The valid Serbian Law on Personal Data Protection (“LPDP”), which has been in full application since 21 August 2019, has extraterritorial application alike the GDPR (General Data Protection Regulation).

Is my company with seat outside the Republic of Serbia obliged to appoint representative under the LPDP?

It depends on the nature of processing activities which you, as controller or processor, perform. The LPDP applies to the processing of personal data of the persons with residence i.e. domicile in the territory of the Republic of Serbia, by controller i.e. processor that does not have a seat, domicile or residence in the territory of the Republic of Serbia, given that processing activities are related to:

• offer of goods or services to the person that the data refer to within the territory of the Republic of Serbia, whether such person is requested to pay a price for such goods or services or not;
• monitoring the activities of the person that the data refer to, if the activities are carried out in the territory of the Republic of Serbia.

Controller or processor shall be obliged to specify in writing their representative in the Republic of Serbia, unless:

• the processing is temporary, it does not include to a large extent the processing of special data or personal data referring to criminal convictions and offences, and it will probably not impose any risk to rights and freedoms of natural persons, given the nature, circumstances, scope and purposes of processing;
• controller or processor are government authorities.

What does representative of a foreign controller or processor do?

The representative is a natural or legal person with residence i.e. domicile in the territory of the Republic of Serbia, authorised to represent the controller i.e. processor in relation to their obligations under the LPDP.

The controller i.e. processor authorises the representative as a person which, beside the controller or processor i.e. instead of them, the person that the data refer to, Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) or other person may address with regard to any issue relating to personal data protection and for the purpose of ensuring the compliance with LPDP provisions.

However, complaint, claim and other legal motions under the LPDP may still be filed against the controller or processor, whether their representative was designated or not.

What are the consequences of failure to appoint the representative in the Republic of Serbia?

If a controller i.e. processor fails to appoint their representative in the Republic of Serbia, the Commissioner may impose a fine – in the amount of RSD 100,000 to a legal entity, RSD 50,000 to an entrepreneur, and RSD 20,000 to an authorised person in a legal entity.

Interestingly, in December 2019 non-profit organisation SHARE Foundation filed misdemeanour charges to the Commissioner against companies Google and Facebook for failure to designate their representatives in the Republic of Serbia. We shall see whether and how the Commissioner would act according to these charges, particularly having in mind that in January 2017 it awarded SHARE Foundation for exceptional contribution to the affirmation of right to personal data protection.

This article is to be considered as exclusively informative, with no intention to provide legal advice.
If you should need additional information, please contact us directly.