Serbia - Data Breach Guide

Serbia

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

A controller must notify data breaches:

• which may create a high risk to the rights and freedoms of natural persons to the data subject without undue delay;
• which may create a risk to the rights and freedoms of natural persons without undue delay, and where feasible, not later than 72 hours, to the Commissioner for Information of Public Importance and Personal Data Protection ("Commissioner").

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

The Serbian Law on Data Protection ("Law") prescribes that a controller is obliged to notify affected individuals or the Commissioner about a data breach. The notification is not conditioned with the type of data. It is conditioned with the amount of risk which may be created to the rights and freedoms of the natural persons.

Therefore, a controller shall notify affected individuals if a data breach creates a high risk to the rights and freedoms of such data subjects without undue delay. A controller is not obliged to inform affected individual in case that:

• appropriate technical, organizational and personnel protection measures have been taken, in relation to personal data whose security has been violated, especially if it has prevented the cryptographic protection or other measures from making the data understandable to all persons who are not authorized to access this data;
• measures ensuring that the violation of personal data with a high risk for the rights and freedoms of the data subject may no longer produce consequences for that person have been taken subsequently;

• notifying data subjects constitutes a disproportionate waste of time and resources. In such case, the controller is obliged to notify the data subject by means of public information or otherwise effectively.

On the other hand, even if data processor is not obliged to inform data subjects nor Commissioner, a data processor is obliged to inform the controller about a data breach, without undue delay.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Content of the notice

The Law prescribes the mandatory elements of a notification in general. Furthermore, content and form of the notification is regulated by the Rulebook adopted by the Commissioner.

Namely, each data breach notification shall contain:

(a) Data about controller:

(i) the name of the controller;

(ii) address and headquarters;

(iii) the name and contact details of the data protection officer, if any, or other manners by which information relating to data breach may be obtained.

(b) Data about breach:

(i) a description of the nature of the data breach, including the circumstances surrounding the breach;

(ii) the type of personal data;

(iii) the number of data subjects;

(iv) the number of personally identifiable information that has been compromised;

(v) date and time of the data security breach (if known, or as estimated).

(c) Description of the possible consequences of the breach.

(d) Description of the measures taken or proposed by the controller.

(e) Other data relevant to the notification of data breach.

Please find the form of the notification under the section ОБРАЗАЦ ОБАВЕШТЕЊА О ПОВРЕДИ ПОДАТАКА О ЛИЧНОСТИ.

1.3.2 Time period in which notice must be given

• Notification of the Commissioner

The controller is obliged to inform the Commissioner without undue delay, and where feasible, not later than 72 hours. If the controller does not inform the Commissioner within the prescribed deadline, the controller is obliged to explain the reasons for not acting within the prescribed deadline.

• Notification of data subjects

On the other hand, controller is obliged to inform data subject without undue delay.

1.3.3 Method of giving a notice

• Notification of the Commissioner

A controller shall provide the Commissioner with a notice of data breach in writing, directly or by mail. Additionally, controller could also send a scanned copy of the notification to the following email address: povredapodataka@poverenik.rs.

• Notification of data subjects

The method of giving notice to affected persons (data subjects) is not prescribed by the Law or bylaws. Therefore, by analogy, the same methods of delivery as delivery methods to the Commissioner should apply.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

Data subjects who have suffered material or non-pecuniary damage as a result of a violation of the provisions of the Law are entitled to a monetary compensation for this damage from the controller who caused the damage.

Besides the monetary compensation, in the case of failure to notify the data subject or Commissioner the administrative fine may be imposed to the controller (up to RSD 2,000,000 approx. EUR 17,000). Moreover, the responsible person within the controller may be fined (up to RSD 150,000 approx. EUR 1,300).

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

The Law applies to the processing of personal data of the data subject who has permanent or temporary residence in the territory of Serbia by the controller or processor who does not have headquarters, or permanent or temporary residence in Serbia, if the processing activities are related to:

• offering of goods/services (paid or for free) on the territory of the Republic of Serbia or
• monitoring the behaviour of individuals, if the activities are carried out on the territory of Serbia.

Therefore, if one of the above specified criteria is fulfilled, the notification shall be done.

Even if the above conditions are not fulfilled and there is no legal obligation to notify the affected individuals, notification to individuals may be recommended in the event of a data breach, as it may mitigate or exclude the company’s liability in case of any damages incurred.

1.6 What are the applicable (data protection) laws or guidelines within your country?

In Serbia, data protection matters are regulated by the Serbian Law on Data Protection (Law), as the core legislation, and several bylaws adopted on the basis of the Law. However, some matters are still regulated with lex specialis which are not yet harmonized with the Law.

1.7 Contact information for the local Data Protection Authority:

For more information, contact: