The Law, containing the solutions contained in GDPR to a great extent, expands the scope of the rights of citizens (data subjects) and introduces new obligations for data controllers and processors. Moreover, the Law facilitates free flow of personal data between Serbia, EU and third countries. Commencement of the application of the Law harmonized with acquis communautaire, Serbia demonstrated its commitment to fulfill its obligations concerning Chapter 23 – Judiciary and Fundamental Rights, one of the most important chapters en route to full EU membership.
The main purpose of the Law is to enable data subjects to easily exercise their rights in regard to personal data processing and to make such processing transparent and lawful. However, it is a big challenge for public bodies and private companies to meet complex requirements stipulated by the Law. Both public and private companies will require competent personnel as well as resources for their businesses to be in compliance with the Law. New documents should be drafted, technical measures should be implemented, to the effect that the manner of performing of business operations should be restructured. The Commissioner has recently stated that his office will issue warnings rather than imposing fines to non-compliant public bodies and private companies for the first period of the application of the Law. Thus, the public entities and private companies will still have time to engage resources to comply with the Law and avoid penalties and lawsuits. It is expected from the Commissioner in the forthcoming period to use his powers to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing of personal data and to efficiently monitor and enforce the application of the Law.
Although the time period granted for the implementation of the Law (9 months) was shorter than it was for the implementation of the GDPR in the EU Member States (two years), we believe that the that implementation of the Law will have positive impact on data protection, since the practice can be created only if the Law is implemented and problems are resolved in the course of implementation. When created, practice will ease fulfillment of the new obligations and standards imposed by the Law.
The previous Law on Personal Data Protection, (“Previous Law”) failed to regulate numerous issues arising from data processing, especially bearing in mind the growth of the modern technology nowadays. Controllers have not been able to obtain consent from the data subjects on-line; consent could have been obtained only in writing, i.e. by handwriting signature or by electronic signature. Transfer of personal data to third countries has been subject to Commissioner’s approval. Controllers have been obliged to submit numerous documents in procedure, which has not been defined by the law and to wait for the approval of the Commissioner to transfer data to third countries for years. The Previous Law has not provided for legitimate interest as the ground for processing of personal data that made the application of the law impossible in many cases. The Law now provides rules that are up to date with the progress of technology and correspond to solutions contained in GDPR and therefore represents solid legal ground for the development of social relations in the field of data protection.