SERBIA Law and Practice Contributed by: Vladimir Djeric, Katarina Radovic and Lena Petrovic, Mikijelj, Janković & Bogdanović
organisation that does not ensure adequate levels of protection of personal data; • establishes and maintains a list in relation to the requirements for a data protection impact assessment when required by law; and • accredits certification bodies, issues certifi - cations and approves criteria of certification (Article 78 of the PDPA). Data Protection Commissioner Powers The Commissioner is vested with a set of inves - tigative powers, corrective powers and advisory powers that are identical to the powers of the supervisory body prescribed by the GDPR. The Commissioner is authorised, inter alia, to: • order the data controller or data processor to provide information it requires for the perfor - mance of its tasks; • monitor the application of the provisions of the PDPA by exercising its inspection powers; • carry out a review on certifications issued in accordance with the PDPA; • obtain access to any premises of a controller or processor, including to any data-process - ing equipment and means; • issue reprimands to a controller or processor where processing operations have infringed provisions of the PDPA; • order the controller or the processor to com - ply with the data subject’s requests to exer - cise their rights pursuant to the PDPA; • order the controller or processor to bring pro - cessing operations into compliance with the provisions of the PDPA, where appropriate, in a specified manner and within a specified period; • order the controller to communicate a per - sonal data breach to the data subject; • impose a temporary or definitive limitation, including a ban on processing;
• order the rectification or erasure of personal data or restriction of processing; • withdraw a certification or order the certifi - cation body to withdraw an already-issued certification; • impose an administrative fine – in addition to, or instead of, other corrective measures – depending on the circumstances of each individual case; and • order the suspension of data flows to a recipi - ent in a third country or to an international organisation (Article 79 of the PDPA). 1.3 Enforcement Proceedings and Fines Under the PDPA, the Commissioner is author - ised to exercise its powers in accordance with the Administrative Procedure Act and Inspection Act (Article 77 of the PDPA) as well as to initiate proceedings before the courts and other com - petent bodies in accordance with the law (Article 79 of the PDPA). The Commissioner is obliged to act upon the complaints of a data subject and initiate the inspection procedure, as well as to inform the data subject about the outcome of the inspec - tion and their right to initiate administrative court proceedings against the decision of the Com - missioner. If the data subject is not satisfied with the decision of the Commissioner, or if the Commissioner fails to act upon the complaint within 60 days from its receipt, the data sub - ject is authorised to initiate court proceedings against the Commissioner in accordance with the Administrative Court Proceedings Act (Arti - cles 82 and 83 of the PDPA). The enforcement of personal data protection is the remit of the Commissioner, which is author - ised to investigate whether data processing is lawful, including the right to request access to the premises of the data controller and means
373 CHAMBERS.COM
Powered by FlippingBook