serbia closer to negotiations regarding its status in this capacity, along with strengthening existing personal data protection mechanisms. 

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

By Milos Velimirovic, Partner, and Dragan Martin, Junior Associate, Samardzic, Oreski & Grbovic