Personal Data Protection: Serbia’s Vision for Data Protection 2023-2030

The importance of Personal Data Protection

The period from 2023 to 2030 calls for a robust Personal Data Protection Strategy, necessitating the enactment of new legislation to align with the General Data Protection Regulation (GDPR) and the Police Directive. This legislation aims to ensure the effective safeguarding of individuals’ rights and privacy.

In an era marked by the proliferation of electronic services and data exchanges across various governmental bodies and organizations, the importance of personal data protection has surged. To mitigate the risk of unauthorized access leading to identity theft, it is imperative to establish legal guidelines governing the copying and retention of citizens’ personal documents.

The Serbian Government, in response to the ever-evolving technological landscape and its implications on data protection and the business environment, unveiled the Personal Data Protection Strategy 2023 – 2030 in late August. This strategic move couldn’t have come at a more opportune time, considering the significant technological advancements and data processing surges since the previous 2010 strategy. The Serbian Data Protection Authority has long advocated for an updated strategy to steer data protection in the future.

The central objective of this strategy is to secure Serbia an adequacy decision from the European Commission, signifying recognition of Serbia’s data protection standards on par with those in the EU. Such recognition would facilitate data flow between Serbia and the EU, fostering enhanced business collaboration and greater integration of Serbia into markets fueled by major economies.

The Strategy highlights that the primary impediment to achieving this ambition lies in the deficiencies within the existing Personal Data Protection Law (DP Law) and other related legislation. Despite adopting GDPR articles nearly verbatim, the DP Law failed to incorporate GDPR’s recitals and address local nuances, making compliance interpretation challenging for companies and regulatory supervision less streamlined.

To address these issues, the Strategy first identifies key gaps in Serbia’s legal and socio-political framework and proposes a series of goals to achieve by 2030. A pivotal step involves aligning the DP Law with GDPR standards and harmonizing other laws with DP Law provisions. Interestingly, the Strategy prioritizes adopting legislation in areas where guidance is most lacking, aiming to establish regulations for video and audio surveillance, biometrics, and genetic personal data by the end of 2024, an ambitious endeavor given the complexity of these topics and the tight timeline.

The Strategy also commits to bolstering the enforcement of the DP Law, recognizing its historical weakness over the past 15 years. In contrast to GDPR, which allows fines of up to EUR 20 million or 4% of a company’s global annual turnover, the DP Law imposes fines limited to approximately EUR 17,000. The Strategy’s reference to the mechanism in Serbian Competition Law, which permits fines calculated as a percentage of a company’s turnover, signals a strong intent to amend the DP Law for more effective compliance enforcement.

Additionally, the Strategy aims to increase the number of appointed data protection officers for local companies and foreign companies operating in Serbia. It emphasizes the need for entities subject to the DP Law to adopt and maintain necessary internal documentation and outlines improvements to the legal remedy apparatus.

Finally, the Strategy underscores the importance of enhancing the capabilities of the Data Protection Authority, particularly in terms of IT and digitalization personnel. It seeks to raise public awareness about data protection through revised school curricula, employee training, roundtable discussions, and increased engagement with the Data Protection Authority’s website.

The introduction of the Personal Data Protection Strategy 2023 – 2030 in Serbia is a critical step toward aligning data protection practices with international standards. It prompts companies within or conducting business in Serbia to reevaluate their data protection measures and prepare for forthcoming changes in data protection regulations.

For more information on the data protection and privacy matters do not hesitate to contact our data protection team via