Feb 2025

Serbia

Law Over Borders Comparative Guide:

Data Protection

Introduction

Data protection in Serbia is primarily regulated by the Law on the Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018) (LPPD). The supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection (“the Commissioner”). The LPPD requires controllers to provide lawful grounds and purposes for processing and to implement adequate technical, legal and organisational measures to ensure protection of processed data. Data subjects have the right to access, rectify, and erase their personal data, as well as to object to processing and to file a complaint with the Commissioner. Additionally, Serbia has implemented numerous solutions from the General Data Protection Regulation (GDPR) into national law, which brings Serbian data protection standards in line with those of the European Union.


1 . What national laws regulate the collection, use and disclosure of personal data?

The main national law regulating the collection, use and disclosure of personal data is the LPPD.

Other relevant laws in Serbia are:

  • Law on Electronic Communications (Official Gazette of the Republic of Serbia, Nos. 44/2010, 60/2013 — decision of the constitutional court (CC), 62/2014, 95/2018 — other law, and 35/2023 — other law) — cookies and interception of electronic communications.
  • Law on Consumer Protection (Official Gazette of the Republic of Serbia, No. 88/2021) — direct marketing.
  • Law on Advertising (Official Gazette of the Republic of Serbia, Nos. 6/2016 and 52/2019 — other law) — direct marketing.
  • Law on Free Access to Information of Public Importance (Official Gazette of the Republic of Serbia, Nos. 120/2004, 54/2007, 104/2009, 36/2010 and 105/2021).
  • Law on Health Documentation and Records in Healthcare Sector (Official Gazette of the Republic of Serbia, No. 92/2023).
  • Law on Labour Records (Official Gazette of the Federal Republic of Yugoslavia, No. 46/96 and Official Gazette of the Republic of Serbia, Nos. 101/2005 — other law, and 36/2009 — other law).
  • Law on Safety and Health at Workplace (Official Gazette of the Republic of Serbia, No. 35/2023). 
  • Law on Electronic Administration (Official Gazette of the Republic of Serbia, No. 27/2018) — processing of personal data by state bodies and public institutions.

In relation to investigatory powers of the authorities, aside from the LPPD, the relevant regulation is the Criminal Procedure Code (Official Gazette of the Republic of Serbia, Nos. 72/2011, 101/2011, 121/2012, 32/2013, 45/2013, 55/2014, 35/2019, 27/2021 — decision of the CC and 62/2021 — decision of the CC).


2 . To whom do the laws apply?

The LPPD applies to controllers and processors of personal data.

Controller means a natural or legal person or public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person or public authority which processes personal data on behalf of the controller.

Data subject means a natural person whose personal data is processed.

Provisions of the Law on Electronic Communications apply to the user — a natural or legal person who uses or requests the use of a publicly available electronic communication service.


3 . What is the territorial scope of the law?

The LPPD applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Republic of Serbia, regardless of whether the processing takes place on the territory of the Republic of Serbia or not.

The LPPD also applies to the processing of personal data of data subjects who reside in the Republic of Serbia by a controller or processor not established in the Republic of Serbia, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects on the territory of the Republic of Serbia; or 
  • the monitoring of their behaviour as far as their behaviour takes place on the territory of the Republic of Serbia.

4 . What acts and operations relating to personal data are regulated?

Pursuant to the definition in the LPPD, “personal data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or by delivery, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


5 . What personal data does the law regulate?

Personal data means any information relating to an identified or identifiable natural person — an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymised data remains personal data and is subject to the LPPD and other laws, because it can still be attributed to a natural person with the use of additional information. Anonymised data, which can no longer be linked to an identified or identifiable natural person, is not.


6 . Are any types of personal data subject to a higher level of protection under the law?

Special categories of data are subject to a higher level of protection: the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, is prohibited unless one of the exceptions prescribed by the LPPD applies (for example, the explicit consent of the data subject).


7 . What requirements must be fulfilled in order to process personal data?

