I BASIC PROVISIONS 

Scope 

Article 1 

This Law regulates the right to protection of natural persons regarding the processing of personal data and the free movement of such data, the principles of processing, the rights of the data subjects, the obligations of personal data controllers and personal data processors, code of conduct, transfer of personal data to other states and international organizations, supervision over implementation of this Law, legal remedies, liability and sanctions in cases of infringements of the rights of natural persons relating to processing of personal data, as well as special cases of processing.

This Law also regulates the right to protection of natural persons regarding the processing of personal data performed by competent authorities for the purposes of prevention, investigation, and detection of criminal offenses, prosecution of perpetrators of criminal offenses, or the execution of criminal penalties, including prevention of and safeguarding against threats to public and national security, as well as the free flow of such data.

Objective of the Law

Article 2 

This Law ensures the protection of natural persons’ fundamental rights and freedoms, and in particular, their right to personal data protection.

Provisions of separate laws regulating the processing of personal data must be in accordance with this Law.

Application

Article 3 

This Law applies to the processing of personal data performed, in its entirety or in part, by automated means, as well as to the processing other than by automated means of personal data that form part of a filing system or are intended to form part of a filing system.

This Law does not apply to the processing of personal data performed by a natural person for their own and/or their household’s needs.

This Law applies to the processing of personal data performed by a controller and/or processor with the seat and/or domicile or habitual residence in the territory of the Republic of Serbia in the course of activities performed in the territory of the Republic of Serbia, irrespective of whether the processing activity is performed in the territory of the Republic of Serbia or not.

This Law applies to the processing of personal data of data subjects who have their domicile and/or habitual residence in the territory of the Republic of Serbia by a controller and/or processor who does not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia if the processing activities are related to:

1) the offering of goods and/or services, irrespective of whether or not a payment from the data subject is required for such goods and/or services, to such data subjects in the territory of the Republic of Serbia;

2) the monitoring of activities of the data subjects, as far as their activities occur within the Republic of Serbia.

The Meaning of Expressions

Article 4 

Individual expressions used in this Law have the following meaning:

1) “personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name and an identification number, location data, an online identifier in electronic communication networks or to one and/or more characteristics of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2) “data subject” means the natural person whose personal data is being processed;

3) “data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, classification, grouping and/or structuring, storage, adaptation or alteration, disclosure, consultation, use, disclosure by transmission and/or by delivery, propagation, dissemination or otherwise making available, comparison, restriction, erasure or destruction (hereinafter referred to as: processing);

4) “restriction of processing” means the marking of stored personal data with the goal of limiting their processing in the future;

5) “profiling” means any form of automated processing used to evaluate specific personal characteristics, in particular with the aim of analyzing or predicting the natural person’s performance at work, their economic situation, health condition, personal preferences, interests, reliability, behavior, location or movements;

6) “pseudonymization” means the processing in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information, provided that such additional information is kept separately and is subject to technical, organizational and staff-related measures to ensure that the personal data cannot be attributed to an identified or identifiable person;

7) “filing system” means each structured set of personal data which is accessible according to specific criteria, irrespective of whether or not the filing system is centralized, decentralized, or categorized on a functional or geographical basis;

8) “controller” means the natural or legal person and/or public authority which, independently or jointly with others, determines the purposes and means of the processing. The law determining the purposes and means of processing may additionally provide for the controller or prescribe the conditions for their nomination;

9) “processor” means a natural or legal person and/or a public authority that processes personal data on behalf of the controller;

10) “recipient” means a natural or legal person and/or a public authority to which the personal data are disclosed, irrespective of whether it is a third party or not, except for public authorities that receive personal data in the framework of a particular inquiry in compliance with the law and process such data in compliance with the rules on the protection of personal data which pertain to the purpose of the processing;

11) “third party” means a natural or a legal person and/or a public authority other than the data subject, controller, processor, or the person who is authorized to process personal data under the direct supervision of the controller or processor;

12) “consent” of the data subject means each freely given, specific, informed, and unambiguous expression of the will of such person, by which such person, by a statement or by an explicit affirmative action, provides consent to the processing of personal data relating to him or her;

13) “personal data breach” means a breach of security of personal data leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data which is transmitted, stored, or otherwise processed;

14) “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which provides unique information about the physiology or the health of that person and which is obtained, in particular, from an analysis of a sample of biological origin;

15) “biometric data” means personal data obtained from specific technical processing relating to the physical characteristics, physiological characteristics, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that person, such as facial images or dactyloscopy data;

16) “data concerning health” means data related to the physical or mental health of a natural person, including those on the provision of health care services, which reveal information about his or her health status;

17) “representative” means a natural or legal person with the domicile and/or seat in the territory of the Republic of Serbia which is, under Article 44 of this Law, authorized by the controller or processor to represent the controller and/or processor regarding their respective obligations under this Law;

18) “economic operator” means a natural or a legal person who is pursuing an economic activity, irrespective of the legal form thereof, including partnerships or associations regularly engaged in an economic activity;

19) “multinational company” means an economic operator that is the controlling founder or a controlling member of the economic operator and/or the founder of a branch of an economic operator, which is pursuing an economic activity in the state other than that in which its seat is located, as well as the economic operator with a significant share in the economic operator and/or in the founder of the branch of the economic operator, which is pursuing an economic activity in the state other than that in which the seat of the multinational company is located, in compliance with the law regulating companies;

20) “group of economic operators” means a group of affiliated economic operators in compliance with the law regulating the affiliation of economic operators;

21) “binding corporate rules” means the internal rules on the protection of personal data which are adopted and which are applied by the controller and/or by the processor with the domicile or habitual residence and/or seat in the territory of the Republic of Serbia, to regulate the transfers of personal data to a controller or processor in one or more states within a multinational company or a group of economic operators;

22) “Commissioner for information of public importance and personal data protection (hereinafter referred to as: the Commissioner)” means the independent and autonomous public authority established based on the law, which is competent for supervision over the implementation of this Law and carrying out of other tasks laid down by the law;

23) “information society service” means each service that is normally provided for remuneration, at a distance, by electronic means, and at the request of a recipient of services;

24) “international organization” means an organization or its body which is governed by international public law, as well as any other body which is set up by, or based on, an agreement between countries;

25) “public authority” means a state authority, a body of territorial autonomy and a local self-government unit, a public enterprise, institution, and another public service, organization, and other legal or natural person that exercises public powers;

26) “competent authorities” means:

a) the public authorities which are competent to prevent, investigate and detect criminal offenses, as well as to prosecute the perpetrators of criminal offenses or to enforce criminal sanctions, including to safeguard against and prevent threats to public and national security;

b) the legal person authorized by the law to carry out the tasks referred to in subitem a) of this item.