LAWON PERSONAL DATA PROTECTION("Off. Herald of RS", No. 87/2018) |
Article 1
This Law shall regulate the right to protection of natural persons with regard to the processing of personal data and the free movement of such data, the principles of processing, the rights of persons to which data pertains, obligations of personal data handlers and of the personal data processors, code of conduct, transfer of personal data to other states and international organizations, supervision over implementation of this Law, legal remedies, liability and sanctions in cases of infringements of the rights of natural persons relating to processing of personal data, as well as special cases of processing.
This Law shall additionally regulate the right to protection of natural persons with regard to the processing of personal data performed by competent authorities for the purposes of prevention, investigation and detection of criminal offences, prosecution of perpetrators of criminal offences or the enforcement of criminal sanctions, including prevention of and safeguarding against threats to public and national security, as well as free flow of such data.
Article 2
This Law shall ensure protection of fundamental rights and freedoms of natural persons, and in particular of their right to protection of personal data.
Provisions of separate laws regulating processing of personal data must be in conformity with this Law.
Article 3
This Law shall apply to processing of personal data which is performed, in entirety or in part, by automated means, as well as to the processing other than by automated means of personal data which form part of a data collection or are intended to form part of a data collection.
This Law shall not apply to the processing of personal data performed by a natural person for their own needs i.e. for the needs of their household.
This Law shall apply to the processing of personal data performed by a handler i.e. processor with the seat i.e. domicile or habitual residence in the territory of the Republic of Serbia, in the course of activities performed in the territory of the Republic of Serbia, irrespective of whether the processing activity is performed in the territory of the Republic of Serbia or not.
This Law shall apply to the processing of personal data of a person who has its domicile i.e. habitual residence in the territory of the Republic of Serbia by a handler i.e. processor who does not have its seat i.e. domicile or habitual residence in the territory of the Republic of Serbia, where the processing activities are related to:
1) Offering of goods i.e. services in the territory of the Republic of Serbia to a person to who the data relates to, irrespective of whether or not such a person is required to pay for such goods i.e. services;
2) Monitoring of activities of persons to who the data relates to, as far as their activities take place within the Republic of Serbia.
Article 4
Individual expressions used in this Law shall have the following meanings:
1) "Personal data" shall mean any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name and an identification number, location data, an online identifier in electronic communication networks or to one i.e. more characteristics of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2) "Person to who the data relates to" shall be the natural person whose personal data is being processed;
3) "Data processing" shall be any operation or set of operations which is performed on personal data or on collections of personal data, whether or not by automated means, such as collection, recording, classification, grouping i.e. structuring, storage, adaptation or alteration, disclosure, inspection, use, disclosure by transmission i.e. by delivery, multiplication, dissemination or otherwise making available, comparison, restriction, erasure or destruction (hereinafter referred to as: processing);
4) "Restriction of processing" shall mean the marking of stored personal data with the aim of limiting their processing in the future;
5) "Profiling" shall mean any form of automated processing used to evaluate certain personal characteristic, in particular with the aim of analyzing or predicting the natural person's performance at work, their economic situation, health condition, personal preferences, interests, reliability, behavior, location or movement;
6) "Pseudonymization" shall mean the processing in a manner that prevents attribution of personal data to a specific person without the use of additional information, provided that such additional information is kept separately and is subject to technical, organizational and staff-related measures to ensure that the personal data cannot be attributed to a specific or identifiable person;
7) "Data collection" shall be each structured set of personal data which is accessible according to specific criteria, irrespective of whether or not the collection is centralized, decentralized or categorized on a functional or geographical basis;
8) "Handler" shall be the natural or legal person, i.e. public authority which, independently or jointly with others, determines the purposes and means of the processing. The law that determines the purpose and means of processing may additionally determine the handler or prescribe the conditions for their determination;
9) "Processor" shall be a natural or legal person, i.e. a public authority which processes personal data on behalf of the handler;
10) "Recipient" shall be a natural or legal person i.e. a public authority to which the personal data are disclosed, irrespective of whether it is a third party or not, except where it is a case of public authorities which receive personal data in the framework of an investigation in a particular case in compliance with the law and process such data in compliance with the rules on the protection of personal data that pertain to the purpose of the processing;
11) "Third party" shall be a natural or a legal person i.e. a public authority, other than the person to who the data relates to, handler or processor and the person who is authorized to process personal data under the direct supervision of the handler or processor;
12) "Consent" of the person to who the data relates to shall be each freely given, specific, informed and unambiguous expression of the will of such person, by which such person, by a statement or by a clear affirmative action, provides consent to the processing of personal data relating to him or her;
13) "Personal data breach" shall be a breach of security of personal data leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data which is transmitted, stored or otherwise processed;
14) "Genetic data" shall be personal data relating to the inherited or acquired genetic characteristics of a natural person which provides unique information about the physiology or the health of that person and in particular the data which is obtained from an analysis of a sample of biological origin;
15) "Biometric data" shall be personal data obtained from specific technical processing relating to the physical characteristics, physiological characteristics or behavioral characteristics of a natural person, which allows or confirms the unique identification of that person, such as his/her facial image or dactyloscopic data;
16) "Data concerning health" shall be data about the physical or mental health of a natural person, including those on the provision of health care services, which reveal information about his or her health status;
17) "Representative" shall be a natural or legal person with the domicile i.e. seat in the territory of the Republic of Serbia which is, pursuant to Article 44 of this Law, authorized to represent the handler i.e. processor with regard to their respective obligations under this Law;
18) "Economic operator" shall be a natural or a legal person which is pursuing an economic activity, irrespective of the legal form thereof, including partnerships or associations that regularly engage in an economic activity;
19) "Multinational company" shall be an economic operator which is the controlling founder or a controlling member of the economic operator i.e. the founder of a branch of an economic operator, which is pursuing an economic activity in the state other than that in which its seat is located, as well as the economic operator with a significate share in the economic operator i.e. in the founder of the branch of the economic operator, which is pursuing an economic activity in the state other than that in which the seat of the multinational company is located, in compliance with the law regulating companies;
20) "Group of economic operators" shall be a group of affiliated economic operators, in compliance with the law regulating affiliation of economic operators;
21) "Binding corporate rules" shall be the internal rules on the protection of personal data which are adopted and which are applied by the handler i.e. by the processor with the domicile or habitual residence, i.e. seat in the territory of the Republic of Serbia, for the purpose of regulating the transfer of personal data to a handler or processor in one or more states within a multinational company or a group of economic operators;
22) "Commissioner for information of public importance and personal data protection (hereinafter referred to as: the Commissioner)" shall the independent and autonomous public authority established on the basis of the law, which is competent for supervision over implementation of this Law and carrying out of other tasks laid down by the law;
23) "Information society service" shall be each service which is normally provided for remuneration, at a distance, by electronic means and at a request of a recipient of services;
24) "International organization" shall be an organization or its body which is governed by the international public law, as well as any other body which is set up by, or on the basis of, an agreement between countries;
25) "Public authority" shall be a state organ, a body of a territorial autonomy and a local self-government unit, a public enterprise, institution and another public service, organization and other legal or natural person which performs public powers;
26) "Competent authorities" shall be:
a) Public authorities which are competent to prevent, investigate and detect criminal offences, as well as to persecute the perpetrators of criminal offences or to enforce criminal sanctions, including to protect and prevent the threats to public and national security;
b) Legal person which is authorized by law to carry out the tasks referred to in subitem a) of this item.
Article 5
Personal data must be:
1) Processed lawfully, fairly and in a transparent manner in relation to the person to whom the data relates to ("lawfulness, fairness and transparency"). Lawful processing shall be the processing performed in compliance with this Law i.e. other law regulating processing;
2) Collected for specified, explicit, legitimate and lawful purposes and cannot be further processed in a manner that is incompatible with those purposes ("limitation relating to the purposes of processing");
3) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
4) Accurate and, where necessary, kept up to date. Taking into account the purposes for which it is processed, every reasonable measure must be taken to ensure that personal data that is inaccurate is erased or rectified without delay ("accuracy");
5) Stored in a form which permits identification of persons only within the time limit that is necessary for the achievement of purposes of processing ("storage limitation");
6) Processed in a manner that ensures appropriate protection of the personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction or damage, by using appropriate technical, organizational or staff-related measures ("integrity and confidentiality").
The handler shall be responsible for application of the provisions of paragraph 1 of this Article and must be able to demonstrate the application thereof ("accountability for actions").
Article 6
Notwithstanding Article 5, paragraph 1, item 2) of this Law, where further processing is carried out for the purposes of archiving in the public interest, for scientific or historical research purposes, as well as for statistical purposes, in compliance with this Law, it shall be considered that personal data is not processed in the manner which is incompatible with the original purpose.
Where processing for a purpose which is different from the purpose for which data has been collected is not based on the law that prescribes the necessary and proportionate measures in a democratic society with a view to safeguarding the objectives referred to in Article 40, paragraph 1 of this Law, or on the consent from the person to who the data relates to, the handler shall be obliged to assess whether or not processing for such other purpose is compatible with the purpose of processing for which data has been initially collected, in particular by taking into account:
1) Whether there is a connection between the purposes for which data has been collected, and other purpose of intended processing;
2) Circumstances under which data has been collected, including the relationship between the handler and person to who the data relates to;
3) Nature of data, and in particular whether some special types of personal data referred to in Article 17 of this Law is being processed or not i.e. whether or not the personal data related to criminal verdicts and punishable offences referred to in Article 19 of this Law is being processed;
4) Possible consequences of further processing for person to who the data relates to;
5) Application of adequate protective measures, such as encryption or pseudonymization.
Provisions of paragraphs 1 and 2 of this Article shall not apply to processing performed by the competent authorities for the purposes of prevention, investigation and uncovering of criminal offences, prosecution of perpetrators of criminal offences or enforcement of criminal sanctions, including prevention and protection from threats to public and national security (hereinafter referred to as: for special purposes).
Processing for Other Purposes by Competent Authorities
Article 7
Personal data collected by the competent authorities for special purposes cannot be processed for a purpose other than the purpose for which data has been collected, except where such further processing is prescribed by the law.
Processing performed by the competent authorities for special purposes which are different from those for which the personal data has been collected shall be permitted where the following conditions are aggregately met:
1) Handler is authorized to process such personal data for such other purposes, in compliance with the law;
2) Processing is necessary and proportionate to such other purpose, in compliance with the law.
Processing performed by the competent authorities for special purposes may cover archiving of personal data for the public interest, i.e. its use for scientific, statistical or historical purposes, providing that adequate technical, organizational and staff-related measures are applied with the aim of protecting the rights and freedoms of persons to who the data relates to.
Storage, Storage Periods and Review of the Need for Storage in Special Cases
Article 8
Notwithstanding Article 5, paragraph 1, item 5) of this Law, personal data processed exclusively for the purposes of archiving for the public interest, for the purposes of scientific or historical research, as well as for statistical purposes, can be stored for a even longer period, provided that the provisions of this Law on application of adequate technical, organizational and staff-related measures are complied with, all with the aim of protecting the rights and freedoms of persons to who the data relates to.
In the case of personal data processed by the competent authorities for special purposes, a time limit must be set for erasure of such data i.e. a time limit for periodical evaluation of the need for its storage.
Where the time limit referred to in paragraphs 1 and 2 of this Article is not determined by the law, it shall be determined by the data handler.
The Commissioner shall supervise compliance with the time limits referred to in paragraphs 1 through 3 of this Article in accordance with his powers prescribed by this Law.
Differentiating Individual Types of Persons to who the data relates to
Article 9
Where it is a case of personal data processed by the competent authorities for special purposes, the competent authority shall be obliged to, on the occasion of processing thereof, if possible, make a clear distinction between data relating to individual types of persons whose data is being processed, such as:
1) The persons against whom there is reasonable suspicion that they have committed or that they intend to commit criminal offences;
2) The persons against whom there is reasonable suspicion that they have committed criminal offences;
3) The persons who have been convicted of criminal offences;
4) The persons injured by a criminal offence or the persons for whom it is presumed that they could be injured by a criminal offence;
5) Other persons which are linked to a criminal offence, such as the witnesses, persons that can provide information on a criminal offence, linked persons or collaborators of the persons referred to in items 1) through 3) of this Article.
Differentiating Individual Types of Personal Data
Article 10
Where it is a case of personal data processed by the competent authorities for special purposes, the competent authority shall be obliged to, to the degree to which it is possible, clearly separate the personal data which is based solely on the findings of facts from the personal data which is based on a personal assessment.
Quality Assessment of Personal Data and Special Conditions for Processing Performed by the Competent Authorities for Special Purposes
Article 11
The competent authorities which are processing personal data for special purposes shall be obliged to, by applying reasonable measures, ensure that any inaccurate, incomplete pieces of personal data and those which have not been updated is not transmitted i.e. that it is not accessible.
Accuracy, completeness and whether or not personal data is kept up to date shall be checked by the competent authorities, to the degree possible, prior to initiating the transfer i.e. prior to making such data available.
The competent authority which is transmitting personal data to another competent authority shall be obliged to, to the extent possible, additionally deliver information which is necessary for ascertaining the degree of accuracy, completeness, authenticity i.e. reliability of personal data, as well as to deliver a notice on keeping of such data up to date.
Where inaccurate personal data is transmitted i.e. where personal data is transmitted unlawfully, the competent authority to which such data is transferred must be notified thereof without delay, and the transmitted personal data must be rectified or erased, i.e. its processing must be limited in compliance with this Law.
Where special conditions are required by the law for processing, the competent authority which is transmitting personal data shall be obliged to inform the recipient of data of such special conditions, as well as of the obligation to comply therewith.
Article 12
Processing shall be lawful only where one of the following conditions is met:
1) The person to who the data relates to has consented to processing of their personal data for one or more specifically designated purposes;
2) Processing is necessary for performance of a contract concluded with the person to who the data relates to or for taking actions, at the request of the person to who the data relates to, prior to conclusion of the contract;
3) Processing is necessary with the aim to complying with the legal obligations of the handlers;
4) Processing is necessary with the aim of protecting the vitally important interests of the person to who the data relates to or of another natural person;
5) Processing is necessary with the aim of carrying out of tasks in the public interest or executing the legally prescribed powers of the handler;
6) Processing is necessary with the aim of realizing the legitimate interests of the handler or of a third party, except where the interests or the fundamental rights and freedoms of the person to who the data relates to which require protection of personal data prevail over such interests, and in particular where the person to who the data relates to is an underage person.
Paragraph 1, item 6) of this Article shall not apply to the processing performed by a public authority within their scope of competence.
Provisions of paragraphs 1 and 2 of this Article shall not apply to the processing performed by the competent authorities for special purposes.
Lawfulness of Processing Performed by the Competent Authorities for Special Purposes
Article 13
Processing performed by the competent authorities for special purposes shall be lawful only where such processing is necessary for conducting the tasks of the competent authorities and where it is prescribed by the law. Such law shall at the minimum lay down the objectives of processing, personal data which is to be processed and the purposes of processing.
Lawfulness of Processing in Special Cases
Article 14
The basis for processing referred to in Article 12, paragraph 1, items 3) and 5) of this Law shall be laid down by the law.
Where it is a case of processing referred to in Article 12, paragraph 1, item 3) of this Law, the law shall additionally determine the purpose of processing, and where it is a case of processing referred to in Article 12, paragraph 1, item 5) of this Law, the law shall prescribe whether or not processing is necessary with the view to carrying out the tasks in the public interest or in the exercise of the legally prescribed powers vested in the handler.
The law referred to in paragraph 1 of this Article shall prescribe the public interest which is intended to be realized, as well as the obligation to comply with the rules on proportionate processing with regards to the objective intended to be achieved, and may additionally prescribe the conditions for permissibility of processing by the handler, the types of data which is subject to processing, the persons to who the personal data relates to, the persons to who the data can be disclosed and the purpose of disclosure thereof, limitations pertaining to the purpose of processing, the storage and keeping period, as well as other special actions and the procedure of processing, including the measures to provide for lawful and fair processing.
Article 15
Where processing is based on consent, the handler must be able to demonstrate that the person has consented to processing of their personal data.
If the consent of the person to who the data relates to is given in the context of a written declaration which also concerns other matters, the request for the provision of consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, as well as by using clear and simple words. Any part of such a declaration which is contrary to this Law shall not have any legal effect.
The person to who the data relates to shall have the right to withdraw their consent at any moment. The withdrawal of consent shall not affect the permissibility of processing which has been performed on the basis of the consent prior to withdrawal. Before providing consent, the person to who the data relates to must be informed of the right to withdrawal, as well as of the effect of the withdrawal. Withdrawing of consent must be simple, just as giving consent.
When assessing whether consent for processing of personal data has been freely given or not, utmost account shall be taken of whether or not the performance of contracts, including the provision of services, is conditional on giving consent that is not necessary for its performance.
Consent of an Underage Person in relation to the Use of Information Society Services
Article 16
An underage person who has turned 15 may independently provide consent to processing of their personal data when using the services of information society.
In a case of an underage person who has not turned 15, the consent for processing of data referred to in paragraph 1 of this Article must be given by the parent exercising parental right i.e. by another legal representative of the underage person.
The handler must take reasonable measures with the aim of determining whether the consent has been provided by the parent who exercises the parental right i.e. by another legal representative of the underage person, by taking into consideration available technologies.
Processing of Special Types of Personal Data
Article 17
Processing of personal data revealing racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health condition or data concerning sex life or sexual orientation of a natural person shall be prohibited.
By way of exception, the processing referred to in paragraph 1 of this Article shall be permitted in the following cases:
1) The person to who the data relates to has given their explicit consent to processing for one or more purposes of processing, except where the law prescribes that processing shall not be performed on the basis of consent;
2) Processing is necessary with the aim of carrying out the obligations or exercising legally prescribed authorizations of the handler or of the person to who the data relates to in the field of labor, social insurance and social protection, if such processing is prescribed by law or collective agreement which provides for appropriate measures to safeguard the fundamental rights, freedoms and the interests of the person to who the data relates to;
3) Processing is necessary with a view to protecting the vitally important interests of the person to who the data relates to or of another natural person, where the person to who the data relates to is physically or legally incapable of giving consent;
4) Processing is carried out in the course of the registered economic activity and by applying the appropriate protective measures by an endowment, foundation, association or any other non-profit organization whose purpose is of a political, philosophical, religious or trade union nature, provided that the processing relates solely to the members i.e. former members of that organization or to persons who have regular contacts with it in connection with the purposes of the organization, as well as that the personal data is not disclosed outside that organization without the consent of the person to who the data relates to;
5) The personal data are processed which the person to whom it relates to has manifestly made public;
6) Processing is necessary for the purpose of submitting, exercising or defending a legal claim or in the case where a court is acting within its scope of competence;
7) Processing is necessary for the purpose of realizing a substantial public interest specified by law, provided that such processing is proportionate to the aim pursued, by respecting the essence of the right to personal data protection and provided that application of suitable and specific measures to safeguard the fundamental rights and the interests of the person to who the data relates to is provided for;
8) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of employees, medical diagnosis procedures, the provision of health or social protection i.e. the management of health or social care systems, on the basis of law or pursuant to a contract with a health professional, providing that the processing is carried out by or under supervision of a medial worker or another person who is bound to keep a professional secret prescribed by law or professional rules;
9) Processing is necessary for the purpose of achieving public interest in the area of public health, such as the protection against serious cross-border threats to public health or ensuring high standards of quality and safety of health care and of medicines and medicinal devices, on the basis of the law which provides for suitable and specific measures to safeguard the rights and freedoms of the person to who the data relates to, in particular in respect of keeping professional secrecy;
10) Processing is necessary for purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes, in compliance with Article 92, paragraph 1 of this Law, providing that such processing is proportionate to the aims pursued, while respecting the essence of the right to personal data protection and provided that suitable and specific measures to safeguard the fundamental rights and the interests of the person to who the data relates to is provided for.
Provisions of paragraphs 1 and 2 of this Article shall not apply to processing performed for special purposes by the competent authorities.
Processing of Special Types of Personal Data Performed by the Competent Authorities for Special Purposes
Article 18
Processing of personal data performed for special purposes by the competent authorities which is revealing racial or ethnic origin, political opinion, religious or philosophical belief, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health condition or data concerning sex life or sexual orientation of a natural person shall be permitted only where it is necessary, with application of appropriate measures to safeguard the rights of the person to who the data relates to, in one of the following cases:
1) The competent authority is authorized by law to process the special types of personal data;
2) The processing of the special types of personal data is carried out with a view to protect the vitally important interests of the person to who the data relates to or of another natural person;
3) The processing relates to special types of personal data which are manifestly made available to public by the person to who the data relates to.
Processing Relating to Criminal Judgements and Punishable Offences
Article 19
Processing of personal data relating to criminal judgements, punishable offences and safety measures can be carried out based on Article 12, paragraph 1 of this Law only under supervision of a competent authority or, where processing is authorized by the law, with the application of appropriate special measures to safeguard the rights and freedoms of person to who the data relates to.
The comprehensive records of criminal judgements shall be kept only by and under supervision of a competent authority.
Processing Which Does Not Require Identification
Article 20
If for the realization of the purpose of processing, the handler does not need or no longer needs to identify the person to who the data relates to, the handler shall not be obliged to keep, acquire or process additional information in order to identify that person for the sole purpose of complying with this Law.
If in the case referred to in paragraph 1 of this Article, the handler is able to demonstrate that he cannot identify the person to who the data relates to, he shall be obliged to inform that person thereof, if possible.
In the case referred to in paragraphs 1 and 2 of this Article, the provisions of Articles 26, paragraphs 1 through 4, Article 29, Article 30, paragraphs 1 through 5, Article 31, paragraphs 1 through 3, Article 33, paragraphs 1 and 2 and Article 36, paragraphs 1 through 4 of this Law shall not apply, unless the person to who the data relates to, for the purpose of exercising the rights under those Articles, provides additional information enabling his/her identification.
Provisions of paragraphs 2 and 3 of this Article shall not apply to processing carried out by the competent authorities for special purposes.
III RIGHTS OF THE PERSON TO WHO THE DATA RELATES TO
1. Transparency and Methods for the Exercise of Rights
Transparent Information, Informing and Methods for the Exercise of Rights of a Person to who the data relates to
Article 21
The handler shall be obliged to take appropriate measures to provide all information referred to in Articles 23 and 24 of this Law i.e. information relating to exercise of the rights referred to in Article 26, Articles 29 through 31, Article 33, Articles 36 through 38 and Article 53 of this Law to the person to who the data relates to, in a concise, transparent, intelligible and easily accessible manner, using clear and plain words, in particular in case of a piece of information intended to an underage person. Such information shall be provided in writing or in some other form, including, where appropriate, in electronic form. When requested by the person to whom the data relates to, information can be provided orally, provided that the identity of the person has been undoubtedly established.
The handler shall be obliged to provide assistance to the person to who the data relates to in exercising of their rights under Article 26, Articles 29 through 31, Article 33 and Articles 36 through 38 of this Law. In the cases referred to in Article 20, paragraphs 2 and 3 of this Law, the handler may not refuse to act according to the request of the person to who the data relates to for exercising of their rights under Article 26, Articles 29 through 31, Article 33 and Articles 36 through 38 of this Law, unless where the handler has demonstrated that he cannot identify the person.
The handler shall be obliged to provide information on action taken based on a request under Article 26, Articles 29 through 31, Article 33 and Articles 36 through 38 of this Law to the person to who the data relates to without delay and within 30 days from the receipt of the request at the latest. That time limit can be extended by additional 60 days where necessary, taking into account the complexity and number of the requests. The handler shall be obliged to inform the person to who the data relates to of any such extension of the time limit and of the reasons for such extension within 30 days from the receipt of the request. Where the person to whom the data relates to has submitted the request by electronic means, the information must be provided by electronic means where possible, unless that person has requested that information should be provided in another way.
If the handler fails to act on the request of the person to who the data relates to, they shall be obliged to inform such person without delay and within 30 days from the day of receipt of the request at the latest of the reasons for not taking action, as well as of the right to file a complaint with the Commissioner, i.e. to file a lawsuit.
The handler shall provide information referred to in Articles 23 and 24 of this Law i.e. information relating to exercising of the rights referred to in Article 26, Articles 29 through 31, Article 33, Articles 36 through 38 and Article 53 of this Law free of charge. Where the request of the person to whom the data relates to is manifestly unfounded or excessive, and in particular where the same request is frequently repeated, the handler may:
1) Charge the necessary administrative costs of provision of information i.e. taking action on the request;
2) Refuse to act on the request.
The burden of demonstrating that the request is manifestly unfounded or excessive shall lie with the handler.
Where the handler has reasonable doubts concerning the identity of the person who submitted the request referred to in Article 26, Articles 29 through 31, Article 33 and Articles 36 through 38 of this Law, the handler may request the provision of additional information necessary to confirm the identity of the person, which shall not exclude the application of Article 20 of this Law.
The information provided to persons to who the data relates to pursuant to Articles 23 and 24 of this Law can be provided in combination with standardized icons presented in electronic form in order to provide meaningful insight into the intended processing in an easily visible, intelligible and clearly observable manner. It must be provided that the standardized icons presented electronically are readable on an electronic device.
The Commissioner shall determine information which shall be presented by standardized icons displayed electronically and shall regulate the procedure for determining thereof.
Provisions of paragraphs 1 through 9 of this Article shall not apply to processing of data carried out by the competent authorities for special purposes.
Informing and Modality for Exercising of the Rights of the Person to who the data relates to where Processing is carried out by the Competent Authorities for Special Purposes
Article 22
Where processing is carried out by the competent authorities for special purposes, the handler shall be obliged to take reasonable measures in order to provide to the person to who the data relates to complete information referred to in Article 25 of this Law i.e. information relating to exercising of the rights referred to in Articles 27, 28, 32, 34, 35, 39 and 53 of this Law, in a concise, intelligible and easily accessible manner, by using clear and plain language. Such information shall be provided in any manner appropriate, including by electronic means. As a rule, the handler shall provide information in the same form as that of the request of the person to who the data relates to.
The handler shall be obliged to provide assistance to the person to who the data relates to in exercising of their rights referred to in Articles 27, 28, 32, 34, 35 and 39 of this Law.
The handler shall be obliged to give information to the person to whom the data relates to on actions taken on their request without delay, in writing.
The handler shall provide the information referred to in Article 25 of this Law and shall act in compliance with Articles 27, 28, 32, 34, 35, 39 and 53 of this Law free of any charge. Where the request of the person to whom the data relates to is manifestly unfounded or excessive, and in particular where the same request is frequently repeated, the competent authority may:
1) Charge the necessary administrative costs of provision of information i.e. taking action on the request;
2) Refuse to act on the request.
The burden of proof that the request is manifestly unfounded or excessive shall lie with the handler.
Where the handler has reasonable doubts concerning the identity of the person submitting the request referred to in Article 27 or Article 32 of this Law, the handler may request the provision of additional information necessary to confirm the identity of that person.
2. Information and Access to Personal Data
Information which are Given if Personal Data is collected from the Person to who the data relates to
Article 23
Where personal data is collected from the person to whom the data relates to, the handler shall be obliged to give the following information to that person at the time when personal data is collected:
1) On the identity and on the contact details of the handler as well as on the handler's representative, where he/she has been designated;
2) The contact details of the person tasked with personal data protection, where he/she has been designated;
3) On the purpose of intended processing and on the legal basis for the processing;
4) On the existence of a legitimate interest pursued by the handler or a third party, where the processing is carried out on the basis of Article 12, paragraph 1, item 6) of this Law;
5) On the recipient i.e. on the group of recipients of the personal data, if they exist;
6) On the fact that the handler intends to carry out personal data to another country or to an international organization, as well as on whether or not such country or international organization is on the list referred to in Article 64, paragraph 7 of this Law, and in the case of a transfer referred to in Articles 65 and 67 or Article 69, paragraph 2 of this Law, on the reference or the appropriate protective measures, as well as on the means by which the person to who the data relates to can get acquainted with such measures.
In addition to information referred to in paragraph 1 of this Article, the handler shall be obliged to, at the moment of collecting personal data on the person to whom the data relates to, provide the following further information which may be necessary in order to ensure fair and transparent processing with regard to that person:
1) On the period for which the personal data will be stored, or if that is not possible, on the criteria used to determine that period;
2) On the existence of the right to request from the handler access to, rectification or erasure of their personal data i.e. on the existence of the right to restriction of processing, the right to objection, as well as the right to data transferability;
3) On the existence of the right to withdraw consent at any given time, as well as that the withdrawal of consent shall not affect the permissibility of processing based on consent before its withdrawal, in cases where processing is carried out on the basis of Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law;
4) On the right to file a complaint with the Commissioner;
5) On whether the provision of personal data is a statutory or contractual obligation, or the provision of personal data is a requirement necessary to conclude a contract, as well as on whether or not the person to who the data relates to is under the obligation to give the personal data and of the possible consequences of failure to provide the data;
6) On the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4 of this Law, and, at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the person to who the data relates to.
Where the handler intends to further process the personal data for a purpose other than that for which the personal data was collected, the handler shall be obliged to provide the person to who the data relates to, prior to further processing, with information on that other purpose as well as with any relevant information as referred to in paragraph 2 of this Article.
Where the person to whom the data relates to has already been informed of any of the pieces of information referred to in paragraphs 1 through 3 of this Article, the handler shall be under no obligation to provide such information.
Provisions of paragraphs 1 through 4 of this Article shall not apply to processing of data carried out by the competent authorities for special purposes.
Information provided where Personal Data are not collected from the Person to who the data relates to
Article 24
Where personal data is not collected from the person to who the data relates to, the handler shall be obliged to provide the person to who the data relates to with the following information:
1) On the identity and on the contact details of the handler, as well as their representative, if he/she has been designated;
2) On the contact details of the person tasked with the protection of personal data, where he/she has been designated;
3) On the purpose of the intended processing and on the legal basis for the processing;
4) On the type of data that is to be processed;
5) On the recipient, i.e. on the group of recipients of the personal data, if they exist;
6) On the fact that the handler intends to carry out the personal data to another country or to an international organization, as well as on whether or not such country i.e. international organization is on the list referred to in Article 64, paragraph 7 of this Law, and in the case of the transfer referred to in Articles 65 and 67 or Article 69, paragraph 2 of this Law, on the reference to the appropriate safeguard measures, as well as on the means by which the person can get acquainted with such measures.
In addition to information referred to in paragraph 1 of this Article, the handler shall be obliged to provide the following further information to the person to who the data relates to, which may be necessary in order to ensure fair and transparent processing with regard to the person to who the data relates to:
1) On the period for which the personal data will be stored, or if that is not possible, on the criteria used to determine that period;
2) On the existence of a legitimate interest of the handler or a third party, where processing is carried out on the basis of Article 12, paragraph 1, item 6) of this Law;
3) On the existence of the right to request from the handler access to, rectification or erasure of their personal data i.e. on the existence of the right to restriction of processing, the right to objection to processing, as well as the right to data transferability;
4) On the existence of the right to withdraw consent at any given time, as well as that the withdrawal of consent shall not affect the permissibility of processing based on consent before its withdrawal, in cases where processing is carried out on the basis of Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law;
5) On the right to file a complaint with the Commissioner;
6) On the source from which the personal data originates, and, where necessary, on whether data originates from the publicly available sources or not;
7) On the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4 of this Law, and, at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the person to who the data relates to.
The handler shall be obliged to provide information referred to in paragraphs 1 and 2 of this Article:
1) Within a reasonable time limit following collecting of the personal data, and within 30 days at the latest, having regard to all the specific circumstances of the processing;
2) At the latest on the occasion of establishing the first communication, where the personal data is used for communication with the person to who the data relates to;
3) At the latest on the occasion when the personal data is first disclosed, where disclosure of personal data to another recipient is envisaged.
Where the handler intends to further process the personal data for a purpose other than that for which the personal data was collected, the handler shall be obliged to provide the person to who the data relates to, prior to commencing such further processing, with information on that other purpose, as well as with any relevant further information as referred to in paragraph 2 of this Article.
The handler shall not be obliged to provide information referred to in paragraphs 1 through 4 of this Article to the person to who the data relates to if:
1) The person to who the data relates to already has that information;
2) The provision of such information proves impossible or would require disproportionate consummation of time and means, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes, as well as for statistical purposes, subject to the conditions and safeguard measures referred to in Article 92 paragraph 1 of this Law or if it is probable that the discharging of obligations referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the purposes of that processing. In such cases, the handler shall take appropriate measures to protect the rights and freedoms of the person to who the data relates to, as well as the legitimate interests of the person to who the data relates to, which shall include public publication of such information;
3) Collecting or disclosure of personal data is expressly laid down by the law providing for the appropriate measures to protect the legitimate interests of the person to who the data relates to;
4) The confidentiality of personal data must be kept in accordance with an obligation of professional secrecy which is prescribed by law.
Provisions of paragraphs 1 through 5 of this Article shall not apply to processing of data carried out by the competent authorities for special purposes.
Information which is made Available or provided to the Person to who the data relates to, where Processing is carried out by the Competent Authorities for Special Purposes
Article 25
Where processing is carried out by the competent authorities for special purposes, the handler shall be obliged to make available to the person to who the data relates to at least the following information:
1) On the identity and contact details of the handler;
2) On the contact details of the person for protection of personal data, where they are designated;
3) On the purpose of intended processing;
4) On the right to file a complaint with the Commissioner and the contact details of the Commissioner;
5) On the existence of the right to request from the handler access to, rectification or erasure of his personal data i.e. on the existence of the right to restrict processing of such data.
In addition to information referred to in paragraph 1 of this Article, the handler shall be obliged to provide the person to who the data relates to the following additional information, in order to enable, in certain cases, exercising of his rights:
1) On the legal grounds for data processing;
2) On the period for which the personal data will be stored, or where that is not possible, on the criteria used to determine that period;
3) On the group of recipients of personal data, if any, including those in other states or international organizations;
4) Other data, where necessary, and in particular where personal data has been collected without the knowledge of the person to who the data relates to.
The information referred to in paragraph 2 of this Article which is relating to individual types of data processing can be denied i.e. provided under restrictions or at a later time to the person to who the data relates to only in so far and in the duration as necessary and proportionate in a democratic society with regard to the respect of the fundamental rights and legitimate interests of natural persons, in order to:
1) Avoid disturbance of official or legally regulated collection of information, investigation or procedure;
2) Enable preventing, investigation and discovery of criminal offences, prosecution of the perpetrators of criminal offences or enforcement of criminal sanctions;
3) Protect public safety;
4) Protect national security and defense;
5) Protect the rights and freedoms of other persons.
The law can determine the types of processing which, entirely or partly can be covered by some of the cases referred to in paragraph 3 of this Article.
Right of Access belonging to the Person to whom the data relates to
Article 26
The person to who the data relates to shall be entitled to request from the handler information on whether or not his personal data is being processed, access to such personal data, as well as the following information:
1) On the purpose of the processing;
2) On the types of personal data which is being processed;
3) On the recipients or types of recipients to whom the personal data have been or will be disclosed, in particular on the recipients in other countries or international organizations;
4) On the envisaged period for which the personal data will be stored, or, where that is not possible, on the criteria used to determine that period;
5) On the existence of the right to request from the handler rectification or erasure of his personal data, the right to restrict the processing and the right to object to such processing;
6) On the right to file a complaint with the Commissioner;
7) Available information on the source of personal data, where the personal data has not been collected from the person to who the data relates to;
8) On the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4 of this Law and, at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the person to who the data relates to.
Where personal data is transferred to another state or international organization, the person to who the data relates to shall have the right to be informed of the appropriate safeguard measures relating to the transfer, in compliance with Article 65 of this Law.
At the request of the person to whom the data relates to the handler shall be obliged to provide a copy of the data undergoing processing. The handler may request compensation of the necessary costs for any further copies requested by the person to whom the data relates to. Where the request for the copy is sent by electronic means, the information shall be provided in a commonly used electronic form, unless different kind of delivery is requested by the person to who the data relates to.
Exercising of the right to obtain a copy referred to in paragraph 3 of this Article shall not adversely affect the exercising of the rights and freedoms of other persons.
Provisions of paragraphs 1 to 4 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Right to Access to Data Processed by the Competent Authorities belonging to the Person to whom the data relates to
Article 27
Where personal data is processed by the competent authorities for special purposes, the person to who the data relates to shall be entitled to obtain from the handler information on whether or not his personal data is being processed, access to such data, as well as the following information:
1) On the purpose of processing and on the legal basis for the processing;
2) On the types of personal data that is being processed;
3) On the recipient or the types of recipients to which the personal data has been disclosed, and in particular on the recipients in other states or international organizations;
4) On the envisaged period for storage of personal data or, where this is not possible, on the criteria used to determine such period;
5) On the existence of the right to request from the handler rectification or erasure of his personal data, i.e. the right to restrict the processing of such data;
6) On the right to file a complaint to the Commissioner, as well as on the contact details of the Commissioner;
7) Information on the personal data that is being processed, as well as the available information on their source.
Restriction of the Right to Access
Article 28
The right to access referred to in Article 27 of this Law can be restricted, in its entirety or in a part thereof, only in so far and in the duration as such partial or complete restriction is necessary and represents a proportionate measure in a democratic society, with respect of the fundamental rights and legitimate interests of the persons whose personal data is being processed, in order to:
1) Avoid disturbance of official or legally regulated collection of information, investigation or procedures;
2) Enable preventing, investigation and discovery of criminal offences, prosecution of the perpetrators of criminal offences or enforcement of criminal sanctions;
3) Protect public safety;
4) Protect national security and defense;
5) Protect the rights and freedoms of other persons.
The law can determine the types of processing which, in their entirety or in a part thereof, can be covered by some of the cases referred to in paragraph 1 of this Article.
The handler shall be obliged to notify the person to who the data relates to in writing of the rejection or restriction of access to his personal data, as well as of the reasons for rejection or restriction, without undue delay, and within 15 days at the latest.
The handler shall not be obliged to act in compliance with paragraph 3 of this Article if that would call into question the realization of purpose for which the access has been refused or restricted.
In the case referred to in paragraph 4 of this Article, as well as in the case where it is determined in the procedure at the request for access to data that the personal data of the person submitting the request is not being processed, the handler shall be obliged to, without undue delay, and within 15 days at the latest, notify in writing the person submitting the request that it has been determined by means of a check that there is no personal data with regard to which the right envisaged by the law can be exercised, as well as that they can address a complaint to the Commissioner i.e. an action to a court.
The handler shall be obliged to document the factual and legal reasons for passing of the decision on the restriction of the right referred to in paragraph 1 of this Article, which must be placed at the disposal to the Commissioner, at his request.
3. Right to Rectification, Supplement, Erasure, Restriction and to Transferability
Right to Rectification and Supplement
Article 29
The person to who the data relates to shall have the right to his inaccurate personal data rectified without undue delay. Depending on the purpose of the processing, the person to who the data relates to shall have the right to have his incomplete personal data supplemented, including by means of providing a supplementary statement.
Right to Erasure of Personal Data
Article 30
The person to who the data relates to shall have the right to have the personal data concerning them erased by the handler.
The handler shall be obliged to erase the personal data referred to in paragraph 1 of this Article without undue delay in the following cases:
1) The personal data is no longer necessary for realization of purpose for which it was collected or otherwise processed;
2) The person to who the data relates to has withdrawn the consent based on which processing has been carried out, in compliance with Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law, and where there is no other legal ground for processing;
3) The person to who the data relates to has filed a complaint to processing in compliance with:
а) Article 37, paragraph 1 of this Law, and there is no other legal ground for processing which is overriding the legitimate interest, right or freedom of the person to who the data relates to,
b) Article 37, paragraph 2 of this Law;
4) The personal data has been unlawfully processed;
5) The personal data must be erased with the aim of discharging of the legal obligations of the handler;
6) The personal data has been collected in relation to the use of information society services referred to in Article 16, paragraph 1 of this Law.
Where the handler has made the personal data public, his obligation to erase personal data in compliance with paragraph 1 of this Article shall include taking all the reasonable measures, including technical measures, taking into account available technologies and the potentials to bear the costs of their use, with the aim of informing other handlers which are processing such personal data that the person to who the data relates to has submitted the request to erase all the copies of such data and references, i.e. electronic links to this data.
The person to who the data relates to shall submit the request for exercising of the right referred to in paragraph 1 of this Article to the handler.
Paragraphs 1 through 3 of this Article shall not apply to the extent that the processing is necessary for:
1) Exercising the right of freedom of expression and information;
2) Compliance with a legal obligation of the handler which requires processing or for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the handler;
3) Realizing public interest in the area of public health, in compliance with Article 17, paragraph 2, items 8) and 9) of this Law;
4) Archiving purposes in the public interest, scientific or historical research purposes, as well as for statistical purposes in compliance with Article 92, paragraph 1 of this Law, and it is justifiably expected that the exercise of the right referred to in paragraphs 1 and 2 of this Article could render impossible or seriously impair the achievement of the objectives of that purpose;
5) Submission, exercising or defense of a legal claim.
Provisions of paragraphs 1 through 5 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Right to Restriction of Processing
Article 31
The person to who the data relates to is entitled to have the processing of his personal data restricted by the handler, where one of the following cases applies:
1) The accuracy of the personal data is contested by the person to who the data relates to, for a period enabling the handler to verify the accuracy of the personal data;
2) The processing is unlawful and the person to who the data relates to opposes the erasure of the personal data and requests the restriction of its use instead;
3) The handler no longer needs the personal data for the realization of purposes of the processing, but the person to who the data relates to requested it for the purpose of submission, exercise or defense of a legal claim;
4) The person to who the data relates to has submitted an objection to processing pursuant to Article 37, paragraph 1 of this Law, and the assessment whether the legal grounds for processing by the handler override the interests of that person is ongoing.
Where processing has been restricted in compliance with paragraph 1 of this Article, such data may only be further processed based on consent of the person to who the data relates to, except where it is a case of its storage or for the purpose of submission, exercise or defense of a legal claim or for the protection of the rights of other natural i.e. legal persons or for reasons of realization of important public interests.
Where processing has been restricted in compliance with paragraph 1 of this Article, the handler shall be obliged to inform the person to who the data relates to on the termination of the restriction, before the restriction of processing is terminated.
Provisions of paragraphs 1 through 3 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Right to Erasure or Restriction of Processing Carried Out by the Competent Authorities for Special Purposes
Article 32
Where processing is carried out by the competent authorities for special purposes, the person to who the data relates to shall have the right to have their personal data erased by the handler and the handler shall be obliged to, without undue delay, erase such data where the processing has been carried out in violation of the provisions of Articles 5, 13 and 18 of this Law or where the personal data must be erased for compliance with a legal obligation of the handler.
The handler shall be obliged to restrict the processing, instead of erasing the personal data, in the following cases:
1) Accuracy of personal data has been contested by the person to who the data relates to, and the accuracy i.e. inaccuracy thereof cannot be determined;
2) Personal data must be stored with the aim of collecting and provision of evidence.
Where processing has been restricted in compliance with paragraph 2, item 1) of this Article, the handler shall be obliged to inform the person to who the data relates to on the termination of the restriction, before the restriction of processing is terminated.
Obligation of Notification Regarding Rectification or Erasure of Data, As Well As Restriction of Processing
Article 33
The handler shall be obliged to notify all the recipients to which personal data has been disclosed on each rectification or erasure of personal data or restriction of the processing thereof in compliance with Article 29, Article 30, paragraph 1 and Article 31 of this Law, unless where that is impossible or requires disproportionate use of time and resources.
The handler shall be obliged to notify the person to who the data relates to, at their request, of all the recipients referred to in paragraph 1 of this Article.
Provisions of paragraphs 1 through 2 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Obligation of Notification Regarding Rectification or Erasure of Data, as well as Restriction of Processing Carried Out by the Competent Authorities for Special Purposes
Article 34
Where the processing is carried out by the competent authorities for special purposes, the handler shall be obliged to notify the person to who the data relates to in writing of the rejection of rectification or erasure of their personal data, i.e. of the restriction of processing, as well as of the reasons for such rejection or restriction.
The handler shall be completely or partially relieved from the obligation of notification referred to in paragraph 1 of this Article in so far as such restriction is a necessary and proportionate measure in a democratic society, with due respect of the fundamental rights and legitimate interests of the person to who the data relates to, in order to:
1) Avoid disturbance of official or statutory regulated collection of information, investigation or procedures;
2) Enable preventing, investigation and discovery of criminal offences, prosecution of the perpetrators of criminal offences or enforcement of criminal sanctions;
3) Protect public safety;
4) Protect national security and defense;
5) Protect the rights and freedoms of other persons.
In the case referred to in paragraphs 1 and 2 of this Article, the handler shall be obliged to inform the person to who the data relates to that they can address a complaint to the Commissioner i.e. an action to a court.
The handler shall be obliged to inform the competent authority from which such data has been obtained of the rectification of inaccurate data.
Where the personal data has been rectified, erased or where the processing thereof has been restricted in compliance with Article 29 and Article 32, paragraphs 1 and 2 of this Law, the handler shall be obliged to inform the recipients of such data of their rectification, erasure or restriction of processing.
The recipients of data which have been informed in compliance with paragraph 5 of this Article shall be obliged to rectify or erase the data they hold or restrict their processing.
Exercising of the Right of the Person to who the data relates to Where Processing is Carried Out by the Competent Authorities for Special Purposes and Verification by the Commissioner
Article 35
In the cases referred to in Article 25, paragraph 3, Article 28, paragraphs 3 and 4 and Article 34, paragraph 2 of this Law, the rights of the person to who the data relates to can additionally be exercised through the Commissioner, in compliance with the Commissioner’s powers prescribed by this Law.
The handler shall be obliged to notify the person to who the data relates to of the option of exercising of their rights through the Commissioner in the cases referred to in paragraph 1 of this Article.
Where, in the cases referred to in paragraph 1 of this Article, the rights of the person at least to who the data relates to are exercised through the Commissioner, the Commissioner shall be obliged to at least notify such person that the verification and monitoring of their personal data has been conducted, as well as of the right to address the court for the protection of their rights.
Article 36
The person to who the data relates to shall have the right to receive the personal data concerning him or her, which he or she has previously provided to a handler, in a structured, commonly used and machine- readable format and have the right to transmit such data to another handler without hindrance from the handler to which the personal data has been provided, where the following conditions have been aggregately fulfilled:
1) The processing is based on consent pursuant to Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law or based on a contract, in compliance with Article 12, paragraph 1, item 2) of this Law;
2) The processing is carried out by automated means.
The right referred to in paragraph 1 of this Article shall additionally include the right of the person to have his or hers personal data transferred directly to another handler by the handler to which such data has previously been transferred, where technically feasible.
The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to the application of Article 30 of this Law. The right referred to in paragraph 1 of this Article cannot be exercised where the processing is necessary for the performance of tasks carried out in the public interest or in the exercise of official authorities vested in the handler.
Exercising of the right referred to in paragraph 1 of this Article may not adversely affect the exercise of rights and freedoms of other persons.
Provisions of paragraphs 1 through 4 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
4. Right to Objection and Automated Adoption of Individual Decisions
Article 37
Where they consider that to be duly justified in relation to a particular situation in which they find themselves, the person to who the data relates to shall have the right to, at any time, submit to the handler an objection to processing of their personal data which is carried out in compliance with Article 12, paragraph 1, items 5) and 6) of this Law, including profiling based on those provisions. The handler shall be obliged to discontinue the processing of data relating to the person submitting the objection, unless the handler demonstrates the existence of statutory reasons for the processing which override the interests, rights and freedoms of the person to who the data relates to or are in connection to submission, exercise or defense of a legal claim.
The person to who the data relates to shall have the right to, at any given moment, submit an objection to processing of their personal data which is processed for direct marketing purposes, which includes profiling, to the extent that it is related to such direct marketing.
If the person to whom the data relates to submits an objection to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
The handler shall, at the latest at the time of establishing the first communication with the person to who the data relates to, warn such person on the existence of the right referred to in paragraphs 1 and 2 of this Article and to inform them about such rights in a direct and clear way, separately from any other information the handler provides to such person.
In the context of the use of information society services, the person to who the data relates to shall have the right to submit an objection by automated means, in compliance with the technical specifications for the use of services.
Where personal data is processed for scientific or historical research purposes or for statistical purposes in compliance with Article 92 of this Law, the person to who the data relates to, on grounds relating to his or her particular situation, shall have the right to submit objection to processing of his or hers personal data, unless the processing is necessary for the performance of affairs in the public interest.
Automated Adoption of Individual Decisions and Profiling
Article 38
The person to who the data relates to shall have the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal effects concerning such person or where such decision significantly affects his or her position.
Paragraph 1 of this Article shall not apply where the decision is:
1) Necessary for conclusion or performance of a contract between the person to who the data relates to and the handler;
2) Based on the law, where such law prescribes suitable measures to safeguard the rights, freedoms and legitimate interests of the person to who the data relates to;
3) Based on the explicit consent of the person to who the data relates to.
In the case referred to in paragraph 2, items 1) and 3) of this Article, the handler shall be obliged to implement suitable measures to safeguard the rights, freedoms and legitimate interests of the person to who the data relates to, and at least the right to ensure the natural person’s participation under control of the handler in decision-making, the right of the person to who the data relates to, to express his or her point of view with regard to the decision, as well as the right of the person to who the data relates to, to contest the decision before the authorized person of the handler.
The decisions referred to in paragraph 2 of this Article may not be based on special types of personal data referred to in Article 17, paragraph 1 of this Law, unless Article 17, paragraph 2, items 1) and 5) of this Law apply and where suitable measures to safeguard the rights, freedoms and legitimate interests of the person to who the data relates to are in place.
Provisions of paragraphs 1 through 4 of this Article shall not apply to the processing of data carried out by the competent authorities for special purposes.
Automated Adoption of Individual Decisions and Profiling in connection to the Processing Carried Out by the Competent Authorities for Special Purposes
Article 39
Decision-making based solely on automated processing carried out by the competent authorities for special purposes, including profiling, shall be prohibited, where such decision may produce adverse legal effects concerning the person to who the data relates to or where such decision significantly affects the position of that person, except where such decision-making is based on the law and where such law lays down suitable measures to safeguard the rights and freedoms of the person to who the data relates to, and at least the right to ensure the natural person’s participation under control of the handler in decision-making.
The decision referred to in paragraph 1 of this Article may not be based on special types of personal data referred to in Article 18, paragraph 1 of this Law, unless where suitable measures to safeguard the rights, freedoms and legitimate interests of the person to who the data relates to are applied.
Profiling leading to discrimination of natural persons on the grounds of the special types of personal data referred to in Article 18, paragraph 1 of this Law shall be prohibited.
Article 40
The rights and obligations referred to in Articles 21, 23, 24, 26, Articles 29 through 31, Article 33, Articles 36 through 39 and Article 53, as well as Article 5 of this Law where such provisions pertain to exercising of rights and obligations referred to in Articles 21, 23, 24, 26, Articles 29 through 31, Article 33 and Articles 36 through 39 of this Law, can be restricted where such restrictions do not interfere with the essence of the fundamental rights and freedoms and where that represents a necessary and proportionate measure in a democratic society for safeguarding of:
1) National security;
2) Defense;
3) Public security;
4) Prevention, investigation and discovery of criminal offences, prosecution of perpetrators of criminal offences or enforcement of criminal sanctions, including prevention and protection against threats to public security;
5) Other important public interests, and in particular the important state or financial interests of the Republic of Serbia, including monetary policy, budget, tax system, public health and social protection;
6) Independence of the judiciary and court proceedings;
7) Prevention, investigation, detection and prosecution of breaches of professional ethics;
8) Function of monitoring, supervision or the performance of regulatory function that is permanently or occasionally connected to the exercise of official authorities in the cases referred to in items 1) through 5) and item 7) of this paragraph;
9) Persons to who the data relates to or the rights and freedoms of other persons;
10) Pursuing claims in civil law affairs.
Where necessary, in implementation of the restrictions of the rights and obligations referred to in paragraph 1 of this Article, at least the following must be taken into account:
1) Purposes of the processing or the types of processing;
2) Types of personal data;
3) Scope of restrictions;
4) Protection measures with the aim to prevent abuse, unpermitted access or transfer of personal data;
5) Specifics of the handler, i.e. the type of handler;
6) Storage period and the measures to protect the personal data that can be applied, taking into account the nature, scope and purposes of the processing or the type of processing;
7) Risks to the rights and freedoms of persons to who the data relates to;
8) Right of person to who the data relates to, to be informed about the restriction, unless where such information is prejudicial to realization of the purpose of the restriction.
Provisions of paragraphs 1 and 2 of this Article shall additionally apply in the cases where processing by the competent authorities is not performed for special purposes.
Article 41
The handler shall be obliged to implement appropriate technical, organizational and staff-related measures to ensure that processing is performed in accordance with this Law and to be able to demonstrate that, taking into account the nature, scope, circumstances and purpose of processing, as well as the likelihood of the occurrence of risks and the risk level for the rights and freedoms of natural persons.
The measures referred to in paragraph 1 of this Article shall be reviewed and updated where necessary.
Where proportionate in relation to processing of data, the measures referred to in paragraph 1 of this Article shall include the implementation of appropriate internal bylaws of the handler on the protection of personal data.
The handler may also demonstrate their compliance with the obligations referred to in paragraph 1 of this Article based on the implementation of the approved code of conduct as referred to in Article 59 of this Law or based on the issued certificate as referred to in Article 61 of this Law.
Paragraph 4 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Article 42
Taking into account the level of technical achievements and the costs of their implementation, the nature, scope, circumstances and purpose of processing, as well as the likelihood of the occurrence of risk and the risk level for the rights and freedoms of natural persons arising from the processing, the handler shall be obliged, both on the occasion of determining the processing method and during processing itself, to:
1) Implement appropriate technical, organizational and staff-related measures, such as pseudonymization, which are aimed at ensuring effective implementation of data-protection principles, such as data minimization;
2) Ensure implementation of the necessary safeguard mechanisms during processing, in order to meet the requirements for processing prescribed by this Law and to protect the rights and freedoms of the person to who the data relates to.
The handler shall be obliged to, through constant implementation of appropriate technical, organizational and staff-related measures ensure that only personal data which are necessary for realization of each specific purpose of the processing are always processed. That obligation applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility.
The measures referred to in paragraph 2 of this Article must always ensure that without the intervention of a natural person the personal data cannot be made accessible to an indefinite number of natural persons.
The issued certificate as referred to in Article 61 of this Law may be used by the handler to demonstrate their compliance with the obligations referred to in paragraphs 1 through 3 of this Article.
Paragraph 4 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Article 43
Where two or more handlers jointly determine the purpose and method of processing, they shall deem to be joint handlers.
The joint handlers referred to in paragraph 1 of this Article shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations prescribed by this Law, in particular the obligations as regards the exercising of the rights of the person to who the data relates to and their respective fulfilling of duties to provide to such person information referred to in Articles 23 through 25 of this Law.
The responsibility referred to in paragraph 2 of this Article shall be regulated by an agreement of the joint handlers, unless such responsibility is laid down by the law applicable to the handlers.
The agreement referred to in paragraph 3 of this Article must designate a person in charge of contact with the person to who the data relates to and regulate the relationships of each individual joint handler with the person to whom the data relates to.
The essence of the provisions of the agreement referred to in paragraph 3 of this Article must be made available to the person to who the data relates to.
Provisions of paragraphs 4 and 5 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Irrespective of the provisions of the agreement referred to in paragraph 3 of this Article, the person to who the data relates to may exercise his or her rights laid down by this Law individually in respect to each of the joint handlers.
Representatives of Handlers or Processors Which Do Not Have Their Seat in the Republic of Serbia
Article 44
The handler i.e. the processor, in the cases referred to in Article 3, paragraph 4 of this Law, shall be obliged to designate in writing a representative in the Republic of Serbia, unless where:
1) Processing is occasional, does not include a large scale processing of special data referred to in Article 17, paragraph 1 of this Law or personal data relating to convictions for criminal offences and punishable offences referred to in Article 19 of this Law, and is unlikely to cause any risk to the rights and freedoms of natural persons, taking into account the nature, circumstances, scope and purposes of the processing;
2) Handler i.e. the processor is a government agency.
The handler i.e. the processor shall authorize the representatives referred to in paragraph 1 of this Article as a person to which, in addition to the handler or processor, i.e. instead of them, the person to who the data relates to, the Commissioner or another person can contact in respect of all the issues related to processing of personal data, for the purposes of ensuring compliance with the provisions of this Law.
A complaint, action and other legal requests referred to in this Law can be filed against the handler or processor, irrespective of whether their representative referred to in paragraph 1 of this Article has been designated or not.
Article 45
Where processing is carried out on behalf of the handler, the handler may designate as processors only the person or the government agency which can fully guarantee the implementation of appropriate technical, organizational and staff-related measures, in such a manner as to ensure that processing is carried out in compliance with the provisions of this Law and that the protection of the rights of the person to who the data relates to is ensured.
The processor referred to in paragraph 1 of this Article may entrust the processing to another processor only if he is authorized to do so by the handler based on a general or specific written authorization. Where processing is carried out on the basis of a general authorization, the processor shall be obliged to inform the handler of any intended selection of another processor, i.e. change of the processor, thereby giving the handler the opportunity to oppose such change.
Processing by a processor must be regulated by a contract or other legally binding act, which is concluded i.e. adopted in writing, which shall include by electronic means as well, that is binding on the processor with regard to the handler and that regulates the subject-matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the type of persons whose data is being processed, as well as the rights and obligations of the handler.
The contract or another legally binding act referred to in paragraph 3 of this Article shall prescribe that the processor is due to:
1) Process the personal data only based on written instructions from the handler, including the instructions with regard to the transfer of personal data to other countries or international organizations, unless where the processor is obliged to process data by the law. In such a case, the processor shall be obliged to inform the handler of that legal obligation before commencing the processing, unless where that law prohibits provision of such information on the grounds of protection of an important public interest;
2) Ensure that the natural person who is authorized to process the personal data has committed to confidentiality of data or that such person is subject to a statutory obligation of keeping the data confidential;
3) Take all the necessary measures in compliance with Article 50 of this Law;
4) Comply with the conditions for entrusting the processing to another processor as referred to in paragraphs 2 and 7 of this Article;
5) Taking into account the nature of processing, assist the handler by applying appropriate technical, organizational and staff-related measures, insofar as this is possible, for the fulfilment of the handler's obligations regarding the requests for exercising the rights of the person to who the data relates to laid down in Chapter III of this Law;
6) Assist the handler in compliance with the obligations referred to in Article 50 and Articles 52 through 55 of this Law, taking into account the nature of processing and information available to them;
7) Following the completion of agreed activities of processing, and based on the decision of the handler, delete or return to the handler all personal data and delete all copies of such data, unless where the obligation to store data is prescribed by law;
8) Make available to the handler all information necessary to demonstrate compliance with the obligations of the processor laid down in this Article, as well as information that enable and contribute to the control of work of the processor which is conducted by the handler or another person authorized to do so by the handler.
In the case referred to in paragraph 4, item 8) of this Article, the processor shall be obliged to warn the handler without delay if he deems that the written instructions obtained from the handler are not in compliance with this Law or other law which regulates the protection of personal data.
Where the processing is carried out by the competent authorities for special purposes, the contract or another legally binding act referred to in paragraph 3 of this Article shall prescribe that the processor is due to:
1) Process personal data on the basis of the instructions of the handler only;
2) Ensure that the person authorized to process data has committed to keeping the confidentiality of data or that such person is subject to a statutory obligation to keep confidentiality of data;
3) Assist in an appropriate manner the handler in fulfilment of the handler's obligation to comply with the provisions on the rights of the person to who the data relates to referred to in Chapter III of this Law;
4) Following the completion of agreed activities of processing, and based on the decision of the handler, delete or return to the handler all personal data and delete all copies of such data, unless where the obligation to store data is prescribed by law;
5) Make available to the handler all information which is necessary to demonstrate the compliance with the obligations of the processor laid down in this Article;
6) Ensure compliance with the conditions referred to in paragraphs 2, 3 and 6 of this Article if he entrusts the processing to another processor.
Where a processor designates another processor for carrying out specific processing activities on behalf of the handler, the same data protection obligations as set out in the contract or other legally binding act between the handler and the processor referred to in paragraphs 3 and 4 of this Articles shall bind that other processor, on the basis of a separate contract or other legally binding act which is concluded i.e. adopted in writing, which includes electronic means, whereby sufficient guarantees for implementation of adequate technical, organizational and staff-related measures are imposed upon the processor and the other processor ensuring that the processing is carried out in compliance with this Law. If the other processor fails to fulfil his obligations relating to personal data protection, the processor shall be liable to the handler for the fulfillment of those obligations.
If the processor violates the provisions of this Law by determining the purpose and method of processing of the personal data, the processor shall be considered to be the handler in relation to that processing.
The application of the approved code of conduct as referred to in Article 59 of this Law i.e. of the issued certificate as referred to in Article 61 of this Law can be used to demonstrate that the processor fulfils the obligations of providing guarantees referred to in paragraphs 1 and 7 of this Article.
The legal relationship between the handler and the processor which is regulated in compliance with paragraphs 3 and 7 of this Article can be based entirely or partly on the standard contractual clauses referred to in paragraph 11 of this Article, including those relating to the certificate that is granted to the handler or to the processor in compliance with Articles 61 and 62 of this Law.
The Commissioner may draw up standard contractual clauses which pertain to the obligations referred to in paragraphs 3 and 7 of this Article, taking into account in particular the European practice in drawing up of standard contractual clauses.
Provisions of paragraphs 4, 5, 7 and paragraphs 9 through 11 of this Article shall not apply to the competent authorities which are carrying out processing for special purposes.
Article 46
The processor i.e. any other person who has been authorized by the handler or the processor to access the personal data, may not process such data without an order from the handler, unless such processing is laid down by the law.
Records of Processing Activities
Article 47
The handler and their representative, where they are appointed, shall be obliged to maintain records on processing activities under their responsibility, which shall contain information on:
1) The name and contact details of the handler and, if any i.e. where they are appointed, of the joint handlers, the handler's representative and the person in charge of protecting the personal data;
2) The purpose of processing;
3) The type of persons to who the data relates to and on the type of personal data;
4) The type of recipients to whom the personal data have been or will be disclosed, including recipients in other countries or international organizations;
5) The transfer of personal data to other countries or international organizations, including the name of other country or international organization, as well as the documents on implementation of safeguard measures where data is transferred in compliance with Article 69, paragraph 2 of this Law, where such transfer of personal data is performed;
6) The time limit upon the expiry of which certain types of personal data shall be erased, where such time limit has been set;
7) The general description of the safeguard measures referred to in Article 50, paragraph 1 of this Law, if possible.
Provisions of paragraph 1 of this Article shall not apply where the processing is carried out by the competent authorities for special purposes.
Where the processing is carried out by the competent authorities for special purposes, the handler shall be obliged to maintain the records on all the types of processing activities under their responsibility, which shall contain information on:
1) The name and contact details of the handler and, if any i.e. where they are designated, of the joint handlers and the person in charge of protection of personal data;
2) The purpose of the processing;
3) The type of person to who the data relates to and on the type of personal data;
4) The type of recipients to whom the personal data has been or will be disclosed, including recipients in other states or international organizations;
5) The use of profiling, where profiling is used;
6) The types of personal data transfers to other states or international organizations, if such personal data transfers are performed;
7) The legal grounds for the processing procedure, including the personal data transfer;
8) The time limit upon the expiry of which certain types of personal data shall be erased, where such time limit has been set;
9) The general description of the safeguard measures referred to in Article 50, paragraph 1 of this Law, where possible.
The processor and his representative, if appointed, shall be obliged to maintain the records on all the types of processing activities performed on behalf of a handler, which shall contain information on:
1) The name and contact details of each processor and each handler on behalf of which processing is carried out, i.e. if any i.e. where they are designated, of the handler's or processor’s representative and the person in charge of protection of personal data;
2) The types of processing performed on behalf of each handler;
3) The transfer of personal data to other countries or international organizations, including the name of other country or international organization, as well as the documents on implementation of safeguard measures where data is transferred in compliance with Article 69, paragraph 2 of this Law, where such transfer of personal data is performed;
4) The general description of the safeguard measures referred to in Article 50, paragraph 1 of this Law, where possible.
Provisions of paragraph 4 of this Article shall not apply where the processing is carried out by the competent authorities for special purposes.
Where the processing is carried out by the competent authorities for special purposes, each processor shall be obliged to maintain the records on all the types of processing activities performed on behalf of the handler, which shall contain information on:
1) The name and contact details of each processor and each handler on behalf of which processing is performed, i.e. of the person in charge of protection of personal data, where they are designated;
2) The types of processing performed on behalf of each handler;
3) The transfer of personal data to other states or international organizations provided that the handler requires that explicitly, including the name of the state or international organization, where such transfer of personal data is performed;
4) The general description of the safeguard measures referred to in Article 50, paragraph 1 of this Law, where possible.
The records referred to in paragraphs 1, 3, 4 and 6 of this Article shall be maintained in writing, which includes the electronic shape and shall be kept permanently.
The handler or the processor, as well as their representatives, where appointed, shall be obliged to make the records referred to in paragraphs 1, 3, 4 and 6 of this Article available to the Commissioner, at their request.
Provisions of paragraphs 1 and 4 of this Article shall not apply to the economic operators and organizations employing less than 250 persons, except where:
1) The processing that they perform can result in a high risk to the rights and freedoms of the person to who the data relates to;
2) The processing is not occasional;
3) The processing includes special types of personal data as referred to in Article 17, paragraph 1 of this Law or personal data relating to criminal convictions, punishable offences and safeguard measures referred to in Article 19 of this Law.
Recording of Processing Activities Performed by the Competent Authorities for Special Purposes
Article 48
The competent authority which is processing data for special purposes shall be obliged to ensure that on the occasion of the use of system for automatic processing in that system at least the following processing activities are recorded: entry, alteration, insight, disclosure, including transfer, comparison and erasure.
Recording of inspection and disclosure of personal data must enable determining of reasons for performing the processing activities, date and time of processing activities and, where possible, identity of the person performing insight or disclosing the personal data, as well as the identity of the recipient of such data.
The recording referred to in paragraph 1 of this Article can only be used for the purpose of assessment of legality of the processing, internal supervision, ensuring integrity and safety of data, as well as initiating and conducting criminal proceedings.
The record created by means of recording referred to in paragraph 1 of this Article shall be made available to the Commissioner for inspection, at his request.
Cooperation with the Commissioner
Article 49
The handler, processor and their representatives, where they are designated, shall cooperate with the Commissioner in the performance of his powers.
Article 50
In accordance with the level of technological achievements and the costs of implementation thereof, the nature, scope, circumstances and purposes of processing, as well as the likelihood of the occurrence of risk and the level of risk to the rights and freedoms of natural persons, the handler and the processor shall implement the appropriate technical, organizational and staff-related measures to achieve an appropriate level of security in relation to the risk.
As appropriate, the measures referred to in paragraph 1 of this Article shall in particular include:
1) The pseudonymization and encryption of personal data;
2) The ability to ensure durable confidentiality, integrity, availability and resilience of the system and processing services;
3) Ensuring that the availability and access to personal data is restored in the event of physical or technical incidents within the shortest time possible;
4) The procedure of regular testing, assessing and evaluating the effectiveness of technical, organizational and staff-related measures for security of the processing.
When assessing the appropriate level of security referred to in paragraph 1 of this Article, account shall in particular be taken of the risks that are presented by processing, in particular risks from accidental or illegal destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Application of the approved code of conduct as referred to in Article 59 of this Law, i.e. an issued certificate as referred to in Article 61 of this Law, may be used for demonstrating compliance with the obligations referred to in paragraph 1 of this Article.
The handler and the processor shall be obliged to take measures with the aim of ensuring that any natural person authorized to access personal data by the handler or the processor, processes such data only on the order of the handler or if so required by the law.
Provisions of paragraphs 1 through 5 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Security of Processing Performed by the Competent Authorities for Special Purposes
Article 51
Where the processing is performed by the competent authorities for special purpose, and in accordance with the level of technological achievements and the costs of the application thereof, the nature, scope, circumstances and the purpose of processing, as well as the likelihood of the occurrence of risks and the level of risk to the rights and freedoms of natural persons, the handler and the processor shall implement the adequate technical, organizational and staff-related measures in order to achieve an adequate level of security in relation to the risk, in particular in cases of processing of special types of personal data as referred to in Article 18 of this Law.
Based on the assessment of risk, the handler or the processor shall be obliged to, in the process of automatic processing, implement adequate measures referred to in paragraph 1 of this Article which shall ensure that:
1) Access to the equipment used for processing is prevented to any unauthorized person ("control of access to the equipment");
2) Unauthorized reading, copying, change or removal of data carriers is prevented ("control of data carriers");
3) Unauthorized entering of personal data, as well as any unauthorized modification, erasure and control of the stored personal data is prevented ("storage control");
4) The use of automatic processing system by any unauthorized person is prevented, by using the data transfer equipment ("usage control");
5) The person authorized to use the system for automatic processing has access only to the personal data covered by their authorization for access to data is ensured ("control of access to data");
6) They may check i.e. determine to whom personal data has been transferred, may be transferred or made available, by using the equipment for data transfer ("transfer control");
7) They may subsequently check i.e. determine which pieces of personal data have been entered in the system for automatic processing, by which person and when they were entered ("entry control");
8) Unauthorized reading, copying, modification or erasure of personal data in the course of transfer thereof or in the course of transportation of the data carrier is prevented ("transport control");
9) The installed system is restored in a case of any interruption of operation thereof ("system restoration");
10) Proper operation of the system and regular reporting of system operation errors are ensured ("reliability"), as well as that the personal data stored cannot be jeopardized due to any deficiencies in system operation ("integrity").
Notifying the Commissioner about a Personal Data Breach
Article 52
The handler shall be obliged to notify the Commissioner of the breach of personal data that can result in a risk to the rights and freedoms of natural persons without undue delay, or, where possible, within 72 hours after having become aware of the breach.
Where the handler does not act within 72 hours after having become aware of the breach, he must provide an explanation of the reasons for not having acted within such time limit.
The processor shall be obliged to, after becoming aware of a personal data breach, notify the handler of such breach without undue delay.
The notification referred to in paragraph 1 of this Article must at least include the following pieces of information:
1) The description of the nature of the personal data breach, including the types of data and the approximate number of persons to who the data of that kind relates to, as well as the approximate number of personal data the security of which has been breached;
2) The name and contact details of the person in charge of personal data protection or information on any other possible method of obtaining information on the breach;
3) A description of the possible consequences of the breach;
4) A description of the measures taken by the handler or whose undertaking has been proposed relating to the breach, including measures taken to mitigate the adverse effects.
Where complete information referred to in paragraph 4 of this Article cannot be provided at the same time, the handler shall provide available information in phases without undue delay.
The handler shall be obliged to document each personal data breach, including the facts relating to the personal data breach, its effects and the remedial action taken.
The documentation referred to in paragraph 6 of this Article shall enable the Commissioner to determine whether or not the handler has acted in compliance with the provisions of this Article.
In case of a breach of personal data processed by the competent authorities for special purposes, which is transferred to the handler in another state or an international organization, the handler shall be obliged to without undue delay provide information referred to in paragraph 4 of this Article to the handler in such other state or international organization, in compliance with the international agreement.
The Commissioner shall prescribe the form for the notification referred to in paragraph 1 of this Article and shall regulate the notification method in more detail.
Notifying the Person about the Personal Data Breach
Article 53
Where the personal data breach may result in a high risk to the rights and freedoms of natural persons, the handler shall notify the person to whom the data relates to about the breach without undue delay.
In the communication referred to in paragraph 1 of this Article, the handler shall be obliged to describe in clear and understandable manner the nature of the data breach and to state at least the information referred to in Article 52, paragraph 4, items 2) through 4) of this Law.
The handler shall not be obliged to notify the person referred to in paragraph 1 of this Article where:
1) He has applied appropriate technical, organizational and staff-related protection measures in relation to the personal data whose safety has been breached, in particular where the data has been rendered unintelligible with the aid of encryption or other measures to any person who is not authorized to access it;
2) He has taken subsequent measures which ensure that the personal data breach involving high risk to the rights and freedoms of person to who the data relates to may no longer produce consequences for such person;
3) Notification of the person to who the data relates to would involve disproportionate use of time and resources. In such a case, the handler shall be obliged to ensure provision of a notification to the person to who the data relates to through a public announcement or through another effective manner.
If the handler has not notified the person to who the data relates to about the personal data breach, the Commissioner may, having considered the possibility that the personal data breach results in a high risk, order the handler to do so or may determine that the conditions referred to in paragraph 3 of this Article are met.
Where it is a case of a breach of personal data processed by the competent authorities for special purposes, the handler may postpone or restrict the notifying of the person to who the data relates to, in compliance with the conditions and on the grounds of the reasons referred to in Article 25, paragraph 3 of this Law.
3. Assessment of Processing Impact to Personal Data Protection and Prior Opinion of the Commissioner
Personal Data Protection Impact Assessment
Article 54
Where a type of processing in particular using new technologies, and taking into account the nature, scope, circumstances and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the handler shall, prior to commencing the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A single assessment may be carried out where a number of similar processing operations may present similar high risks for the protection of personal data.
When carrying out the impact assessment, the handler shall be obliged to seek the opinion from the person in charge of data protection, where such person is appointed.
The data protection impact assessment referred to in paragraph 1 of this Article shall mandatorily be performed in the case of:
1) Systematic and comprehensive evaluation of the state and characteristics of the natural person which is carried out by automated processing of personal data, including profiling, and based on which decisions are made which are of significance for the legal position of the individual or similarly significantly affecting them;
2) Processing of special types of personal data referred to in Article 17, paragraph 1 and Article 18, paragraph 1 or of personal data relating to criminal convictions and punishable offences referred to in Article 19 of this Law, on a large scale;
3) Systematic monitoring of a publicly accessible area on a large scale.
The Commissioner shall be obliged to draw up and to make public on his website a list of the kinds of processing operations which are subject to mandatory impact assessment referred to in paragraph 1 of this Article and he may additionally draw up and make public a list of the kinds of processing activities for which no assessment is required.
The impact assessment must contain at least:
1) A comprehensive description of the envisaged processing operations and the purposes of the processing, including the description of the legitimate interest of the handler, if it exists;
2) An assessment of the necessity and proportionality of carrying out the processing operations in relation to the purposes of the processing;
3) An assessment of the risks to the rights and freedoms of person to who the data relates to referred to in paragraph 1 of this Article;
4) A description of the measures intended to be taken in relation to the existence of the risks, including safeguard mechanisms, as well as the technical, organizational and staff-related measures to ensure the protection of personal data and to provide evidence of the compliance with the provisions of this Law, taking into account the rights and legitimate interests of persons to who the data relates to and other persons.
Paragraph 6 of this Article shall not apply to the impact assessment of the processing carried out by the competent authorities for special purposes.
The impact assessment of the processing carried out by the competent authorities for special purposes shall at least include a comprehensive description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of the person to who the data relates to, a description of measures intended to be taken in relation to the existence of risk, including the safeguard mechanisms, as well as the technical, organizational and staff-related measures to ensure personal data protection and to provide evidence of compliance with the provisions of this Law, taking into account the rights and legitimate interests of the person to who the data relates to and other persons.
Compliance with the approved code of conduct referred to in Article 59 of this Law by the handlers or processors must be taken into account when assessing the impact of the processing operations on the protection of personal data.
Paragraph 9 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
On a need to basis, the handler shall seek the opinion of the person to who the data relates to or their representatives on the intended processing operations, without prejudice to the protection of commercial or public interests or the security of processing operations.
Where a separate law prescribes individual processing operations i.e. groups of processing operations, and the processing is performed in compliance with Article 12, paragraph 1, item 3) or item 5) of this Law, and the personal data protection impact assessment has already been carried out as part of a general impact assessment on the occasion of the adoption of the law, paragraphs 1 through 9 of this Article shall not apply, unless where it is determined that it is necessary to carry out a new assessment.
Where necessary, and at least in the case of a change in the risk levels concerning the processing operations, the handler shall be obliged to reconsider whether processing operations are performed in accordance with the executed personal data protection impact assessment.
Prior Opinion of the Commissioner
Article 55
Where the data protection impact assessment, which has been carried out in compliance with Article 54 of this Law, indicates that the intended processing operations will result in a high risk in the absence of measures taken to mitigate the risk, the handler shall be obliged to seek an opinion from the Commissioner prior to commencing the processing operations.
Paragraph 1 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Where the processing is performed by the competent authority for special purposes, the handler i.e. the processor shall be obliged to seek an opinion from the Commissioner prior to commencing the processing operations which will result in the creation of a new data collection in case that:
1) The data protection impact assessment, which has been carried out in compliance with Article 54 of this Law, indicates that the intended processing activities will result in a high risk in the absence of measures taken to mitigate the risk;
2) The type of processing and in particular where new technologies are applied, protection mechanisms or procedures present a high risk to the rights and freedoms of the person to who the data relates to.
Where the Commissioner is of the opinion that infringements of the provisions of this Law could be caused by the intended processing operations referred to in paragraphs 1 and 3 of this Article, and in particular if the handler has not assessed or mitigated the risk in an adequate manner, the Commissioner shall be obliged to, within 60 days from the day of receipt of the request, provide a written opinion to the handler or the processor, if he has submitted the request, as well as to, where necessary, exercise the powers referred to in Article 79 of this Law.
The time limit referred to in paragraph 4 of this Article can be extended by 45 days taking into account the complexity of the intended processing operations, and the Commissioner shall be obliged to inform the handler or the processor, if he has submitted the request, of the postponement and of the reasons for postponement of providing the opinion, within 30 days from the day of receipt of the request for the opinion.
The time limits referred to in paragraphs 4 and 5 of this Article do not run until the Commissioner has obtained complete information requested which is necessary for providing an opinion.
Enclosed with the request for opinion, the handler shall be obliged to provide to the Commissioner information on:
1) The duties of the handler and, if they exist, of the joint handlers and processors involved in the processing, in particular for processing performed within a group of economic operators;
2) The purposes and means of the intended processing;
3) The technical, organizational and staff-related measures, as well as on the mechanisms to safeguard the rights and freedoms of the person to who the data relates to in compliance with this Law;
4) The contact details of the person in charge of data protection, if appointed;
5) The data protection impact assessment provided for in Article 54 of this Law;
6) Any other information requested by the Commissioner.
Paragraph 7 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Where the processing is carried out by the competent authority for special purposes, the handler referred to in paragraph 3 of this Article shall be obliged to provide to the Commissioner information on impact assessment on the protection of personal data referred to in Article 54 of this Law, and at the request of the Commissioner other pieces of information of significance for his opinion about the processing operations as well, in particular on the risk to the protection of personal data of the person to who the data relates to and on the mechanisms to safeguard such person’s rights.
The Commissioner may draw up and make public on his website the list of processing operation types concerning which his opinion must be requested.
The public authorities proposing adoption of the laws and legal regulations based on the laws, which include provisions on processing of personal data, shall be obliged to request the opinion of the Commissioner in the course of their drafting.
4. Person for Protection of Personal Data
Article 56
The handler and the processor may designate a data protection officer.
The handler and the processor shall be obliged to designate a person in charge of personal data protection if:
1) The processing is carried out by a government agency, except for the processing performed by the court for the purpose of exercising their judicial powers;
2) The core activities of the handler or the processor consist of processing operations which, by virtue of their nature, scope i.e. purposes, require a regular and systematic monitoring of a large number of persons to who the data relates to;
3) The core activities of the handler or the processor consist of processing on a large scale of special types of personal data from Article 17, paragraph 1 or personal data relating to criminal convictions and punishable offences referred to in Article 19 of this Law.
Provisions of paragraphs 1 and 2 of this Article shall not apply to the processing by the competent authorities for special purposes.
Where the processing is performed by the competent authorities for special purposes, the handler shall be obliged to designate a person in charge of personal data protection, except in the case of processing performed by the courts for the purpose of exercising their judicial powers.
A group of economic operators may jointly designate a person in charge of personal data protection, on condition that such person shall be equally available to each member of the group.
Where the handlers or the processors are government agencies or competent authorities, a person may be jointly designated to protect the personal data, taking account of the organizational structure and size of such public authorities.
A separate law may prescribe that the handlers i.e. the processors or their associations representing them must designate a person for protection of personal data.
The person in charge of personal data protection shall be designated on the basis of their professional qualities and, in particular, their expert knowledge and experience in the field of protection of personal data, as well as the ability to fulfil the obligations referred to in Article 58 of this Law.
The person in charge of personal data protection may be employed with the handler or processor, or may fulfil the tasks on the basis of a contract.
The handler or the processor shall publish the contact details of the person in charge of personal data protection and provide them to the Commissioner.
The Commissioner shall maintain the list of persons in charge of personal data protection officers which includes: the names and surnames of the persons for personal data protection, their contact details, as well as the names and contact details of the handler i.e. the processor.
The Commissioner shall prescribe the form of the list referred to in paragraph 11 of this Article and shall regulate the method of maintaining it.
Status of the Person for Personal Data Protection
Article 57
The handler and the processor shall timely and in a proper manner include the person in charge of personal data protection in all tasks which relate to the protection of personal data.
The handler and processor shall enable the person in charge of personal data protection to carry out the tasks referred to in Article 58 of this Law by providing resources necessary to carry out those obligations, access to personal data and processing operations, as well as specialized training.
The handler and processor shall ensure that the person in charge of personal data protection is independent in carrying out his duties.
The handler or the processor may not penalize the person in charge of protection of personal data or terminate the employment, i.e. contract with because of performing the obligations referred to in Article 58 of this Law.
For the performance of obligations referred to in Article 58 of this Law the person in charge of personal data protection shall report directly to the handler’s or processor’s manager.
Persons to whom the data relates to may address the person in charge of personal data protection in connection to all issues related to processing of their personal data, as well as to the exercise of their rights prescribed by this Law.
The person for personal data protection shall keep the secrecy, i.e. confidentiality of data gathered through performance of his or her obligations referred to in Article 58 of this Law, in accordance with the law.
The person in charge of personal data protection may carry out other tasks and perform other duties, while the handler or processor shall ensure that the performance of other tasks and duties does not lead the person in charge of personal data protection into a conflict of interest.
Where the handlers are competent authorities which are carrying out the processing for special purposes, provisions of paragraphs 1 through 5 and 8 of this Article shall not apply to the processor.
Obligations of the Person in charge of Personal Data Protection
Article 58
The person in charge of personal data protection shall at least have the following obligations:
1) Inform and provide an opinion to the handler or the processor, as well as the employees who carry out processing operations, about their legal obligations with regard to the protection of personal data;
2) Monitor the implementation of the provisions of this Law, other laws and internal regulations of the handler or processor in relation to the protection of personal data, including the issues of assignment of responsibilities, awareness raising and training of employees participating in the processing operations, as well as controls;
3) Provide opinion, when requested, on the assessment of processing’s impact on data protection and monitor the actions conducted based on such assessment in compliance with Article 54 of this Law;
4) Cooperate with the Commissioner, act as a contact point for cooperation with the Commissioner and consult with him in relation to the issues relating to processing, including notification and acquiring opinions referred to in Article 55 of this Law.
The person in charge of personal data protection shall in particular have due regard, when performing their tasks, to the risk associated with processing operations, taking into account the nature, scope, circumstances and purposes of processing.
Where the handlers are the competent authorities performing processing for special purposes, the provisions of paragraph 1, items 1) and 2) of this Article shall not apply to the processor.
5. Code of Conduct and Issuing of Certificates
Article 59
Associations and other entities representing groups of handlers or processors may draw up a code of conduct for the purpose of more efficient implementation of this Law, in particular in respect of:
1) Fair and transparent processing;
2) Legitimate interests of the handler, taking into account the circumstances of specific cases;
3) Collection of personal data;
4) Pseudonymization of personal data;
5) Information provided to the public and to persons to who the data relates to;
6) Exercising the rights by the persons to who the data relates to;
7) Information provided to underage persons, their protection, as well as the manner in which the consent of the parent exercising parental right is obtained;
8) Measures and procedures referred to in Articles 41 and 42 of this Law, as well as the measures aimed at ensuring the security of processing referred to in Article 50 of this Law;
9) Notifying the Commissioner of a personal data breach, as well as informing the persons to whom the data relates to of such breaches;
10) Transfer of personal data to other countries or international organizations;
11) Manner of dispute resolution through amicable means between handlers and persons to who the data relates to, which has no effect on the exercise of rights by the persons to who the data relates to referred to in Articles 82 and 84 of this Law.
The handlers i.e. the processors to which this Law does not apply, with the aim of providing for appropriate measures to protect the persons to who the data relates to in the transfer of their personal data to other countries or international organizations based on Article 65, paragraph 2, item 3) of this Law, may accept or undertake to apply the code of conduct approved in compliance with paragraph 5 of this Article, by means of contractual or other legally binding acts whereby they undertake to apply such protection measures, in particular regarding the rights of the persons to who the data relates to.
A code of conduct referred to in paragraph 1 of this Article shall mandatorily contain provisions which enable the person referred to in Article 60, paragraph 1 of this Law to carry out the monitoring of implementation of the code by the handlers or processors which undertook to apply the code, which shall be without prejudice to the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law.
The associations and other entities referred to in paragraph 1 of this Article intending to draw up a code of conduct or to amend the existing code, shall be obliged to deliver the draft code or any amendments thereto to the Commissioner for opinion.
The Commissioner shall provide an opinion on the compliance of the draft code of conduct or the amendments thereto with the provisions of this Law, and where he determines that the draft code contains sufficient guarantees for the protection of personal data, the code of conduct or the amendments thereto shall be registered and made public on his website.
Provisions of paragraphs 1 through 5 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Code of Conduct Implementation Control
Article 60
Control of implementation of the code of conduct, in compliance with Article 59, paragraph 3 of this Law, can be performed by a legal person accredited to perform control in compliance with the law regulating accreditation.
Conducting the control referred to in paragraph 1 of this Article shall be without prejudice to the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law.
The legal person referred to in paragraph 1 of this Article may be accredited only where it has:
1) Proven to the Commissioner its independence and expertise in relation to the contents of the code;
2) Established the procedure of assessment whether the handlers and processors are qualified to apply the code of conduct, of monitoring the handlers’ or processors’ implementation of the code, as well as of periodical review its effectiveness;
3) Established the procedure and the body to decide on complaints about infringements of the code of conduct or the manner in which it is being implemented by the handler or processor, as well as to ensure transparency of that procedure and the body towards the public and the person to who the data relates to;
4) Proved to the Commissioner that in exercising of its powers no conflict of interests may arise.
In a case of breach of the code by a handler or processor, the legal person referred to in paragraph 1 of this Article shall take appropriate measures in the prescribed procedure, including a temporary or permanent exclusion of the handler i.e. processor from implementation of the code.
The legal person referred to in paragraph 1 of this Article shall be obliged to notify the Commissioner of the measures taken from paragraph 4 of this Article, as well as of the reasons for their imposition.
Taking of measures referred to in paragraph 4 of this Article shall be without prejudice to the powers of the Commissioner and application of the provisions of Chapter VII of this Law.
Accreditation of the legal person referred to in paragraph 1 of this Article shall be revoked if it is established that it no longer fulfils the conditions for accreditation or where the measures taken by it infringe the provisions of this Law.
Provisions of paragraphs 1 through 7 of this Article shall not apply to the public authorities and the processing carried out by the competent authorities for special purposes.
Article 61
With a view to demonstrating compliance with the provisions of this Law by the handlers and processors, and taking into account in particular the needs of the small and medium companies, the procedures for issuing of personal data protection certificates may be established, with appropriate seals and data protection marks.
A certificate with appropriate seals and marks can be issued, in compliance with paragraph 5 of this Article to a handler i.e. a processor who are not subject to this Law, with the aim of proving that the protection measures are taken by the handler and processor, within the framework of the transfer of their personal data to other states or international organizations on the basis of Article 65, paragraph 2, item 5) of this Law, providing that they accept, via a contract or other legally binding instrument, the application of these protection measures, including the protection of the rights of persons to who the data relates to.
The procedure of issuing certificates shall be voluntary and transparent.
The existence of a certificate issued may not impact the legal obligations of the handler and processor, or the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law.
A certificate shall be issued by the certification body referred to in Article 62 of this Law or by the Commissioner, based on the criteria prescribed by the Commissioner, in compliance with the powers referred to in Article 79, paragraph 3 of this Law.
The handler and the processor which demand the issuing of the certificate shall be obliged to provide the certification body referred to in Article 62 of this Law i.e. the Commissioner, where the application is addressed to him, with access to processing activities and all processing information necessary to conduct the certification procedure.
The certificate shall be issued to the handler and the processor for a period that cannot be longer than three years, and it may be renewed where they continue to fulfil the same conditions and criteria prescribed for certificate issuing.
The certificate referred to in paragraph 7 of this Article shall be revoked in the case when the certification body i.e. the Commissioner, if the demand is addressed to him, determines that the handler i.e. the processor no longer fulfills the criteria prescribed for certificate issuing.
The Commissioner shall maintain and make public on his website the list of certification bodies and certificates issued, with relevant seals and marks.
Provisions of paragraphs 1 through 9 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
Article 62
The certification body, which has an appropriate level of expertise in relation to data protection and which has been accredited in compliance with the law regulating accreditation, shall issue, renew and revoke a certificate, inclusive of the seal and mark, after informing the Commissioner of the decision intended to be taken, which shall be without prejudice to the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law.
The certification body referred to in paragraph 1 of this Article can be accredited only where it has:
1) Proven to the Commissioner its independence and expertise in relation to the subject-matter of the certification;
2) Undertaken to respect the prescribed criteria referred to in Article 61, paragraph 5 of this Law;
3) Prescribed the procedure for issuing, periodical reviews and revoking of a certificate, seal and mark;
4) Prescribed procedure and designated bodies to act upon the complaints against the handler and processor because of processing activities conducted in the manner contrary to the certificate issued and made them available to the public and to the person to who the data relates to;
5) Proven to the Commissioner that during performance of its duties no conflict of interest may arise.
The Commissioner shall prescribe the criteria for accreditation of a certification body, based on the conditions referred to in paragraph 2 of this Article.
Accreditation shall be issued to the certification body for a period of up to five years and may be renewable if the certification body still fulfils the prescribed conditions and criteria for accreditation.
Accreditation of a certification body shall be revoked where it is determined that it no longer fulfils the accreditation conditions and criteria or where it is determined that the certification body breaches the provisions of this Law.
The certification body shall be responsible for adequate assessment of compliance with the criteria for issuing, renewal and revoking of certificates and shall be obliged to inform the Commissioner about the reasons for issuing, renewal or revoking of certificates.
The Commissioner shall publish the accreditation criteria referred to in paragraph 3 of this Article.
A certificate issued by a certification body of other state or international organization shall be valid in the Republic of Serbia, provided that it has been issued in compliance with the confirmed international agreement to which the Republic of Serbia is a signatory.
Where a certification body which has performed certification is accredited by a national body of another state which has signed an agreement with the Accreditation Body of Serbia whereby equivalence of the accreditation systems is mutually recognized to the extent specified by the agreement signed, certificates of such certification body may be accepted in the Republic of Serbia without repeating the certification procedure.
Provisions of paragraphs 1 through 9 of this Article shall not apply to the processing carried out by the competent authorities for special purposes.
V TRANSFER OF PERSONAL DATA TO OTHER STATES AND INTERNATIONAL ORGANISATIONS
General Principles of Transfer
Article 63
Any transfer of personal data whose processing is ongoing or are intended for further processing after their transfer to another state or international organization may take place only if, subject to the other provisions of this Law, the conditions laid down in this Chapter of the Law are complied with by the handler and processor, including the onward transfer of personal data from another state or international organization to a third state or international organization, in order to ensure an appropriate level of protection of natural persons which is equal to the level guaranteed by this Law.
Where the processing is carried out by the competent authorities for special purposes, the transfer of data whose processing in underway or which is intended for further processing after its transfer to other state or international organization can be performed only where the following conditions are jointly fulfilled:
1) The transfer is necessary for special purposes;
2) The personal data is transferred to the handler in another state or international organization which is a competent authority for carrying out of tasks for special purposes;
3) The Government has determined a list of states, parts of their territories or one or multiple sectors of specified activities in those states and a list of international organizations which are providing an appropriate level of personal data protection in compliance with Article 64 of this Law, and the transfer of data is carried out to one of those states, to a part of its territory or to one or multiple sectors of a specified activity in that state or to an international organization, or, where this is not a case, the application of appropriate safeguard measures has been ensured in compliance with Article 66 of this Law, or, where the application thereof has not been ensured, provisions on the transfer of data in special situations from Article 70 of this Law are applied;
4) In a case of onward transfer of personal data from another country or international organization to a third country or international organization, the competent authority which has performed the first transfer or another competent authority in the Republic of Serbia has approved onward transfer, after having taken into account all the circumstances of significance for further transfer, including the gravity of the criminal offence, the purpose of the first transfer and the level of personal data protection in the third country or international organization to which data is to be transferred onward.
Transfer on the basis of Appropriate Protection Level
Article 64
Transfer of personal data to another state, into a part of its territory or in one or multiple sectors of specified activities in that country or to an international organization, without prior approval, can be performed if it has been determined that such other state, part of its territory or one or multiple sectors of specified activities in that state or such international organization has provided an appropriate level of protection for personal data.
It shall be considered that an appropriate level of protection referred to in paragraph 1 of this Article has been provided in the states and international organizations which are members to the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, i.e. in the countries, in the parts of their territories or in one or multiple sectors of specific activities in those states or international organizations which have been determined by the European Union to provide appropriate level of protection.
The Government may determine that a country, a part of its territory, an activity sector i.e. a field of legal regulation or an international organization does not provide an appropriate level of protection referred to in paragraph 1 of this Article, except in the case of the members of the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, taking into account:
1) The principle of the rule of law and respect for the human rights and fundamental freedoms, applicable legislation, including regulations in the field of public security, defense, national security, criminal law and the access of public authorities to personal data, as well as the application of such legislation, data protection rules and professional rules in this field i.e. taking of measures for the protection of personal data, including rules on onward transfer of personal data to third states or international organization, which are applied in the practice of courts and other public authorities in another country or international organization, as well as effectiveness of executing of rights of a person to who the data relates to and in particular effectiveness of administrative and judicial proceedings for the protection of rights of persons whose personal data is being transferred;
2) The existence and effective functioning of the supervisory body for the protection of personal data in another state or the supervisory body in charge of supervision over international organization in this field, with authorization to ensure implementation of the personal data protection rules and to initiate proceedings for the protection of personal data in cases of noncompliance, to provide assistance and to advise the persons to who the data relates to in exercising their rights, as well as to cooperate with the supervisory authorities of other countries;
3) The international commitments the other state or international organization has undertaken, or other obligations arising from legally binding international treaties or other legal instruments, as well as from membership in multilateral or regional organizations, in particular in relation to the protection of personal data.
It shall be considered as well that an appropriate level of protection has been provided where an international agreement has been concluded with another state or international organization on the transfer of personal data.
In the procedure for conclusion of an international agreement on the transfer of personal data compliance with the conditions referred to in paragraph 3 of this Article shall in particular be determined.
The Government shall monitor the situation in the field of personal data protection in other states, in parts of their territories, or in one or multiple sectors of specified activities in such states or in international organizations, on the basis of available gathered information and on the basis of information collected by the international organizations, which is of significance for assessing the existence of appropriate level of protection.
The list of countries, parts of their territories or one or multiple sectors of specified activities in such states and of international organizations which are considered to have provided appropriate level of protection i.e. for which the Government has determined that an adequate level of protection is not ensured shall be published in the "Official Herald of the Republic of Serbia".
Transfer with Implementation of Appropriate Protection Measures
Article 65
A handler or processor may transfer personal data to another state, part of its territory or to one or multiple sectors of specified activities in such country or to an international organization for which the existence of an appropriate level of protection has not been determined in list referred to in Article 64, paragraph 7 of this Law only if the handler i.e. the processor has provided adequate measures to protect such data and if the person to who the data relates to has been provided with enforceability of his rights and effective legal protection.
The appropriate measures of protection referred to in paragraph 1 of this Article may be ensured without specific approval of the Commissioner, by:
1) A legally binding act drawn up between public authorities;
2) Standard contractual clauses drawn up by the Commissioner in compliance with Article 45 of this Law, whereby the legal relation between the handler and the processor is regulated in its entirety;
3) Binding business rules, in accordance with Article 67 of this Law;
4) An approved code of conduct in accordance with Article 59 of this Law, together with binding and enforceable implementation of adequate safeguard measures, including the protection of rights of the person to who the data relates to, by the handler or processor in another state or international organization;
5) Issued certificates referred to in Article 61 of this Law, together with commitments undertaken to apply adequate safeguard measures, including the protection of the rights of the person to who the data relates to, by the handler or processor in another state or international organization.
Adequate safeguard measures referred to in paragraph 1 of this Article may be additionally provided for based on a special approval of the Commissioner, by:
1) Contractual clauses between the handler or processor and the handler, processor or the recipient in another state or international organization;
2) Provisions to be inserted into an agreement between public authorities, whereby effective and enforceable protection of rights of the person to who the data relates to is provided for.
The Commissioner shall grant the approval referred to in paragraph 3 of this Article within 60 days from the day of submission of the application for approval.
Provisions of paragraphs 1 through 4 of this Article shall not apply to the transfer of data processed by the competent authorities for special purposes.
Transfer of Data Processed by the Competent Authorities for Special Purposes, with Application of Adequate Protection Measures
Article 66
Where the processing is performed by the competent authorities for special purposes, the transfer of personal data to another state, a part of its territory or one or multiple sectors of specified activities in such state or to an international organization for which the existence of an appropriate level of protection has not been determined by means of the list referred to in Article 64, paragraph 7 of this Law shall be permitted in one of the following cases:
1) Where adequate safeguard measures for personal data have been provided for in a legally binding act;
2) Where the handler has assessed all the circumstances relating to the transfer of personal data and has determined that adequate safeguard measures for the personal data exist.
The handler shall be obliged to notify the Commissioner of the transfer which is performed based on paragraph 1, item 2) of this Article.
The handler shall be obliged to document the transfer performed based on paragraph 1, item 2) of this Article, as well as to make the documentation on such transfer available to the Commissioner, at his request.
Documentation on the transfer referred to in paragraph 3 of this Article shall include information on the date and time of transfer, competent authority which receives the data, on the reasons for the transfer and on the data transferred.
Article 67
The Commissioner shall approve the binding business rules, provided that such rules jointly fulfil the following conditions:
1) They are legally binding, apply to and are implemented by every member of a multinational company or a group of business entities, including their employees;
2) Expressly provide for exercising of the rights of the persons to who the data relates to with regard to the processing of their personal data;
3) Fulfil the conditions laid down in paragraph 2 of this Article.
The binding business rules referred to in paragraph 1 of this Article must determine at least:
1) The structure and contact details of the multinational company or the group of business entities, as well as of each of its members;
2) The transfer or sets of transfers of personal data, including the types of personal data, the types of processing activities and their purposes, the type of persons to who the data relates to and the name of the state to which data is transferred;
3) The legally binding nature of the business rules, both internally within a multinational company or a group of business entities, and externally;
4) The application of the general principles of data protection, in particular limitation to processing purpose, data minimization, limited storage periods, data integrity, permanent measures of data protection, legal basis for processing, processing of special types of personal data, safeguard measures and conditions for onward transfer of personal data to other persons or bodies which are not bound by the binding business rules;
5) The rights of the person to who the data relates to in regard to processing and the ways to exercise those rights, including the rights linked to automated individual decision making and profiling referred to in Article 38 of this Law, the right to file a complaint with the Commissioner i.e. an action before the court in accordance with Article 82 and 84 of this Law, as well as the right to damages for a breach of the binding business rules;
6) The acceptance of liability by the handler, i.e. processor with the domicile, residence or seat in the territory of the Republic of Serbia for any breach of these rules committed by another member of the group which does not have the domicile, residence or seat in the territory of the Republic of Serbia, except where the handler or processor proves that such other member of the group is not liable for the event that has given rise to the damage;
7) The manner in which the information on the binding business rules, in particular on the provisions of items 4) through 6) of this paragraph, is provided to the person to who the data relates to, in addition to provision of other information referred to in Articles 23 and 24 of this Law;
8) The authorizations of the person in charge of personal data protection, appointed in compliance with Article 58 of this Law, or any other person authorized to supervise the implementation of the binding business rules within a multinational company or a group of business entities, including supervision over training and deciding about complaints within a multinational company or group;
9) The procedure undertaken after the complaint;
10) The mechanism within a multinational company or a group of business entities for the verification of compliance with the binding business rules. This mechanism shall include audit of personal data protection and corrective measures to protect the rights of the persons to who the data relates to. Results of such verification must be communicated to the person referred to in item 8) of this paragraph, as well as to the governing body of the multinational company or group of business entities, and must be made available to the Commissioner as well, at his request;
11) The method of reporting and maintaining recordings on changes to the binding business rules and method of notifying those changes to the Commissioner;
12) The method of cooperation with the Commissioner to ensure implementation of the binding business rules by any member of the multinational company or a group of business entities individually, in particular the way of making available to the Commissioner the results of verifications referred to in item 10) of this paragraph;
13) The method of reporting to the Commissioner on the legal obligations applied in another state to a member of the multinational company or group of business entities, which could have a substantial adverse effect on the guarantees prescribed by the binding business rules;
14) The appropriate personal data protection training to persons having permanent or regular access to personal data.
The Commissioner may regulate in more detail the method of exchange of information between the handlers, processors and the Commissioner in application of paragraph 2 of this Article.
Where the conditions referred to in paragraph 1 of this Article have been fulfilled, the Commissioner shall approve the binding business rules within 60 days from the day of submission of the application for their approval.
Provisions of paragraphs 1 through 4 of this Article shall not apply to the transfer of data which is processed by the competent authorities for special purposes.
Transfer or Disclosure of Personal Data Based on a Decision of another State’s Authority
Article 68
Decisions of a court or administrative authority of another state requiring a handler or processor to transfer or disclose personal data may only be recognized or enforced in the Republic of Serbia if they are based on an international agreement, such as an agreement on international legal assistance concluded between the Republic of Serbia and such other state, which shall be without prejudice to application of other grounds for transfer pursuant to the provisions of this Chapter of the Law.
Paragraph 1 of this Article shall not apply to the transfer of data processed by the competent authorities for special purposes.
Transfer of Data in Special Situations
Article 69
Where the transfer of personal data is not performed in compliance with the provisions of Articles 64, 65 and 67 of this Law, such data can be transferred to another country or international organization only in one of the following cases:
1) The person to who the data relates to has explicitly consented to the proposed transfer, after having been informed of the possible risks linked to such transfer due to the absence of a decision on adequate protection level and appropriate safeguard measures;
2) The transfer is necessary for the performance of a contract between the person to who the data relates to and the handler, or for the implementation of pre-contractual measures taken at the request of the person to whom the data relates to;
3) The transfer is necessary for the conclusion or performance of a contract concluded between the handler and another natural or legal person in the interest of the person to who the data relates to;
4) The transfer is necessary for the realization of an important public interest prescribed by the law of the Republic of Serbia, providing that the transfer of individual types of personal data is not restricted by this Law;
5) The transfer is necessary for the submission, realization or defense of a legal claim;
6) The transfer is necessary in order to protect the vitally important interests of the person to who the data relates to or of another natural person, where the person to who the data relates to is physically or legally incapable of giving consent;
7) Certain personal data comprised in a public register are the subject of transfer, and such data is available to the public or to any person who can demonstrate a legitimate interest, but only to the extent in which the conditions laid down by the law have been fulfilled regarding the availability in such special case.
Where the transfer may not be performed in compliance with paragraph 1 of this Article and Articles 64, 65 and 67 of this Law, personal data may be transferred to another state or international organization only where the following conditions are jointly fulfilled:
1) The transfer of data is not repeated;
2) The data of a limited number of natural persons is being transferred;
3) The transfer is necessary in order to achieve a legitimate interest of the handler which is overriding the interests i.e. the rights or freedoms of the person to who the data relates to;
4) The handler has ensured application of adequate measures for the protection of personal data on the basis of a prior assessment of all the circumstances relating to the transfer of this data.
The handler i.e. processor shall be obliged to provide proof in the records on the processing activities referred to in Article 47 of this Law on the assessment performed and on application of adequate protection measures referred to in paragraph 2, item 4) of this Article.
The handler shall be obliged to notify the Commissioner of the transfer of data performed in compliance with paragraph 2 of this Article.
The handler shall be obliged to provide to the person to who the data relates to, in addition to information referred to in Articles 23 and 24 of this Law, the information on the transfer of data referred to in paragraph 2 of this Article, including the information on the specific legitimate interest of the handler that is being realized by such transfer.
The transfer of data referred to in paragraph 1, item 7) of this Article may not pertain to all personal data or to complete types of personal data contained in the register.
Where the transfer is carried out involving the data from the register available only to the person having a legitimate interest, in compliance with paragraph 1, item 7) of this Article, the transfer may be made only at the request of that person or if that person is the recipients of data.
Provisions of paragraph 1, items 1) through 3) and paragraph 2 of this Article shall not apply to the activities of public authorities in performance of their competencies.
Provisions of paragraphs 1 through 8 of this Article shall not apply to the transfer of data processed by the competent authorities for special purposes.
Special Situations Regarding the Transfer of Data Processed by the Competent Authorities for Special Purposes
Article 70
Where the transfer of personal data processed by the competent authorities for special purposes is not carried out in compliance with the provisions of Articles 64 and 66 of this Law, such data can be transferred to another state or international organization only where such transfer is necessary in one of the following cases:
1) In order to protect the vitally important interests of the person to whom the data relates to or of another natural person;
2) In order to protect the legitimate interests of the person to who the data relates to, if that is provided for by the law;
3) In order to prevent an imminent and serious threat to the public safety of the Republic of Serbia or another state;
4) In an individual case, where it is a case of processing for special purposes;
5) In an individual case, with the aim of submitting, exercising or defending of a legal claim, where such aim is directly related to the special purposes.
The transfer of personal data cannot be performed where the competent authority which is performing the transfer determines that the interest of the protection of fundamental rights and freedoms of the person to who the data relates to is overriding the public interest referred to in paragraph 1, items 4) and 5) of this Article.
The competent authority shall be obliged to document the transfer performed on the basis of paragraph 1 of this Article, as well as to make such documentation available to the Commissioner, at his request.
The documentation on transfer referred to in paragraph 3 of this Article shall include information on the date and time of the transfer, on the competent authority which is receiving the data, on the reasons for transfer and on the data transmitted.
Transfer of Data Processed by the Competent Authorities for Special Purposes to a Recipient in another Country
Article 71
Notwithstanding the provision of Article 63, paragraph 2, item 2) of this Law and irrespective of the application of the international agreement referred to in paragraph 2 of this Article, the competent authority processing the data for special purposes may directly transfer the personal data to a recipient in another state only where other provisions of this Law are complied with and where the following conditions are aggregately met:
1) Transfer is necessary for exercising of a legal authorization of the competent authority which is carrying out the transfer for special purposes;
2) Competent authority which is carrying out the transfer has established that the interest of the protection of fundamental rights or freedoms of the person to who the data relates to is not overriding the public interest for the protection of which data transfer needs to be carried out;
3) Competent authority which is carrying out the transfer considers that the transfer to the competent authority in another state for special purposes is inefficient or does not correspond to the achievement of such purposes, and in particular where the transfer cannot be carried out in due time;
4) Competent authority in another state has been notified of the transfer without undue delay, except where such notification is inefficient or does not correspond to the achievement of the purpose;
5) Competent authority which is carrying out the transfer has notified the recipient in another state of the purposes of data processing, as well as that the processing can only be carried out for such purposes, by the recipient only and only where such processing is necessary.
The international agreement referred to in paragraph 1 of this Article shall be each agreement which is concluded between the Republic of Serbia and one or several other states, which is regulating cooperation in criminal matters or police cooperation.
The competent authority which is carrying out the transfer shall be obliged to notify the Commissioner of the transfer which has been carried out on the basis of paragraph 1 of this Article.
The competent authority shall be obliged to document the transfer which has been carried out on the basis of paragraph 1 of this Article, as well as to make such documentation available to the Commissioner, at his request.
The documentation on transfer referred to in paragraph 4 of this Article shall include information on the date and time of the transfer, on the recipient of data, on the reasons for transfer and on the personal data transmitted.
International Cooperation with regard to the Protection of Personal Data
Article 72
The Commissioner shall take appropriate measures in relations with the authorities competent for the protection of personal data in other countries and international organizations with a view to:
1) Developing international cooperation mechanisms to facilitate the effective implementation of laws pertaining to the protection of personal data;
2) Providing international mutual assistance in the implementation of laws pertaining to the protection of personal data, including through notification, referral to protection procedures and legal assistance in supervision, as well as to exchange of information, subject to appropriate safeguard measures for the protection of personal data and fundamental rights and freedoms;
3) Engaging stakeholders in discussions and activities aimed at development of international cooperation in the implementation of laws pertaining to the protection of personal data;
4) Promoting and improving the exchange of information on personal data protection legislation and its application, including on the issues of jurisdictional conflicts with other states in this field.
Article 73
With the aim of protecting the fundamental rights and freedoms of natural persons in relation to processing, the Commissioner, as an independent public authority, shall perform the tasks related to monitoring of the application of this Law in compliance with his prescribed powers.
The Commissioner shall have a deputy for the protection of personal data.
Provisions of the law regulating free access to information of public importance shall apply to the seat of the Commissioner, election of the Commissioner and deputy Commissioner, termination of their term, procedure of their removal, their status, expert staff of the Commissioner, as well as to financing and reporting, unless where specified otherwise by this Law.
Article 74
In exercising their powers and in performing tasks in accordance with this Law, the Commissioner is completely independent, free from any external influence, whether direct or indirect, and shall neither seek nor take orders from anybody.
The Commissioner may not pursue any other commercial activity or engage in any other occupation, whether gainful or not, and may not perform any other public function or exercise any other public authorization or be politically active.
With a view to ensuring effective exercise of the legally prescribed powers, the necessary financial means for work, premises for work, as well as the necessary technical, organizational and staff-related conditions for work of the Commissioner shall be provided in compliance with the law regulating budget and the laws regulating public administration and the position of public officers.
The Commissioner shall independently select the employees among the candidates who are fulfilling the requirements prescribed by law for to work in public service and shall manage them completely independently.
The State Audit Institution shall control expenditure of the Commissioner’s budget, in compliance with the law, in such a manner as not to impact the independence of the Commissioner.
Conditions for Election of Commissioner
Article 75
In addition to the conditions for election of Commissioner, which are prescribed by the law regulating free access to information of public importance, the Commissioner must possess the required expertise and experience in the field of protection of personal data.
Duty to Keep Professional Secret
Article 76
The Commissioner, deputy Commissioner and employees of the Commissioner shall be obliged to keep as a professional secret all data which has come to their knowledge in the course of exercise of their function i.e. performance of tasks, including any data relating to the infringement of this Law reported to them by a person not employed with the Commissioner.
The obligation referred to in paragraph 1 of this Article shall remain even after termination of Commissioner’s or Deputy Commissioner’s term of office, i.e. termination of employment in the staff of the Commissioner.
2. Competencies of the Commissioner
Article 77
The Commissioner shall exercise his powers, in compliance with this Law, in the territory of the Republic of Serbia.
In exercising of his powers, the Commissioner shall act in compliance with the law regulating the general administrative procedure, as well as with mutatis mutandis application of the law regulating inspection procedure, unless this Law specifies otherwise.
The Commissioner shall not be competent to monitor the processing operations undertaken by the courts in exercising of their judicial powers.
Article 78
The Commissioner shall:
1) Monitor and ensure application of this Law in compliance with his powers;
2) Take care of the promotion of public awareness of the risks, rules, safeguard measures and rights in relation to processing, in particular where it is a case of processing of data belonging to an underage person;
3) Provide opinion to the National Assembly, Government, other public authorities and organizations, in compliance with a regulation, on the statutory and other measures relating to the protection of rights and freedoms of natural persons with regard to processing;
4) Take care of the promotion of the awareness of handlers and processors of their obligations prescribed by this Law;
5) At the request of the person to who the data relates to, provide information on their rights laid down by this Law;
6) Handle complaints of the persons to who the data relates to, determine whether or not there has been an infringement of this Law and inform the complainant of the progress and the outcomes of the proceeding conducted by them in compliance with Article 82 of this Law;
7) Cooperate with supervisory authorities of other states with regard to the protection of personal data, in particular in exchange of information and in providing of mutual legal assistance;
8) Perform inspection over application of this Law, in compliance with this Law and by mutatis mutandis application of the law regulating inspection procedure, and file motion to initiate misdemeanor proceedings where he determines infringements of this Law, in compliance with the law regulating misdemeanors;
9) Monitor development of information and communication technologies, as well as business and other practices of significance for the protection of personal data;
10) Draw up standard contractual clauses referred to in Article 45, paragraph 11 of this Law;
11) Draw up and make public the lists referred to in Article 54, paragraph 5 of this Law;
12) Provide opinion in writing as referred to in Article 55, paragraph 4 of this Law;
13) Maintain lists of persons in charge of personal data protection referred to in Article 56, paragraph 11 of this Law;
14) Encourage drawing up of the code of conduct pursuant to Article 59, paragraph 1 of this Law and provide opinions and consents to the code of conduct in compliance with Article 59, paragraph 5 of this Law;
15) Carry out the tasks pursuant to Article 60 of this Law;
16) Encourage issuing of certificates for the protection of personal data and of relevant seals and marks in compliance with Article 61, paragraph 1 and prescribe criteria for certification in compliance with Article 61, paragraph 5 of this Law;
17) Carry out periodical reviews of certificates in compliance with Article 61, paragraph 8 of this Law;
18) Prescribe and publish criteria for accreditation of a certification body and carry out the tasks in compliance with Article 62 of this Law;
19) Approve the provisions of a contract or an agreement referred to in Article 65, paragraph 3 of this Law;
20) Approve binding business rules in compliance with Article 67 of this Law;
21) Maintain internal records of infringements of this Law and of measures taken in carrying out inspection in compliance with Article 79, paragraph 2 of this Law;
22) Carry out other tasks specified by this Law.
The Commissioner shall carry out the monitoring tasks referred to in paragraph 1, items 1) and 8) of this Article through the authorized persons from the expert staff of the Commissioner.
The records referred to in paragraph 1, item 21) of this Article shall include: data on handlers or processors which have committed infringements of this Law (their name and surname or the company name, domicile, residence or seat), information on infringements of this Law (descriptions of infringements and Article of the Law that has been breached), information on measures taken and information on actions of the handlers or processors taken in compliance with the measures ordered.
The Commissioner shall prescribe the form of the records referred to in paragraph 3 of this Article and the method of maintaining it.
With the aim of facilitating submission of complaints, the Commissioner shall prescribe the complaint form and enable its submission by electronic means, without excluding other means of communication.
The Commissioner shall carry out his tasks free of charge for the person to who the data relates to and the person in charge of personal data protection.
In cases where a complaint submitted to the Commissioner is manifestly unfounded, excessive in volume or overly repetitive, the Commissioner may charge a fee for the necessary costs or refuse to act on such complaint, stating the reasons to demonstrate that it is a case of an unfounded, excessive or overly repetitive request.
Article 79
The Commissioner shall have the power to:
1) Order the handler and the processor, and, where needed, their representatives, to provide all pieces of information he requires in exercising of his powers;
2) Check and assess the application of provisions of the law and otherwise carry out supervision over protection of personal data by using his inspection powers;
3) Verify compliance with the requirements for certification in accordance with Article 61, paragraph 8 of this Law;
4) Notify the handler i.e. the processor of potential infringements of this Law;
5) Request and obtain from the handler and processor access to all pieces of personal data, as well as to information necessary for exercising of his powers;
6) Request and obtain access to all the premises of the handler and the processor, including access to all the means and equipment.
The Commissioner shall be authorized to take the following corrective measures:
1) Warn the handler and processor through delivery of a written opinion that intended processing operations may infringe provisions of this Law in compliance with Article 55, paragraph 4 of this Law;
2) Issue a warning to the handler, i.e. processor where processing has infringed provisions of this Law;
3) Order the handler and the processor to act upon the request of the person to who the data relates to in relation to the exercise that person’s rights, in compliance with this Law;
4) Order the handler and the processor to bring processing operations into compliance with the provisions of this Law, in a precisely specified manner and within a precisely specified time limit;
5) Order the handler to notify the person to who the data relates to of a breach of personal data;
6) Impose a temporary or definitive limitation to performing the processing operations, including a ban on processing;
7) Order rectification, i.e. erasure of personal data or limit performance of processing operations in compliance with Articles 29 through 32 of this Law, as well as to order the handler to notify thereof another handler, the person to who the data relates to and the recipients to which the personal data has been disclosed or transmitted, in compliance with Article 30, paragraph 3 and Articles 33 and 34 of this Law;
8) Revoke a certificate or order the certification body to revoke a certificate issued pursuant to Articles 61 and 62 of this Law, as well as to order the certification body to refuse to issue certificate if the requirements for issuing thereof are not met;
9) Impose a fine on the basis of a misdemeanor order, where it is determined in the course of an inspection that a misdemeanor has been committed for which a fine of a fixed amount is prescribed by this Law, instead of other measures prescribed by this paragraph or in addition thereto, depending on the circumstances of each individual case;
10) Suspend transfer of personal data to a recipient in another state or international organization.
The Commissioner shall additionally have the powers to:
1) Draw up the standard contractual clauses referred to in Article 45, paragraph 11;
2) Provide opinion to the handlers in the procedure of prior obtaining of opinions from the Commissioner, in compliance with Article 55 of this Law;
3) Provide opinion to the National Assembly, Government, other public authorities and organizations, on his own initiative or at their request, as well as to the public, on all the issues relating to the protection of personal data;
4) Register and publish a code of conduct, which he has previously approved, in compliance with Article 59, paragraph 5 of this Law;
5) Issue certificates and prescribe criteria for certificate issuing, in compliance with Article 61, paragraph 5 of this Law;
6) Prescribe criteria for accreditation, in compliance with Article 62 of this Law;
7) Approve contractual provisions i.e. provisions to be entered in an agreement, in compliance with Article 65, paragraph 3 of this Law;
8) Approve the binding business rules, in compliance with Article 67 of this Law.
Control of acts of the Commissioner which are adopted on the basis of this Article shall be performed by the court, in compliance with the law.
In exercising of his powers, the Commissioner may initiate a proceeding before the court or another authority, in compliance with the law.
Reporting of Infringements of the Law
Article 80
The competent authority which is carrying out processing for special purposes shall be obliged to ensure that effective mechanisms for confidential reporting of cases of infringements of this Law to the Commissioner are applied.
Article 81
The Commissioner shall be obliged to draw up an annual report on his activities, which shall include information on the types of infringements of this Law and on the measures taken with regard to these infringements, as well as to submit them to the National Assembly.
The report referred to in paragraph 1 of this paragraph shall additionally be delivered to the Government and made available for inspection to the public, in an appropriate manner.
VII REMEDIES, LIABILITY AND PENALTIES
Right to File a Complaint with the Commissioner
Article 82
Person to who the data relates to shall have the right to file a complaint with the Commissioner if he/she considers that the processing of his/her personal data has been carried out contrary to the provisions of this Law. Provisions of the law regulating inspection procedure in the part thereof relating to actions upon complaints shall apply mutatis mutandis in the proceedings initiated upon complaints. Filing of a complaint with the Commissioner shall be without prejudice to the right of such person to initiate other administrative or judicial remedial proceedings.
