On Nov. 9, 2018, Serbia adopted the Personal Data Protection Law. The law went into effect the following summer, Aug. 21, 2019.

In general, the LPDP is harmonized with the EU General Data Protection Regulation, as this was the obligation of Serbia as an EU member candidate in the process of EU integration. Provisions of the LPDP mirror the normative provisions of the GDPR in almost all aspects, including provisions regulating the territorial application of the LPDP, legal basis for data processing, privacy by design, data subject rights, security of processing and personal data breach, data protection impact assessments and officers, and the transfer of personal data.

However, even after two years, the implementation of LPDP faces many difficulties, including obstacles from the start of LPDP as well as arising ones. 

Short preparation period and unpreparedness of the Serbian data protection authority

Unlike the GDPR's 24-month “vacatio legis,” the time between adoption and commencement of implementation of LPDP was only nine months. Excluding the international companies already operating in line with GDPR, this period was not long enough for most of the Serbian-based companies and public authorities to comprehend their responsibilities and prepare for all obligations stipulated by the LPDP.

Due to lack of organizational capabilities and qualified personnel, Serbia's data protection authority, the Commissioner for Information of Public Importance and Personal Data Protection, was not ready for such a short preparation period. The commissioner officially requested from the National Assembly of the Republic of Serbia the postponement of LPDP 18 days prior to commencement of its implementation. Although such request was not adopted and LPDP commenced with its implementation, this was a clear signal for companies their noncompliance with LPDP would likely not result in any enforcement, at least for a period of time.

Inconsistencies in LPDP provisions and noncompliance of other laws with LPDP

Though the LPDP is quite similar to the GDPR, the LPDP does not contain the recitals of GDPR that have proven to be a crucial source for better understanding and implementing the GDPR. This lack of recitals and adequate court practice makes some provisions of LPDP more difficult to interpret and requires consultation of GDPR recitals and European Data Protection Board opinions for implementation of the LPDP, even though they are not formal sources of law in the Republic of Serbia.

Additionally, the LPDP contains provisions that echo the EU's Law Enforcement Directive, which made unnecessary confusion in the systematization of the LPDP. A better solution might have been the adoption of a separate law to regulate this area and avoid mixing the standard processing of personal data with processing necessary in specific cases, such as purposes concerning national security.

Finally, other Serbian laws that regulate personal data processing are still not harmonized with LPDP, although, according to Article 100 of the LPDP, such alignment should have been done before the end of 2020. Since dozens of laws regulate personal data processing, it is clear there is a lot of work to be done from the legislation standpoint in this regard. 

Lower fines and their influence on both Serbian companies and global tech companies

Perhaps the most important point where the LPDP differs from the GDPR is regarding sanctions. According to the LPDP, the maximum fine imposed on companies is approximately 17,000 euros. Serbia's DPA is authorized to issue warnings to data controllers and data processors, order the correction or deletion of the collected data, and order rectification of other detected irregularities as well as directly fine the controllers and processors for certain misdemeanors with fines of 850 euros. For all other violations of the LPDP, the Court of Offences is entitled to impose fines.

Lower fines compared to the fines stipulated in the GDPR have been one of the biggest influences leading to the lack of motivation of some companies to make their business compliant with the LPDP, resulting in many still not within compliance today.

The lack of interest in complying with the obligations in the LPDP was especially obvious for some of the biggest global technology companies. Namely, pursuant to Article 44 of the LPDP — which mirrors Article 27 of the GDPR — controllers and processors outside of Serbia to which the LPDP applies to must appoint a representative in Serbia, who will be responsible for communication with the Serbian DPA and data subjects on all issues related to the processing of personal data.

Although the appointment of a representative in Serbia is essentially the same obligation all global tech companies that process personal data from EU data subjects face, only some of them nominated their representatives, such as Google, Yahoo and Upwork.

The reasons why some of these companies decided to appoint their representative in Serbia cannot be attributed to their potential ambition to avoid the fine penalty, as the fine for not appointing a representative in Serbia is only 850 euros. Rather, it is seemingly their intent to provide their Serbian users with the same level of rights as their EU users have in accordance with GDPR.

Implementation of the LPDP in practice

Despite the aforementioned obstacles, there is a certain percentage of companies that are compliant or are in the process of getting their business compliant with the LPDP. In addition to the international companies with established local business entities, most are companies whose businesses rely on the processing of personal data, such as IT or medical tech, as well as companies engaged in business relations with EU organizations, usually in the capacity of service providers, such as a data processor.

On the other hand, with few exceptions, most of the public authorities in Serbia are not compliant with the LPDP. Even with performing formal aspects of compliance, such as appointment of the DPO, there is still a long way to making an organization compliant with the LPDP. This is due in part to the lack of technical and organizational measures, but also to the lack of implementation of the LPDP's fundamental principles, such as lawfulness, fairness, transparency, data minimization principles and privacy by design.

According to the official report from Serbia's DPA, there were only 139 complaints lodged to the DPA in 2020, showing a very small percentage of people are using their rights. There are many reasons for this current situation, but potentially the most important ones are lack of awareness of the risks that may arise due to unlawful data processing as well as poor knowledge of data subject rights, which stems as a consequence of insufficient educational training and programs and must be remedied.

Once people start to use their rights more often, the number of companies and organizations that will harmonize their business with the LPDP can only grow.

Photo by Ljubomir Žarković on Unsplash