Predrag Groza




11. 07. 2019.

New Law on Personal Data Protection in Serbia

Newsletter 116

The Republic of Serbia adopted a new Law on Personal Data Protection (the "Law") in November last year; however, its application has been postponed until 21 August 2019.

The Law is an expected step forward, albeit coming with a significant delay, in the context of developments in Europe surrounding the GDPR and harmonization of our regulations as part of the accession process to the European Union.

In line with the GDPR, the Law brings numerous and fundamental novelties into the domestic legislation, especially if we have in mind that the current law had long ago become outdated and was de facto inapplicable in the modern business and living environment.

Therefore, the main goal of the Law has been to ensure, in the era of the internet and information technologies, adequate and efficient protection of personal data, guaranteed as one of the major human rights and freedoms under the Constitution of the Republic of Serbia.

This system of protection includes:


  • clear and transparent regulation of general principles and legal grounds for lawful processing which must cover each and every instance of data processing,
  • improved regulations governing the exercise of data protection rights by individuals,
  • regulation, for the first time under a law, of mutual relations between the controller and the processor, including the liability in case of violation of an individual’s rights,
  • better governance of data security by prescribing more security measures and procedures in case of a data breach,
  • introduction of impact assessment prior to commencement of data processing (being mandatory in certain cases),
  • more detailed regulation of data transfer outside of Serbia,
  • introduction of new institutes, such as officer for personal data protection (corresponds to DPO in the European Union),
  • new authorities of the Commissioner for Information of Public Importance and Personal Data Protection,
  • etc.


Of course, although we now have a significantly improved legal framework, it remains to be seen in practice to what extent Serbian controllers and processors are really prepared for the commencement of the application of the Law in terms of adjusting their data processing to the new statutory obligations and requirements.

Lastly, the Law prescribes monetary penalties of up to 2 million dinars, an amount considerably lower than that under the GDPR. However, one should stay alert, since the adoption of the Serbian Law does not exclude the possibility (risk) of the application of the GDPR against Serbian controllers or processors in case they should, in the course of offering goods / services or monitoring behaviour, collect and process the data of individuals who are located in the European Union.

For any question you may have in regard to personal data protection you may contact me at .