All you need to know about Serbian Data Protection Representative

What is a Serbian Data Protection Representative?

Serbian Data Protection Representative is a natural person residing in the Republic of Serbia or a legal entity established in the Republic of Serbia offering the service of data protection representation in Serbia for foreign companies processing Serbian individuals’ personal data.

Does my company need a Serbian Data Protection Representative?

If your company offers goods and services or monitors behavior of individuals in the Republic of Serbia and does not have a business establishment in Serbia, your company needs to appoint a Serbian Data Protection Representative.

Can you give an example of such situation?

A Germany-based web shop selling clothes to Serbian individuals would be an example. Such web shop naturally processes Serbian individuals’ personal data, such as names, email addresses, physical addresses, all necessary for filling out the orders and shipping clothes to Serbia. So, such Germany-based web shop needs to appoint a Data Protection Representative in Serbia.

My company is a USA-based company processing personal data of EU individuals as well as Serbian individuals. My company has already designated an EU Representative. Does my company need to designate a Serbian Data Protection Representative too?

Yes. Your company still needs to designate a Serbian Data Protection Representative because Serbia is not an EU Member State, nor it is a part of the EEA area. However, the same rules the GDPR sets out for an EU Representative govern Serbian Representative designation process since Serbian Personal Data Protection Act is aligned with the GDPR.

Who can be a Serbian Data Protection Representative?

It can be either a natural or legal person. It is necessary for a representative to have

i) residence (for natural persons) or establishment (for legal persons) in Serbia and

ii) to be able to represent your company in Serbia.

Are there any qualifications for Serbian Data Protection Representative?

Since the main function of a Data Protection Representative is to facilitate communication between Serbian data subjects and your company on one side and between Serbian Data Protection Authority and your company on the other side, an experienced privacy professional, preferably holding a personal data protection certificate, would be the natural choice.

How is my company going to designate a Serbian Data Protection Representative?

Serbian Personal Data Protection Act requires such designation to be in writing, so executing a service agreement between your company and a Data Representative would serve.

Does my company have to register the appointment with the Serbian Data Protection Authority?

No, such appointment does not have to be registered with the Serbian Data Protection Authority. However, the identity and contact details of your designated Representative need to be easily accessible to the Serbian Data Protection Authority.

How does my company inform Serbian individuals of Serbian Data Protection Representative designation?

The best way to do that is to publish the identity and contact details of the Representative in your Privacy Notice which must be easily accessible to Serbian individuals.

What are the responsibilities of Serbian Data Protection Representative?

A Representative serves as a point of contact between your company and Serbian individuals’, meaning that all queries and data subjects’ rights requests concerning your company will be addressed to your company via the Representative. Consequently, enabling Serbian individuals to exercise personal data protection rights in their native language.

A Representative also serves as a point of contact for the Serbian Data Protection Authority thus facilitating your company communication and cooperation with the Serbian Data Protection Authority. A Representative also holds a copy of your company Record of Processing Activities.

Is Serbian Data Protection Representative responsible for my business compliance with Serbian Personal Data Protection Act?

No, your company compliance with Serbian Data Protection Act is your sole responsibility. By designating a Representative in Serbia, you are one step closer to achieving full Serbian Data Protection Act compliance, but the designation of a representative does not insulate you against your liability both in terms of compliance and damage liability. Meaning you are still responsible and liable for your personal data processing activities as if you did not appoint a Representative. However, since Data Protection Representative is a privacy professional, he or she can help you in improving your overall compliance.

What about Serbian Data Protection Representative’s liability?

Serbian Data Protection Representative is liable for performing its responsibilities under Serbian Personal Data Protection Act and can be held liable by Serbian Data Protection Authority.

What is the best choice for Serbian Data Protection Representative?

The best choice would be an experienced privacy professional, preferably a certified data protection officer.

Is Serbian Data Protection Representative the same as Data Protection Officer?

No. A Data Protection Officer (DPO) is the person designated to facilitate and assess a company’s compliance with the provisions of the Serbian Data Protection Act. A Serbian Data Protection Representative is the person designated to represent companies that are not based in Serbia regarding their obligations under the Serbian Personal Data Protection Act.

If you need more info on Serbian Data Protection Representative or need help designating one, feel free to contact Sandra Acimovic, Enloya‘s ambassador in Serbia.

Related:

3 Digital Trends in Legal Practice

Legal Checklist For Small Businesses

Legal Services For Startups – Costs and Needs

1 Shares: