Have You Appointed a Data Protection Officer?
January 22, 2020
The current Serbian Law on Personal Data Protection (“LPDP”) has been in full application since 21 August 2019. Like the GDPR, the LPDP envisages the appointment of a Data Protection Officer.
Is my company obliged to appoint a Data Protection Officer?
The answer to this question depends on several factors. First, you need to establish whether your company is a data controller or a data processor within the meaning of the LPDP. Then you need to run a qualitative test of your processing activities and the types of personal data that you process. In particular, if the core activities of your company, as controller or processor, consist of:
- the activities of processing whose nature, scope or purposes require regular and systematic supervision of a large number of persons that the data refer to, or
- the processing of special categories of personal data or personal information relating to criminal convictions or offences on a large scale,
then the company is legally obliged to appoint a Data Protection Officer.
Also, a special law may stipulate that controllers and/or processors shall appoint a Data Protection Officer.
In all other situations, there is no obligation to appoint such a person and it is done on a voluntary basis.
The tasks of the Data Protection Officer are primarily advisory and aimed at facilitating the application of the LPDP, and the officer is the contact point for cooperation with the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”), as well as for communication with the persons that the data refer to. If you are in doubt as to whether to appoint such a person where there is no legal obligation, the appointment should certainly prevail.
Who can be a Data Protection Officer?
The Data Protection Officer may be a natural person employed by the controller or processor, or a person who performs the tasks on a contract basis. Such a person may also perform other tasks and obligations, provided that he/she is not in a conflict of interest.
The Data Protection Officer shall be designated on the basis of his/her professional qualifications, particularly professional knowledge and experience in the field of personal data protection, as well as the capacity to perform the tasks stipulated by the LPDP.
A group of economic entities may designate a joint Data Protection Officer, provided that such person is equally accessible to each member of the group.
What are the tasks of the Data Protection Officer?
The tasks of the Data Protection Officer include:
- to inform and advise the controller or the processor and the employees who carry out processing of their legal obligations pertaining to the protection of personal data;
- to monitor the application of provisions of the LPDP, other laws and internal regulations of controller or processor with regard to personal data protection, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor the performance pursuant to such assessment;
- to cooperate with the Commissioner, act as contact point for cooperation with the Commissioner and consult with the Commissioner as regards the issues pertaining to processing, including reporting and provision of prior opinion of the Commissioner;
- to communicate with the persons that the data refer to as regards any issue relating to processing of their personal data, as well as relating to exercising of their rights as stipulated by the LPDP.
How to appoint the Data Protection Officer?
The Data Protection Officer is appointed by a decision of the controller or processor.
Any entity that appoints a Data Protection Officer, whether under a legal obligation or on a voluntary basis, is obliged to publish the contact information of that person and to deliver it to the Commissioner in writing, directly, via regular mail or to the e-mail address: licezazastitu@poverenik.rs.
For the purpose of communication efficiency, the Commissioner recommends that the Data Protection Officer be provided with a special e-mail account for these purposes and a special mobile or landline telephone number.
What are the consequences of non-fulfilment of obligations relating to the appointment of a Data Protection Officer?
If a controller or processor that is a legal entity fails to appoint a Data Protection Officer despite the obligation to do so, such controller and/or processor may be fined from RSD 50,000 to 2,000,000, an entrepreneur from RSD 20,000 to 500,000, and an authorised person in a legal entity from RSD 5,000 to 150,000.
For failure to publish the information on the Data Protection Officer and failure to submit it to the Commissioner, the Commissioner may impose a mandatory fine on a legal entity in the amount of RSD 100,000, on an entrepreneur in the amount of RSD 50,000 and on an authorised person in a legal entity in the amount of RSD 20,000.
This article is to be considered as exclusively informative, with no intention to provide legal advice.
If you should need additional information, please contact us directly.