November 25, 2008

Law on Personal Data Protection

The Law on Personal Data Protection (“the Law”) was published in the Official Gazette no. 97/2008 and will be applicable as of January 01, 2009.

The Law regulates the conditions for collection and processing of personal data, the rights and protection of the persons whose data are being collected and processed, limitations of the protection of personal data, recording of personal data, transfer of personal data from the Republic of Serbia to other countries, and supervision of the implementation of this Law.

Protection of personal data is granted to any physical person, regardless of his/her nationality, place of residence, race, age, sex, religion, social status, education, etc. The protection of personal data will be within the competence of the Controller of Information of Public Importance ("the Controller"), as an autonomous state body, independent in the performance of tasks that fall within its competence.

The terms used in this Law shall have the following meaning:

"Personal Data" means any information relating to a physical person regardless of the manner in which it is expressed (paper, tape, film, electronic media, etc.), in whose name or on whose behalf the information is collected, the date or place where the information has originated, etc.

"Processing of Personal Data" means any action undertaken in connection with data, such as collection, recording, multiplying, copying, retrieval, organization, storage, adaptation or alteration, alignment or combination, consultation, use, disclosure by transmission, dissemination or otherwise making available, blocking, erasure or destruction or otherwise making unavailable, whether or not by automatic, semi-automatic, or other means. 

"Personal Data Processor" means a physical or legal entity or governmental body that processes the data.

A physical person has to give his/her consent for the processing of personal data. The consent may be given in writing or verbally, on the record. The consent may also be given by an attorney holding a certified power of attorney. The consent may be revoked.

Processing of personal data is allowed without any consent:

  • (i) In order to protect some important interests of a person, especially life, health and physical integrity;
  • (ii) With the aim of meeting the obligations determined under law, by-laws rendered in accordance with the law, or a contract concluded between the person and the Personal Data Processor;
  • (iii) In other cases determined under the Law.

The Personal Data Processor is required to notify the person whose data are being processed about the purpose of the data collection, manner of use of collected data, right to revoke the consent, and of other relevant rights.

Processing of personal data is not allowed, inter alia, in the following cases: when a physical person has not given his/her consent, i.e. if the processing of personal data is carried out without any legal basis; when processing of personal data is carried out for purposes other than the one determined; when the purpose of the processing of personal data is not clearly determined, or it is amended, unlawful or already accomplished; when the data that is being processed is unnecessary or unsuitable for the implementation of the processing purpose, etc.

"Sensitive Personal Data", i.e. data relating to race or ethnicity, political orientation, religious beliefs, physical or mental health, sexual orientation, conviction of criminal offences, may be processed only upon the receipt of a written consent containing designation of the data that is being processed, the purpose of processing, and the manner of use.

The Personal Data Processor is required to inform the Controller of its intent to start the processing of personal data or to create a database, as well as to provide the Controller with the relevant information, 15 days prior to the beginning of the processing of personal data or the creation of the database.

A person has the right to request from the Personal Data Processor to be fully and truthfully apprised of his/her data that is being processed, the purpose of the processing, the user of the processed data, the legal grounds for the processing of personal data, the time periods of processing of personal data, etc. Furthermore, the person has the right to review his/her data that is being processed, including the right to inspect, listen and make notes, as well as to copy his/her data that is being processed. Finally, the person has the right to request correction, amendment, update and, under certain conditions, deletion or termination of processing of personal data.

A request for information, for inspection, or to make copies needs to be submitted to the Personal Data Processor in writing. The Personal Data Processor is obliged to give the requested information within 15 days, and to allow the inspection and/or issue copies within 30 days, as of the receipt of the request.

The requesting party has the right to file a complaint with the Controller against the decision of the Personal Data Processor under which his/her request has been rejected or denied, if the Personal Data Processor has not responded to the request within the prescribed time, if the Personal Data Processor has not granted the inspection or has not issued a copy of the data requested, etc. The Controller is obliged to decide on the complaint within 30 days as of the day the complaint is filed. The decision of the Controller is final and enforceable.

The Controller is, inter alia, competent to: supervise data protection, decide on complaints, keep the Central Registry, supervise and permit the transfer of data from the Republic of Serbia, give suggestions and recommendations for improvement of data protection, prepare a list of countries and international organizations which have appropriate systems of data protection, etc.

The data may be transferred from the Republic of Serbia to another country/member of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data of the Council of Europe.  The data may also be transferred to a non-member country if that country has secured the level of personal data protection in accordance with the Convention.

The fines for the data collection and processing carried out contrary to the provisions of this Law range from RSD 50,000 to RSD 1,000,000.