SERBIA Law and Practice Contributed by: Vladimir Djeric, Katarina Radovic and Lena Petrovic, Mikijelj, Janković & Bogdanović
tive agreements based on the principles set out by the PDPA. The PDPA also recognises that employment regulations and collective agree - ments may contain provisions related to the pro - tection of personal data of employees, in which case they also need to specify suitable and spe - cific measures to safeguard the data subject’s human dignity, legitimate interests and funda - mental rights (Article 91 of the PDPA). Under the Employment Act of the Republic of Serbia, employers are allowed to collect data regarding their employees where this is pre - scribed by that law and other laws related to employment matters. The Employment Act also authorises employers to monitor the work of their employees, a provision that is frequently used in practice as a ground for accessing employees’ computers and email communications. In this respect, the Commissioner has taken the posi - tion that such access is allowed if the computer and email account were provided by the employ - er for the purpose of work performance and if it does not invade the employees’ privacy. If an employee is using a private email account or private computer, the employer may access the data contained therein only in the presence of that employee, who will then be able to prevent the employer’s access to private communication and files. In a recent ruling the Commissioner took the position that an employer must not con - tinue to use its former employee’s email account upon termination of employment, as it contains the employee’s name: a piece of personal data whose processing is no longer justifiable, legal and necessary. 4.4 Transfer of Personal Data in Asset Deals In Serbia, the transfer of personal data in asset deals is regulated by the PDPA. When an asset deal involves personal data (eg, customer or
employee databases), the transfer must have a valid legal basis under the LPDP: • legitimate interest (Article 12 of the PDPA); • consent if the transaction involves sensitive data or when no other legal basis is available (Article 15); and • legal obligation (Article 17) (eg, employment records). During the due diligence procedure, the sell - er should minimise data exposure and use anonymised or pseudonymised data where pos - sible. NDAs must also be signed. Once the transaction is closed, the buyer becomes a new data controller and must inform data subjects (customers, employees) about the change. If the transfer changes the purpose of data processing, additional consent may be required. If the buyer is outside Serbia, data transfers must comply with PDPA rules on inter - national transfers (transfers to countries without an adequate level of protection require standard contractual clauses (SCCs) or other safeguards). The buyer must provide information on how their data will be used post-transfer. 5. International Considerations 5.1 Restrictions on International Data Transfers Under the PDPA, international transfers of data to a country, a territory or one or more specified sectors within that country, or an international organisation that ensures an adequate level of protection do not require any prior authorisation (Articles 63 and 64 of the PDPA). It is assumed that an adequate level of protec - tion exists in:
378 CHAMBERS.COM
Powered by FlippingBook