Processing is lawful only if at least one of the following conditions is met:

  • the data subject has given consent to the processing;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject (purpose for processing shall be determined by a law);
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (necessity of processing and the particular public interest shall be determined by a law, e.g., tax proceeding-related legislation); or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a minor.

Processing is lawful if carried out in accordance with either the LPPD or another law governing processing.

Consent

Prior consent is required for direct marketing, except for business-to-business direct advertising (see below, Question 10).

Prior consent is required for cookies under the Law on Electronic Communications: the user must be clearly informed and given the opportunity to refuse the storage of, or access to, data on their terminal equipment.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.

The controller shall be able to demonstrate that the data subject has consented to processing.

The data subject shall have the right to withdraw his or her consent at any time.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters.

If performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract (provision of a service), it shall be considered that the consent is not freely given.

A minor who has reached the age of 15 can independently give consent for the processing of personal data in the use of information society services.

Consent alone is not a sufficient basis for processing personal data relating to criminal convictions and offences or related security measures: such processing may be carried out only under the control of an official authority or where it is authorised by a law providing appropriate safeguards for the rights and freedoms of data subjects.

If further processing is carried out for the purposes of archiving in the public interest, for the purposes of scientific or historical research, as well as for statistical purposes, consent shall not be required for such further processing.


8 . What obligations apply when processing personal data?

Personal data shall be processed in accordance with data protection principles: 

  • the processing shall be carried out in a lawful, fair and transparent manner;
  • data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • data shall be accurate and, where necessary, kept up to date;
  • data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
  • data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (TOMs).

The data subject shall be informed by the controller prior to the beginning of processing of the identity of the controller, purpose and legal ground for processing, storage period, transfer, and other obligatory information as prescribed by the LPPD.

The controller shall be able to demonstrate its compliance with the LPPD (accountability). For example, determining which TOMs are appropriate requires a risk assessment; a data protection impact assessment shall be carried out in the cases prescribed by the LPPD; and the relationship with processors and joint controllers shall be governed by a written agreement.

The controller shall use only processors providing sufficient guarantees to implement appropriate TOMs.

Controllers processing personal data in the course of providing electronic administration services (such as public administration, the health sector and education) are obliged to keep their registers and records in electronic form and to store them, together with the accounts used for electronic communication, in Serbia.

Data breach

The controller is obliged to notify the Commissioner of a personal data breach that may result in a risk to the rights and freedoms of natural persons without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also notify the affected data subjects without undue delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.


9 . What rights does the data subject have in relation to personal data?

A data subject has the following rights:

  • right to be informed on the processing (see above, Question 8);
  • rights of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to data portability;
  • right to object; and
  • right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Exemptions

The above-mentioned rights can be restricted when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • national security;
  • defence;
  • public security;
  • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • other important objectives of general public interest of the Republic of Serbia, in particular an important economic or financial interest, including monetary, budgetary and taxation matters, public health and social security;
  • the protection of judicial independence and judicial proceedings;
  • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in the above points, apart from the protection of judicial independence and judicial proceedings;
  • the protection of the data subject or the rights and freedoms of others; and
  • the enforcement of civil law claims.

10 . What rules regulate the sending of commercial or direct marketing communications?

Direct advertising by telephone, fax, email or by other means of remote communication is prohibited without the prior consent of the consumer, except for business-to-business direct advertising. However, this exception does not apply to direct marketing of electronic communications services providers to their end users.

If the consumer provided explicit consent to advertising by telephone, fax, email or other means of distance communication, the trader is obliged to inform the consumer about the commercial purpose of the activity in a clear and unambiguous manner, in the Serbian language, before advertising a certain good or service.


11 . What rules and requirements regulate the transfer of personal data outside your jurisdiction?

Restrictions are applied when personal data is being transferred to a country, part of its territory, or to one or more sectors of certain business activities in that country, or to an international organisation that does not provide an adequate level of protection.

