Data Protection and Privacy 2025

SERBIA Law and Practice Contributed by: Vladimir Djeric, Katarina Radovic and Lena Petrovic, Mikijelj, Janković & Bogdanović

1. Legal and Regulatory Framework

1.1 Overview of Data and Privacy-Related Laws

The Constitution of the Republic of Serbia contains several provisions relating to the protection of privacy, including the confidentiality of letters and other means of communication (Article 41 of the Constitution) and the protection of personal data (Article 42 of the Constitution).

Under the Constitution, the confidentiality of letters and other means of communication may only be derogated from for a specified period of time and on the basis of a court decision for the purpose of conducting criminal proceedings or protecting the safety of Serbia, in a manner stipulated by the law (Article 41 of the Constitution).

The constitutional guarantee of protection of personal data (Article 42 of the Constitution) provides that use of personal data for any purpose other than that for which it was collected is prohibited and punishable in accordance with the law, unless it is necessary to conduct criminal proceedings or protect the safety of Serbia, in a manner stipulated by the law.

The Constitution also guarantees that everyone shall have the right to be informed of the collection of personal data relating to them, in accordance with the law, as well as the right to court protection in the case of abuse of their personal data.

The Personal Data Protection Act

The new Personal Data Protection Act (PDPA) became applicable in August 2019. The solutions provided by the PDPA are in line with the GDPR. The PDPA defines personal data, the different types of personal data and the manner of their collection, processing and transfer outside of the territory of Serbia.

In August 2023, Serbia adopted the Personal Data Protection Strategy for the period from 2023 to 2030. The main goal of this Strategy is “[r]especting the right to protection of personal data in all areas of life”.

Provisions that are of relevance to the protection of personal data may also be found in the Electronic Communications Act (ECA), as well as in sector-specific legislation, such as the Act on Health Documents and Records, the Act on Records and Data Processing in Interior Affairs, the National DNA Registry Act and the Law on Social Card.

Also, the provisions of the Information Security Act (ISA) regarding data breach reporting and notification are relevant to the protection of personal data and privacy. The ISA regulates (i) measures for protection against security risks in ICT systems, (ii) the liability of legal entities in relation to management, and (iii) the use of ICT systems and competent authorities in charge of the implementation of protective measures (Article 1 of the ISA).

Thus, the operators of the ICT systems for essential services are obliged to notify the Regulatory Authority for Electronic Communications and Postal Services (RATEL), as the national Computer Emergency Response Team (CERT), of incidents and attacks related to the ICT system that may have a significant impact on information security. An incident has to be reported in writing to the national CERT within one day of its occurrence and, if it relates to secret data, the operator of the ICT system of special importance is also obliged to follow the rules related to data secrecy (Article 11 of the ISA).

CHAMBERS.COM
