SERBIA Law and Practice Contributed by: Vladimir Djeric, Katarina Radovic and Lena Petrovic, Mikijelj, Janković & Bogdanović
• countries and international organisations that are parties to the Convention; • countries and international organisations that are considered by the EU to ensure adequate levels of protection of personal data; and • countries with which the Republic of Serbia has concluded international treaties regarding the transfer of personal data (Article 64 of the PDPA). The Serbian government has rendered a deci - sion on the list of countries, parts of their territory or one or more specified sectors within those countries or international organisations which are considered to ensure the adequate level of personal data protection, which specifies the countries to which the transfer of data is free. Furthermore, under the PDPA, the transfer of personal data is also allowed to a country, a ter - ritory of, or one or more specified sectors within, that country, or an international organisation that does not have an adequate level of protection if the controller or processor provides appropri - ate safeguards, and if enforceable data sub - ject rights and effective legal remedies for data subjects are available in that country, a territory of, or one or more specified sectors within, that country, or the relevant international organisation (Article 65 of the PDPA). The appropriate safeguards may be provided by a controller without requiring any specific authorisation from the Data Protection Com - missioner by: • a legally binding instrument between public authorities or bodies; • standard data protection clauses prepared by the Data Protection Commissioner that regulate the legal relationship between the controller and processor;
• binding corporate rules that regulate process - ing of personal data by a controller and the group of companies to which the controller belongs; • an approved code of conduct, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or • an approved certificate issued in accordance with the PDPA, together with binding and enforceable commitments on the part of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights. The appropriate safeguards may also be pro - vided through contractual clauses between the controller or processor and the controller, pro - cessor or the recipient of the personal data in the third country or international organisation, or through provisions inserted into administra - tive arrangements between public authorities or bodies that include enforceable and effec - tive data subject rights, but only with the spe - cific authorisation of the Commissioner, which is obliged to give such authorisation within 60 days from the day of receipt of the request for authorisation (Article 65 of the PDPA). Further, under the PDPA, the data controller may introduce binding corporate rules that are adhered to by a controller or processor estab - lished in the territory of the Republic of Serbia for the purpose of a transfer, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. If the Data Protec - tion Commissioner approves the binding corpo - rate rules, it is considered that a controller has provided adequate safeguards and that data
379 CHAMBERS.COM
Powered by FlippingBook