An adequate level of protection is deemed to be provided in countries and international organisations that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), as well as in countries, parts of their territories, one or more sectors of certain business activities in those countries, or international organisations that the European Union has determined to provide an adequate level of protection.

It shall be deemed that an adequate level of protection is ensured in case an international agreement on the transfer of personal data is concluded with another country or international organisation.

Transfer subject to appropriate safeguards

The transfer of personal data to countries which do not ensure an adequate level of protection can be carried out by means of the transfer mechanisms provided for in the LPPD (e.g., standard contractual clauses adopted by the Commissioner, binding corporate rules, an international agreement, etc.) without prior authorisation of the Commissioner, or, for other contractual clauses and arrangements, with such prior authorisation in accordance with the LPPD.

If the transfer of personal data is not conducted as described above, the LPPD provides for derogations.


12 . What are the investigatory and enforcement powers of the regulator?

  • Investigative powers. The Commissioner is authorised to:
    • order the controller and the processor, and, where applicable, their representatives to provide any information it requires for the performance of its tasks;
    • carry out inspections and audits of compliance with the LPPD and otherwise supervise the application of data protection rules using its investigative powers;
    • notify the controller of an alleged infringement of the LPPD;
    • obtain from the controller access to all personal data and to all information necessary for the performance of its tasks; and
    • obtain access to any premises of the controller and the processor, including to any data processing equipment and means.
  • Corrective powers. The Commissioner is authorised to:
    • warn the controller, by issuing a written opinion in the prior consultation procedure following a data protection impact assessment (DPIA), that the intended processing may violate the provisions of the LPPD;
    • issue a warning to the controller if the processing violates the provisions of the LPPD;
    • order the controller to act upon the request of the person to whom the data relates in connection with the exercise of his/her rights, in accordance with the LPPD;
    • order the controller to harmonise the processing operations with the provisions of the LPPD, in a precisely determined manner and within a precisely determined period;
    • order the controller to inform the data subject of data breach;
    • impose temporary or permanent restrictions on the performance of the processing operation, including the prohibition of processing;
    • order the rectification or erasure of personal data or the restriction of processing, and order the controller to inform other controllers, the data subject and the recipients to whom the personal data has been disclosed or transferred;
    • impose a fine by way of a misdemeanour order where an inspection establishes that the controller has committed a misdemeanour for which the LPPD prescribes a fine in a fixed amount, instead of other prescribed measures, depending on the circumstances of the case; and
    • suspend the transfer of personal data to the recipient in another state or international organisation.

13 . What are the sanctions and remedies for non-compliance with data protection laws?

Violations of the LPPD constitute misdemeanours for which fines ranging from RSD 50,000 (circa EUR 400) to RSD 2,000,000 (circa EUR 17,000) are prescribed for the legal entity, and from RSD 5,000 (circa EUR 40) to RSD 150,000 (circa EUR 1,300) for the responsible person within the legal entity.

In addition to the pecuniary fine, the Commissioner may issue a warning to the controller to remedy the non-compliance, impose a temporary or permanent restriction on the processing activity, including a ban on processing, or use the other inspection powers prescribed by the LPPD. If the controller does not comply with the Commissioner’s decision, the Commissioner may impose an administrative fine ranging from half of the controller’s monthly income up to 10% of the yearly income it earned in the Republic of Serbia in the previous business year.

Furthermore, if personal data is being transferred contrary to the LPPD, the Commissioner may forbid such transfer.

A data subject may initiate: 

  • an administrative dispute, by filing a lawsuit against the Commissioner’s decision in the complaint procedure; 
  • a civil dispute, by filing a claim for the protection of rights;
  • a civil dispute, by filing a claim for damages; or
  • misdemeanour proceedings, by submitting a request for the initiation of misdemeanour proceedings; such proceedings may be initiated by the Commissioner as well as by the injured party.

Unauthorised collection of personal data is a criminal offence and criminal prosecution is initiated by a private action unless the offence is committed by an authorised state official.
