SERBIA Law and Practice Contributed by: Vladimir Djeric, Katarina Radovic and Lena Petrovic, Mikijelj, Janković & Bogdanović
5.2 Government Notifications and Approvals Under the PDPA, prior approval of the Data Pro - tection Commissioner may be required if data is to be transferred to a country that does not ensure an adequate level of protection (Article 65 of the PDPA). For more details see 5.1 Restric- tions on International Data Transfers . 5.3 Data Localisation Requirements Under the current Serbian legislation, there is no requirement for data localisation. However, each instance of data processing, including the transfer of data, has to be made on one of the grounds for data processing stipulated by the PDPA and must ensure adequate levels of data protection (Articles 12 and 65 of the PDPA). 5.4 Blocking Statutes As stated in 5.1 Restrictions on International Data Transfers , the transfer of personal data to a country that is not a party to the Convention is subject to prior approval of the Commissioner. If that approval is denied, the data cannot be transferred. As regards requests for transfer of personal data to a foreign country for the purpose of conducting criminal or civil proceedings, all such requests are governed by the rules of the international treaties and bilateral agreements regulating the co-operation of Serbia with for - eign countries in criminal and civil law matters. 5.5 Recent Developments There is no applicable information in this juris - diction.
may be transferred outside of the territory of the Republic of Serbia (Article 67 of the PDPA). Nonetheless, each international transfer of data has to be lawful – ie, it must be based on one of the legal grounds prescribed by the law, namely: • the data subject has given consent to the processing of their personal data for one or more specific purposes; • it is necessary for the performance of a con - tract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; • it is necessary for compliance with a legal obligation to which the controller is subject; • it is necessary in order to protect the vital interests of the data subject or of another natural person; • it is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller; or • it is necessary for the purposes of the legiti - mate interests pursued by the controller or by a third party, except where those interests are overridden by those interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particu - lar where the data subject is a child.
380 CHAMBERS.COM
Powered by FlippingBook