The Commissioner shall be obliged to inform the complainant on the course of the proceedings that he conducts, on the outcomes of the proceedings, as well as of the right of such person to initiate a court proceeding in compliance with Article 83 of this Law.
Right to Judicial Protection against a Decision of the Commissioner
Article 83
Person to who the data relates to, handler, processor i.e. other natural or legal person to whom the Commissioner’s decision passed in compliance with this Law relates to, shall be entitled to initiate an administrative dispute against such decisions within 30 days from the day of receipt of the decision. Filing of an action in an administrative dispute shall be without prejudice to the right to initiate other administrative or judicial remedial procedures.
Where the Commissioner fails to act within 60 days from filing of complaint or fails to act in compliance with Article 82, paragraph 2 of this Law, the person to who the data relates to shall have the right to initiate the administrative dispute.
Court Protection of Person’s Rights
Article 84
Person to who the data relates to shall have the right to judicial redress where they consider that their rights under this Law have been infringed as a result of the processing operation involving their personal data by a handler or a processor in non-compliance with this Law. Filing of an action to a court shall be without prejudice to the right of such person to initiate other administrative or judicial redress procedures.
In an action for the protection of rights referred to in paragraph 1 of this Article, a request can be made to the court to put the defendant under legal obligation of:
1) Provision of information referred to in Articles 22 through 27, Articles 33 through 35 and Article 37 of this Law;
2) Rectification i.e. erasure of data on the plaintiff referred to in Articles 29, 30 and 32 of this Law;
3) Restriction of processing referred to in Articles 31 and 32 of this Law;
4) Provision of data in a structured, commonly used and machine-readable form;
5) Transmission of data to another handler referred to in Article 36 of this Law;
6) Suspend processing of data referred to in Article 37 of this Law.
In an action for the protection of rights referred to in paragraph 1 of this Article, a request can additionally be made to the court to determine that the decision concerning plaintiff has been passed contrary to Articles 38 and 39 of this Law.
The action referred to in paragraphs 2 and 3 of this Article shall be filed with a higher court in the territory of which the handler i.e. the processor or their representative has their domicile, residence i.e. seat or in the territory of which the person to who the data relates to has the domicile or residence, except where the handler i.e. the processor is a public authority.
A revision of a final decision passed upon the actions referred to in paragraphs 2 and 3 of this Article shall always be permitted.
In a judicial remedy procedure, provisions of the law regulating civil procedure shall apply, unless where determined otherwise by this Law.
Representing the Persons to whom the Data Relates to
Article 85
In connection to the protection of personal data, the person to whom the data relates to shall have the right to authorize a representative of an association which is active in the field of protection of rights and freedoms of persons to whom the data relates to, to represent them in compliance with the law, in the proceedings referred to in Articles 82 through 84 and Article 86 of this Law.
Article 86
A person who suffered loss or injury as a result of an infringement of the provisions of this Law shall be entitled to damages paid at the expense of the handler i.e. processor that has caused the damage.
Where the loss or injury has been caused by unlawful processing carried out by the competent authorities for special purposes, i.e. by infringement of the provisions of the law relating to processing of such data, the person that has suffered loss or injury shall be entitled to damages at the expense of the handler or another competent authority against which an action for damages can be filed, in compliance with the law.
The handler shall be held liable for the loss or injury referred to in paragraph 1 of this Article, and the processor shall be held liable only where they have not complied with obligations prescribed by this Law that are specifically directed to them or where they have acted outside or contrary to instructions of the handler, issued in compliance with this Law.
The handler, i.e. processor shall be exempt from liability for loss or injury if they prove that they have not been in any way responsible for the event giving rise to the loss or injury.
If processing is carried out by several handlers, i.e. processors, or jointly by a controller and a processor, and they are responsible for loss or injury, each handler, i.e. processor shall be held liable for the entire amount of damages.
Where a handler, i.e. processor referred to in paragraph 5 of this Article has paid full amount of damages, they shall be entitled to demand the refund from other handlers, i.e. processors corresponding to their part in the responsibility for the damage, in accordance with paragraph 3 of this Article.
Article 87
Fines in respect of infringements of the provisions of this Law shall in each individual case be imposed and applied in an effective, proportionate and dissuasive manner.
The fines referred to in paragraph 1 of this Article, depending on the circumstances of each individual case, can be imposed in addition to the measures or instead of the measures provided for in Article 79, paragraph 2, items 1) through 8) and item 10) of this Law.
When deciding whether to impose a fine and deciding on the amount of the fine in each individual case due regard must be given to:
1) The nature, gravity and duration of the infringement of provisions of the law, taking into account the nature, scope and purpose of the processing concerned, as well as the number of persons to whom the data relates to and the level of damage suffered by them;
2) The existence of an intention or negligence of the offender;
3) Any action taken by the handler or processor directed at eliminating or mitigating the damage suffered by the persons to whom the data relates to;
4) The degree of responsibility of the handler or processor, taking into account the measures implemented by them in compliance with Article 42 and Article 50 of this Law;
5) Previous cases of infringements of the provisions of this Law by the handler or processor which are of relevance for imposition of the fine;
6) The degree of cooperation by the handler and processor with the Commissioner with the aim of eliminating the consequences of the infringement of the law and eliminating or mitigating the adverse consequences of the infringement;
7) The types of personal data related to the infringements;
8) The manner in which the infringement became known to the Commissioner, in particular whether, and if so to what extent, the handler i.e. processor notified the Commissioner of the infringement;
9) Compliance with the corrective measures of the Commissioner previously imposed against the handler, i.e. processor with regard to the same case of infringement, in compliance with Article 79, paragraph 2 of this Law;
10) Adherence to approved codes of conduct in compliance with Article 59 of this Law, i.e. existence of the certificate referred to in Article 61 of this Law;
11) Any other aggravating or mitigating circumstances applicable to the case in question, such as financial losses avoided or benefits gained, directly or indirectly, from the infringement of the provisions of this Law.
VIII SPECIAL CASES OF PROCESSING
Processing and Freedom of Expression and Information
Article 88
Provisions of Chapters II through VI and Articles 89 through 94 of this Law shall not apply to processing carried out for purposes of journalistic research and publication of information in media, as well as for the purposes of scientific, artistic or literary expression, if in the specific case such restriction is necessary to protect the freedom of expression and information.
Processing and Free Access to Information of Public Importance
Article 89
Information of public importance which include personal data can be made available to a person seeking information by the public authorities in such a manner as to ensure that the right of the public to be informed and the right to protection of personal data can be exercised together, to the extent prescribed by the law regulating free access to information of public importance and by this Law.
Processing of the Citizens’ Unique Personal Identification Number
Article 90
Provisions of the law regulating the Citizens’ Unique Personal Identification Number, i.e. other law shall apply to processing of the Citizens’ Unique Personal Identification Number, in addition to application of the provisions of this Law that relate to the protection of the rights and freedoms of person to whom the data refer to.
Processing in the Field of Labor and Employment
Article 91
Provisions of the law regulating labor and employment and collective agreements shall apply to processing in the field of labor and employment, in addition to application of the provisions of this Law.
If the law that regulates labor and employment or collective agreement includes the provisions on protection of personal data, specific measures must additionally be prescribed to safeguard the personal dignity, legitimate interests and fundamental rights of the person to whom the data relates to, especially regarding the transparency of processing, the exchange of personal data within a multinational company, i.e. a group of economic entities, as well as the monitoring system in the work environment.
Safeguard Measures and Restrictions to Application of the Law Relating to Processing for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes or Statistical Purposes
Article 92
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate measures to protect the rights and freedoms of the persons to whom the data relates to prescribed by this Law. Those measures shall ensure that technical, organizational and staff-related measures are implemented, in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization if the purpose of processing may be fulfilled by using that measure.
Where the purposes referred to in paragraph 1 of this Article can be achieved without identification or without further identification of the persons to whom the data relates to, such purposes must be achieved in a manner that will prevent further identification of such person.
Provisions on the rights of the persons to whom the data relates to referred to in Articles 26, 29, 31 and 37 of this Law shall not apply where processing is carried out for the purposes of scientific or historical research or statistical purposes, providing that this is necessary for achievement of such purposes or where application of such provisions of the law would render impossible or significantly impair the achievement of such purposes, with implementation of the measures referred to in paragraphs 1 and 2 of this Article.
The provisions regarding the rights of persons to whom the data relates to referred to in Articles 26 and 29 and Articles 31 through 37 of this Law shall not apply where processing is carried out for archiving purposes in the public interest, where that is necessary for achievement of such purpose or where application of such provisions of the law would render impossible or significantly impair the achievement of such purpose, with implementation of the measures referred to in paragraphs 1 and 2 of this Article.
Where the processing referred to in paragraphs 3 and 4 of this Article is performed for other purposes as well, provisions of this Law shall apply without limitations to the processing for other purposes.
Processing by Church and Religious Communities
Article 93
Where churches or religious communities apply comprehensive rules relating to the protection of natural persons with regard to processing, such existing rules may continue to apply, provided that they are brought into line with this Law.
In the case referred to in paragraph 1 of this Article, provisions of this Law on the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law shall also apply, unless a church i.e. a religious community establishes a separate independent supervisory body to execute such authorities, providing that such a body complies with the conditions provided for in Chapter VI of this Law.
Processing for Humanitarian Purposes by the Public Authorities
Article 94
Personal data processed by a public authority can additionally be processed in order to collect funds for humanitarian purposes, with implementation of appropriate measures to safeguard the rights and freedoms of the persons to whom the data relates to, in compliance with this Law.
With the aim of collecting funds for humanitarian purposes, personal data processed by a public authority may not be given to other persons.
Article 95
A fine ranging from RSD 50,000 to RSD 2,000,000 shall be imposed for a misdemeanor against the handler and/or processor who has the capacity of legal person if:
1) They process the personal data contrary to the principles of processing referred to in Article 5, paragraph 1 of this Law;
2) They process the personal data for other purposes, contrary to Articles 6 and 7 of this Law;
3) They fail to clearly separate personal data based on findings of facts from the personal data based on a personal assessment (Article 10);
4) They fail to, by using reasonable measures, ensure that incorrect, incomplete and not updated personal data are not transmitted i.e. made available (Article 11, paragraph 1);
5) They process the personal data without consent from the persons to whom such data relates to, and cannot demonstrate that the person to whom such data relates to has given consent to processing of his/her personal data (Article 15, paragraph 1);
6) They process special types of personal data contrary to Articles 17 and 18 of this Law;
7) They process the personal data with regard to criminal judgements, punishable offences and safety measures contrary to Article 19, paragraph 1 of this Law;
8) They fail to provide the information referred to in Article 23, paragraphs 1 through 3 and Article 24, paragraphs 1 through 4 of this Law to the person to whom the data relates to;
9) They fail to make available to or fail to provide information referred to in Article 25, paragraphs 1 and 2 of this Law to the person to whom the data relates to;
10) They fail to provide information requested, fail to provide access to data, i.e. fail to provide a copy of data processed by them (Article 26, paragraphs 1 and 2 and Article 27);
11) They restrict partially or completely the right to access to data to the person to whom the data relates to, contrary to Article 28, paragraph 1 of this Law;
12) They fail to rectify incorrect data or fail to supplement incomplete data, contrary to Article 29 of this Law;
13) They fail to erase data of the person to who the data relates to without delay in the cases referred to in Article 30, paragraph 2 of this Law;
14) They fail to limit the processing of personal data in the cases referred to in Article 31 of this Law;
15) They fail to erase personal data (Article 32);
16) They fail to notify the recipient with regard to a rectification, erasure and limitation of processing (Article 33, paragraph 1);
17) They fail to inform the person to who the data relates to about the decision to refuse rectification, erasure, i.e. limitation of processing, as well as about the reason for refusal (Article 34, paragraph 1);
18) They fail to terminate the processing of data following a complaint filed by the person to who the data relates to (Article 37, paragraph 1);
19) A decision is made which results in legal effects for the person to who the data relates to exclusively based on the automated processing, contrary to Articles 38 and 39 of this Law;
20) When determining the method of processing, as well as during processing, the appropriate technical, organizational and staff-related measures have not been taken, contrary to Article 42 of this Law;
21) The relation between the joint handlers is not regulated as prescribed by Article 43, paragraphs 2 through 4 of this Law;
22) They entrust the processing of personal data to a processor contrary to Article 45 of this Law;
23) Data is processed without an order or contrary to the order of the handler (Article 46);
24) They fail to notify the Commissioner of the breach of security of the data contrary to Article 52 of this Law;
25) They fail to notify the person to who the data relates to of the breach of security of data contrary to Article 53 of this Law;
26) They fail to perform an impact assessment to the protection of security of data as provided for in Article 54 of this Law;
27) They fail to notify the Commissioner i.e. fail to seek opinion from the Commissioner prior to commencing the processing activity (Article 55, paragraphs 1 and 3);
28) They fail to designate a person for protection of personal data in cases referred to in Article 56, paragraph 2 of this Law;
29) They fail to perform their obligations towards the person in charge of protection of personal data referred to in Article 57, paragraphs 1 through 3 of this Law;
30) The transfer of personal data to other countries and to international organizations is carried out contrary to Articles 63 through 71 of this Law;
31) They fail to ensure implementation of effective mechanism for confidential reporting of cases of infringements of this Law (Article 80);
32) They process the personal data for the purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes contrary to Article 92 of this Law.
The handler i.e. processor who has the capacity of a legal person shall be sanctioned for a misdemeanor with a fine amounting to RSD 100,000 if:
1) They fail to inform the recipient of the special conditions for the processing of personal data prescribed by the law and of their obligation to comply with these conditions (Article 11, paragraph 5);
2) They fail to deliver to the person to whom the data relates to a reasoned decision, i.e. fail to notify the person within the time limit referred to in Article 28, paragraphs 3 and 5 of this Law;
3) They continue processing for the purpose of direct advertising where the person to whom the data relates to has filed a complaint against such processing (Article 37, paragraph 3);
4) They fail to designate their representative in the Republic of Serbia, contrary to Article 44 of this Law;
5) They fail to maintain the prescribed records on processing (Article 47), or fail to record the processing activities (Article 48);
6) They fail to make publicly available the contact details of the person for protection of personal data and fail to deliver them to the Commissioner (Article 56, paragraph 11).
A fine ranging from RSD 5,000 to RSD 150,000 shall be imposed for the misdemeanor against a natural person who fails keep the personal data disclosed to them in the course of performance of their tasks as a professional secret (Article 57, paragraph 7 and Article 76).
A sole trader shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine ranging from RSD 20,000 to RSD 500,000.
A natural person, i.e. responsible person in a legal person, in a state organ, i.e. organ of a territorial autonomy and a local self-government unit, as well as the responsible person with a branch office or a business unit of a foreign legal person shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine ranging from RSD 5,000 to RSD 150,000.
A sole trader shall be sanctioned for the misdemeanor referred to in paragraph 2 of this Article with a fine amounting to RSD 50,000.
A natural person i.e. a responsible person in a legal person, in a state organ, i.e. organ of a territorial autonomy and of a local self-government unit, as well as the responsible person with a branch office or a business unit of a foreign legal person shall be sanctioned for the misdemeanor referred to in paragraph 2 of this Article with a fine amounting to RSD 20,000.
Х TRANSITIONAL AND FINAL PROVISIONS
Article 96
Deputy Commissioner for the protection of personal data elected in compliance with the Law on Protection of Personal Data ("Official Herald of RS", No. 97/08, 104/09 - other law, 68/12 - CC and 107/12) shall continue to perform such duty until the expiry of the term of office for which he/she has been elected.
Article 97
Proceedings initiated upon appeals with regard to the requests for exercising of rights relating to processing, procedures initiated upon applications for issuing permissions to carry out data from the Republic of Serbia and supervision procedures which are have not been completed by the initial date of application of this Law shall be completed in accordance with the provisions of the Law on Protection of Personal Data ("Official Herald of RS", No. 97/08, 104/09 - other law, 68/12 - CC and 107/12).
Central Register of Data Collections
Article 98
Central Register of Data Collections which has been established under provisions of the Law on Personal Data Protection ("Official Herald of RS", No. 97/08, 104/09 - other law, 68/12 - CC and 107/12) shall cease to be kept on the day of entry into force of this Law.
The central register referred to in paragraph 1 of this Article, as well as data contained in that register, shall be handled in compliance with the regulations governing handling of archival materials.
Article 99
Secondary legislation envisaged by this Law shall be passed within nine months from the day of entry into force of this Law.
Application of the secondary legislation adopted on the basis of the Law on Personal Data Protection ("Official Herald of RS", No. 97/08, 104/09 - other law, 68/12 - CC and 107/12) shall continue until the adoption of the secondary legislation referred to in paragraph 1 of this Article, unless where they are contrary to this Law.
Article 100
Provisions of other laws, which pertain to the processing of personal data, shall be harmonized with this Law by the end of 2020.
Article 101
The Law on Personal Data Protection ("Official Herald of RS", No. 97/08, 104/09 - other law, 68/12 - CC and 107/12) shall be repealed on the day of commencement of application of this Law.
Article 102
This Law shall enter into force on the eighth day from the date of publication in the "Official Herald of RS" and it shall become applicable upon the expiry of nine months from the day of entry of the Law in force, except for the provision of Article 98 of this Law, which shall apply as of the day of entry into force of the Law.