The European Union (hereinafter: “EU”) has rendered on October 1995 the Data Protection Directive in order of creating necessary conditions for processing and transfer of personal data, and on April 2016 rendered the new General Data Protection Regulation that becomes applicable on May 25, 2018 and introduces a number of novelties and a different regime of personal data protection, not only for the companies and citizens of the EU, but also companies and subjects outside the EU, by expanding the territorial application principle.
GDPR shall be directly applied not only to the companies established in the EU, but also:
• companies which are not established in the EU, but offer goods and services to the citizens of EU, whereas the criteria for assessment shall include the prospects of the offer and business intentions and plans of the company; and
• companies which are not established in the EU, but profile or in some other way monitor the behaviour of the citizens of the EU (such as online marketing services for the citizens of EU).
Personal data is defined quite broadly, as any data that refer to an identified or identifiable natural person, including indirect identification through for instance static IP addresses. Personal data refer not only to information about a specific natural person, but also to what he or she rights or creates (such as photos or social media posts), covering all areas, including business information, as well as biometrical and genetic information.
Significant novelties introduced by the GDPR that may influence the business of Serbian companies if these fall under any of the given criteria, include the following:
1) Terms and conditions for providing consent of the person whose personal data is being processed are now stricter, setting forth that the consent must be provided in an unambiguous way, through a statement or clear confirmation;
2) The rights of the persons whose personal data are being processed are regulated in more detail, so it is prescribed that such person is entitled to a confirmation from the processor and entitled to access processed personal data; entitled to, without delay, receive correction of all false data that refer to him or her; entitled to ask from the processor to delete personal data that refer to him or her, if one of the conditions prescribed by the GDPR are met (personal data are no longer necessary, the person revokes the provided consent and there are no other grounds for processing, the person objects, personal data were illegally processed etc.); entitled to data transfer; entitled to object etc.;
3) GDPR introduces pseudonymization as the way of processing personal information so that these can no longer be assigned to a specific person whose information are being used, without the use of additional information, under the condition that such information are kept separately and are subject to technical and organizational measures in order of ensuring that personal data are no longer attributed to the person whose identity is identified or could be identified, the personal data encryption as a process of transforming information into encrypted form so that these remain hidden from unauthorized persons, as well as certification as a protection mechanism for information, stamps and information marks in order of providing evidence that the processing was done in accordance with the GDPR;
4) Obligation of processors that are not established in the EU to appoint the EU representative in writing, is also introduced;
5) GDPR prescribes the right to judicial protection if the information are processed in breach of the GDPR, by adding an alternative Court jurisdiction for this kind of disputes, besides the corporate seat of the controller or processor, also the habitual residence of the person whose information have been processed, meaning that Serbian companies could be sued before the Courts in the EU and such verdicts could be enforced, upon recognition, in the territory of Republic of Serbia;
6) Penalties prescribed by the GDPR reach the amounts of EUR 20,000,000.00 or 4% of the total yearly income in the previous fiscal year.
Besides the GDPR that regulates the personal data protection, related matter shall be additionally regulated by the E-Privacy Directive, still in draft, which should replace the previous Privacy and Electronic Communications Regulations and jointly with GDPR completely regulate the matters of data protection.
Currently applicable regulation in Serbia is the Law on Personal Data Protection („Official Gazette of the RS“, no.97/2008, 104/2009-other law, 68/2012-decision of the CC and 107/2012), that has not been harmonized with the GDPR, why the Ministry of Justice has prepared on December 2017, the draft of the Law on Personal Data Protection which underwent the public debate in January 2018, and is currently before the European Commission in Brussels.
For any additional questions, explanations and help with application of the GDPR, feel free to contact Tasić & Partners team at +381 11 6302233 or to reach us via e-mail [email protected] or [email protected].