IV CONTROLLER AND PROCESSOR

1. General Obligations 

Obligations of the Controller

Article 41 

The controller is obliged, taking into account the nature, scope, circumstances and purpose of processing, as well as the likelihood of the occurrence of risks and the risk level for the rights and freedoms of natural persons, to implement appropriate technical, organizational and staff-related measures to ensure that processing is performed in compliance with this Law and to be able to demonstrate such compliance. 

The measures referred to in paragraph 1 of this Article are reviewed and updated if necessary. 

Where proportionate to processing activities, the measures referred to in paragraph 1 of this Article include implementing appropriate internal acts on personal data protection by the controller.

The controller may demonstrate their compliance with the obligations referred to in paragraph 1 of this Article based on implementing the approved code of conduct as referred to in Article 59 of this Law or based on the issued certificate referred to in Article 61 of this Law. 

Paragraph 4 of this Article does not apply to the processing carried out by the competent authorities for special purposes. 

Safeguards 

Article 42 

Taking into account the level of technical achievements and the costs of their implementation, the nature, scope, circumstances and purpose of processing, as well as the likelihood of the occurrence of risk and the risk level for the rights and freedoms of the natural persons arising from the processing, the controller is obliged, both on the occasion of determining the processing method and at the time of processing itself, to: 

1) implement appropriate technical, organizational, and staff-related measures, such as pseudonymization, which are aimed at ensuring the implementation of data-protection principles, such as data minimization in an effective manner; 

2) ensure implementation of the necessary safeguards during the processing to meet the requirements for processing prescribed by this Law and to protect the rights and freedoms of data subjects. 

Through the constant implementation of appropriate technical, organizational, and staff-related measures, the controller is obliged to ensure that only personal data necessary for the realization of each specific purpose of the processing is processed. That obligation applies to the amount of personal data collected, the extent of its processing, its storage period, and its accessibility. 

The measures referred to in paragraph 2 of this Article must ensure that personal data cannot be made accessible to an indefinite number of natural persons without the intervention of the natural person. 

The issued certificate as referred to in Article 61 of this Law may be used by the controller to demonstrate their compliance with the obligations referred to in paragraphs 1 through 3 of this Article. 

Paragraph 4 of this Article does not apply to the processing by the competent authorities for special purposes. 

Joint Controllers 

Article 43 

If two or more controllers jointly determine the purposes and processing method, they are considered joint controllers. 

The joint controllers referred to in paragraph 1 of this Article determine, in a transparent manner, their respective responsibilities for compliance with the obligations prescribed by this Law, in particular the obligations as regards the exercising of the rights of the data subject and their respective duties to provide to such person the information referred to in Articles 23 through 25 of this Law. 

The responsibility referred to in paragraph 2 of this Article is regulated by an agreement of the joint controllers unless such responsibility is laid down by the law applicable to the controllers. 

The agreement referred to in paragraph 3 of this Article must designate a contact person for the data subject and regulate the relationships of each joint controller vis-à-vis the data subject. 

The essence of the agreement referred to in paragraph 3 of this Article must be made available to the data subject. 

Provisions of paragraphs 4 and 5 of this Article do not apply to the processing carried out by the competent authorities for special purposes. 

Irrespective of the agreement’s provisions in paragraph 3 of this Article, the data subject may exercise his or her rights laid down by this Law in respect of and against each joint controller. 

Representatives of Controllers or Processors Which Do Not Have Their Seat in the Republic of Serbia 

Article 44 

The controller and/or the processor, in the cases referred to in Article 3, paragraph 4 of this Law, is obliged to designate in writing a representative in the Republic of Serbia, unless: 

1) the processing is occasional, does not include, on a large scale, processing of special data referred to in Article 17, paragraph 1 of this Law or personal data relating to convictions for criminal offenses and punishable offenses referred to in Article 19 of this Law, and is unlikely to cause any risk to the rights and freedoms of natural persons, taking into account the nature, circumstances, scope and purposes of the processing; 

2) the controller and/or the processor is a public authority. 

The controller and/or the processor will authorize the representative referred to in paragraph 1 of this Article as a person to whom, in addition to the controller or processor, and/or instead of them, the data subject, the Commissioner or another person may turn in respect of all the issues related to the processing of personal data, to ensure compliance with the provisions of this Law. 

A complaint, action and other legal requests referred to in this Law can be filed against the controller or processor, irrespective of whether their representative referred to in paragraph 1 of this Article has been designated. 

Processor 

Article 45 

If processing is carried out on behalf of a controller, the controller may designate as processors only the person or the public authority that can provide sufficient guarantees relating to the implementation of appropriate technical, organizational and staff-related measures in such a manner as to ensure that processing will be carried out in compliance with the provisions of this Law and that the protection of the rights of the data subject is ensured. 

The processor referred to in paragraph 1 of this Article may entrust the processing to another processor only if they are duly authorized to do so by the controller based on a general or specific written authorization. If processing is carried out based on a general authorization, the processor is obliged to inform the controller of any intended changes concerning the selection of another processor, thereby allowing the controller to oppose such change. 

Processing by a processor must be governed by a contract or other legally binding act, which is concluded and/or adopted in writing, including by electronic means, which is binding on the processor in relation to the controller and which regulates the subject matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the types of persons whose data is to be processed, as well as the rights and obligations of the controller. 

The contract or another legally binding act referred to in paragraph 3 of this Article shall prescribe that the processor is obliged to: 

1) process personal data only based on written instructions from the controller, including the instructions regarding transfers of personal data to other countries or international organizations, unless the processor is obliged to process data by the law. In such a case, the processor is obliged to inform the controller of that legal obligation before commencing the processing unless that law prohibits the provision of such information on the grounds of protection of an important public interest; 

2) ensure that the natural person who is authorized to process the personal data has committed themselves to confidentiality or that such person is subject to a legal obligation of confidentiality; 

3) take all the necessary measures in compliance with Article 50 of this Law; 

4) comply with the conditions for entrusting the processing to another processor as referred to in paragraphs 2 and 7 of this Article; 

5) taking into account the nature of the processing, assist the controller by applying appropriate technical, organizational and staff-related measures, insofar as this is possible, for the fulfillment of the controller’s obligation regarding the requests for exercising the rights of the data subject laid down in Chapter III of this Law; 

6) assist the controller in compliance with the obligations referred to in Article 50 and Articles 52 through 55 of this Law, taking into account the nature of processing and information available to them; 

7) following the completion of agreed activities of processing, and based on the decision of the controller, delete or return to the controller complete personal data and delete all copies of such data, unless the obligation to store data is legally prescribed; 

8) make available to the controller complete information necessary to demonstrate compliance with the obligations of the processor laid down in this Article, as well as information allowing for and contributing to the control of work of the processor which is conducted by the controller or another person authorized to do so by the controller. 

In the case referred to in paragraph 4, item 8) of this Article, the processor is obliged to warn the controller without delay if, in their opinion, the written instructions obtained from them are not in compliance with this Law or another law regulating the protection of personal data. 

If the processing is carried out by the competent authorities for special purposes, the contract or another legally binding act referred to in paragraph 3 of this Article will prescribe that the processor is obliged to: 

1) process personal data on the basis of the instructions of the controller only; 

2) ensure that the person authorized to process data has committed themselves to confidentiality or that such person is subject to a legal obligation of confidentiality; 

3) assist in an appropriate manner the controller in fulfillment of the controller’s obligation to comply with the provisions on the rights of data subjects referred to in Chapter III of this Law; 

4) following the completion of agreed activities of processing, and based on the decision of the controller, delete or return to the controller complete personal data and delete all copies of such data, unless the obligation to store data is legally prescribed; 

5) make available to the controller complete information that is necessary to demonstrate compliance with the obligations of the processor laid down in this Article; 

6) ensure compliance with the conditions referred to in paragraphs 2, 3, and 6 of this Article if they entrust the processing to another processor. 

If the processor designates another processor for carrying out specific processing activities on behalf of the controller, the same obligations regarding the protection of personal data prescribed by the contract or other legally binding act between the controller and the processor referred to in paragraphs 3 and 4 of this Article shall also bind that other processor, based on a separate contract or other legally binding act concluded or adopted in writing, including electronic form, which provides sufficient guarantees in the relationship between the processor and the other processor for the implementation of appropriate technical, organizational and personnel measures ensuring that the processing is carried out following this Law. If that other processor fails to fulfill its obligations relating to data protection, the processor remains fully liable to the controller for the performance of that other processor’s obligations. 

If the processor violates the provisions of this Law by determining the purpose and method of processing personal data, the processor is considered the controller vis-à-vis such processing. 

The implementation of the approved code of conduct, as referred to in Article 59 of this Law, and/or the issued certificate, as referred to in Article 61 of this Law, can be applied to demonstrate that the processor fulfills the obligations of providing guarantees referred to in paragraphs 1 and 7 of this Article. 

The legal relationship between the controller and the processor, which is regulated in compliance with paragraphs 3 and 7 of this Article can be based in its entirety or a part thereof on the standard contractual clauses referred to in paragraph 11 of this Article, including those relating to the certificate that is granted to the controller or the processor in compliance with Articles 61 and 62 of this Law. 

The Commissioner may lay down standard contractual clauses relating to the obligations referred to in paragraphs 3 and 7 of this Article, considering the European practice of laying down standard contractual clauses. 

Provisions of paragraphs 4, 5, 7, and paragraphs 9 through 11 of this Article do not apply to the competent authorities carrying out processing for special purposes. 

Processing upon an Order 

Article 46 

The processor, and/or any other person who has access to personal data under the authority of the controller or of the processor, may not process such data without an order from the controller unless such processing is laid down by the law. 

Records of Processing Activities 

Article 47 

The controller and their representative, if they are designated, are obliged to maintain records on processing activities under their responsibility, which contain information on: 

1) the name and contact details of the controller and, if any and/or if they are designated, on the joint controllers, the controller’s representative and the data protection officer; 

2) the purpose of the processing; 

3) the type of data subjects and on the types of personal data; 

4) the type of recipients to whom the personal data have been or will be disclosed, including recipients in other countries or international organizations; 

5) the transfers of personal data to other countries or international organizations, including the name of other country or international organization, as well as the documents on the implementation of safeguards if data is transferred in compliance with Article 69, paragraph 2 of this Law, if such transfer of personal data is performed; 

6) the time limit upon the expiry of which certain types of personal data will be erased if such time limit has been set; 

7) the general description of the safeguards referred to in Article 50, paragraph 1 of this Law, where possible. 

The provisions of paragraph 1 of this Article do not apply if the processing is carried out by the competent authorities for special purposes. 

If the processing is carried out by the competent authorities for special purposes, the controller is obliged to maintain the records on all the types of processing activities under their responsibility, which contain information on: 

1) the name and contact details of the controller and, if any and/or if they are designated, on the joint controllers and the data protection officers; 

2) the purpose of the processing; 

3) the type of data subjects and the types of personal data; 

4) the type of recipients to whom the personal data have been or will be disclosed, including recipients in other countries or international organizations; 

5) the use of profiling, where profiling is used; 

6) the types of personal data transfers to other countries or international organizations, if such personal data transfers are performed; 

7) the legal grounds for the processing procedure, including the personal data transfer; 

8) the time limit upon the expiry of which certain types of personal data will be erased, if such time limit has been set; 

9) the general description of the safeguards referred to in Article 50, paragraph 1 of this Law, where possible. 

The processor and their representative, if they are designated, are obliged to maintain the records on all the types of processing activities performed on behalf of a controller, which contain information on: 

1) the name and contact details of each processor and each controller on behalf of which processing is carried out, and/or if any and/or if they are designated, on the controller’s or processor’s representative and the data protection officer; 

2) the types of processing performed on behalf of each controller; 

3) the transfers of personal data to other countries or international organizations, including the name of the other country or international organization, as well as the documents on the implementation of safeguards if data is transferred in compliance with Article 69, paragraph 2 of this Law, if such transfer of personal data is performed; 

4) the general description of the safeguards referred to in Article 50, paragraph 1 of this Law, where possible. 

The provisions of paragraph 4 of this Article do not apply if the processing is carried out by the competent authorities for special purposes. 

If the processing is carried out by the competent authorities for special purposes, each processor is obliged to maintain the records on all the types of processing activities performed on behalf of the controller, which shall contain information on: 

1) the name and contact details of each processor and each controller on behalf of which processing is performed, and/or the data protection officer, if they are designated; 

2) the types of processing performed on behalf of each controller; 

3) the transfers of personal data to other countries or international organizations, providing that the controller requires that explicitly, including the name of the country or international organization, if such transfer of personal data is performed; 

4) the general description of the safeguards referred to in Article 50, paragraph 1 of this Law, where possible. 

The records referred to in paragraphs 1, 3, 4 and 6 of this Article are maintained in writing, which includes the electronic form, and are kept permanently. 

The controller or the processor, as well as their representatives, if they are designated, are obliged to make the records referred to in paragraphs 1, 3, 4 and 6 of this Article available to the Commissioner, at their request. 

Provisions of paragraphs 1 and 4 of this Article do not apply to the economic operators and organizations employing fewer than 250 persons, except if: 

1) the processing that they perform can result in a high risk to the rights and freedoms of the data subjects; 

2) the processing is not occasional; 

3) the processing includes special types of personal data, as referred to in Article 17, paragraph 1 of this Law, or personal data relating to criminal convictions, punishable offences, and safeguards referred to in Article 19 of this Law. 

Recording of Processing Activities Performed by the Competent Authorities for Special Purposes 

Article 48 

The competent authority that is processing data for special purposes is obliged to ensure that on the occasion of the use of the system for automatic processing, at least the following processing activities are recorded in such system: entry, alteration, inspection, disclosure, including transfer, comparison, and erasure. 

Recording of inspection and disclosure of personal data must enable determining the reasons for performing the processing activities, the date and time of processing activities, and, where possible, the identity of the person performing an inspection or disclosing the personal data, as well as the identity of the recipient of such data. 

The recording referred to in paragraph 1 of this Article can only be used to assess the lawfulness of the processing and internal supervision, ensure data integrity and safety, and initiate and conduct criminal proceedings. 

The record created by means of recording referred to in paragraph 1 of this Article will be made available to the Commissioner for inspection at their request. 
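As an added illustration (not part of the Law's text), the following Python module shows how an automated processing system could satisfy the recording duties of Article 48: it records the six activity types named in paragraph 1, refuses inspection and disclosure records that lack the reason, and disclosure records that lack the recipient, as paragraph 2 requires, and keeps the person's identity as an optional field because paragraph 2 only demands it "where possible". The hash chain that links records is an assumed integrity measure supporting the "data integrity" use in paragraph 3, not something the Article itself prescribes; all identifiers in the sample are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Activity(str, Enum):
    """Processing activities that Article 48, paragraph 1 requires to be recorded."""
    ENTRY = "entry"
    ALTERATION = "alteration"
    INSPECTION = "inspection"
    DISCLOSURE = "disclosure"  # includes transfer to a recipient
    COMPARISON = "comparison"
    ERASURE = "erasure"


# Activities whose record must allow the reason, time and (where possible)
# the acting person to be determined afterwards (Article 48, paragraph 2).
JUSTIFIED = {Activity.INSPECTION, Activity.DISCLOSURE}


@dataclass(frozen=True)
class AuditRecord:
    activity: Activity
    subject_ref: str                  # opaque reference to the data record touched, never the data itself
    timestamp: str                    # ISO 8601 in UTC
    reason: Optional[str] = None      # mandatory for inspection and disclosure
    actor: Optional[str] = None       # "where possible": may be unknown for batch jobs
    recipient: Optional[str] = None   # mandatory for disclosure only
    prev_hash: str = ""               # digest of the preceding record (assumed chaining scheme)
    digest: str = ""

    def canonical(self) -> str:
        """Deterministic serialisation over which the digest is computed."""
        body = asdict(self)
        body.pop("digest")
        body["activity"] = self.activity.value
        return json.dumps(body, sort_keys=True, separators=(",", ":"))


class AuditLog:
    """Append-only list of AuditRecords; each record's digest covers the previous digest."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    @staticmethod
    def _check(rec: AuditRecord) -> None:
        # Paragraph 2: inspection and disclosure must be explainable after the fact.
        if rec.activity in JUSTIFIED and not rec.reason:
            raise ValueError(f"{rec.activity.value} must record its reason")
        if rec.activity is Activity.DISCLOSURE and not rec.recipient:
            raise ValueError("disclosure must record the recipient")
        if rec.activity is not Activity.DISCLOSURE and rec.recipient:
            raise ValueError("recipient applies to disclosure only")
        datetime.fromisoformat(rec.timestamp)  # raises ValueError on a malformed timestamp

    def append(self, activity: Activity, subject_ref: str, *, reason: Optional[str] = None,
               actor: Optional[str] = None, recipient: Optional[str] = None,
               when: Optional[datetime] = None) -> AuditRecord:
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        prev = self._records[-1].digest if self._records else ""
        rec = AuditRecord(activity, subject_ref, ts, reason, actor, recipient, prev)
        self._check(rec)
        rec = replace(rec, digest=hashlib.sha256(rec.canonical().encode()).hexdigest())
        self._records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """Detects altered or removed records. Truncation of the tail is only caught if the
        latest digest is also anchored elsewhere (e.g. reported to the supervising body)."""
        prev = ""
        for rec in self._records:
            if rec.prev_hash != prev:
                return False
            if hashlib.sha256(rec.canonical().encode()).hexdigest() != rec.digest:
                return False
            prev = rec.digest
        return True

    def who_received(self, subject_ref: str) -> List[str]:
        """Paragraph 2: determine the identity of the recipients of disclosed data."""
        return [r.recipient for r in self._records
                if r.activity is Activity.DISCLOSURE and r.subject_ref == subject_ref]

    def __len__(self) -> int:
        return len(self._records)


def demo() -> AuditLog:
    """Constructed sample: one case file is entered, inspected, disclosed and erased."""
    log = AuditLog()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.append(Activity.ENTRY, "case-0001", actor="clerk-17", when=t0)
    log.append(Activity.INSPECTION, "case-0001", reason="identity check, file 12/24",
               actor="officer-42", when=t0)
    log.append(Activity.DISCLOSURE, "case-0001", reason="request under file 12/24",
               actor="officer-42", recipient="prosecutor-office-3", when=t0)
    log.append(Activity.ERASURE, "case-0001", actor="retention-job", when=t0)
    return log
```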

Cooperation with the Commissioner 

Article 49 

The controller, processor and their representatives, if they are designated, will cooperate with the Commissioner in the performance of their powers. 

2. Security of Personal Data 

Security of Processing 

Article 50 

In accordance with the level of technological achievements and the costs of implementation, the nature, scope, circumstances, and purposes of the processing, as well as the likelihood of the occurrence of risks and the level of risk to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical, organizational and staff-related measures to achieve a level of security appropriate to the risk. 

As appropriate, the measures referred to in paragraph 1 of this Article in particular include: 

1) the pseudonymization and encryption of personal data; 

2) the ability to ensure durable confidentiality, integrity, availability, and resilience of processing systems and processing services; 

3) ensuring restoration of the availability and access to personal data in the event of a physical or technical incident within the shortest time possible; 

4) the procedure of regular testing, assessing, and evaluating the effectiveness of technical, organizational, and staff-related measures for processing security. 

When assessing the appropriate level of security referred to in paragraph 1 of this Article, special account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. 

Application of an approved code of conduct as referred to in Article 59 of this Law, and/or an issued certificate as referred to in Article 61 may be used for demonstrating compliance with the obligations referred to in paragraph 1 of this Article. 

The controller and the processor are obliged to take measures to ensure that any natural person authorized to access personal data by the controller or the processor processes such data on the controller’s order or if they are required to do so by the law. 

Provisions of paragraphs 1 through 5 of this Article do not apply to the processing carried out by the competent authorities for special purposes. 

Security of Processing Performed by the Competent Authorities for Special Purposes 

Article 51 

If the processing is performed by the competent authorities for special purposes, and in accordance with the level of technological achievements and the costs of the application thereof, the nature, scope, circumstances, and purpose of processing, as well as the likelihood of the occurrence of risks and the level of risk to the rights and freedoms of natural persons, the controller and the processor shall implement adequate technical, organizational and staff-related measures to achieve an adequate level of security appropriate to the risk, in particular in cases of processing of special types of personal data as referred to in Article 18 of this Law. 

Based on the assessment of risk, the controller or the processor are obliged to, in automatic processing, implement adequate measures referred to in paragraph 1 of this Article, which ensure that: 

1) access to the equipment used for processing is rendered impossible to any unauthorized person (“control of access to the equipment”); 

2) unauthorized reading, copying, change or removal of medium is prevented (“medium control”); 

3) unauthorized entering of personal data, as well as any unauthorized modification, erasure and control of the stored personal data is prevented (“storage control”); 

4) the use of an automatic processing system by any unauthorized person using data transfer equipment is prevented (“usage control”); 

5) it is ensured that the person authorized to use the system for automatic processing has access only to the personal data covered by their authorization for access to data (“control of access to data”); 

6) they may check and/or determine to whom personal data has been transferred, may be transferred or made available, by using the equipment for data transfer (“transfer control”); 

7) they may subsequently check and/or determine which pieces of personal data have been entered in the system for automatic processing, by which person and when (“entry control”); 

8) unauthorized reading, copying, modification or erasure of personal data in the course of transfer thereof or the course of transportation of the medium is prevented (“transport control”); 

9) the installed system is restored in the case of any interruption of operation thereof (“system restoration”); 

10) proper operation of the system and regular reporting of system operation errors are ensured (“reliability”), as well as that the personal data stored cannot be jeopardized due to any deficiencies in system operation (“integrity”).

Notification of a Personal Data Breach to the Commissioner 

Article 52 

The controller is obliged to notify the Commissioner of the breach of personal data that can result in a risk to the rights and freedoms of natural persons without undue delay, or, where possible, within 72 hours after becoming aware of the breach. 

If the controller does not act within 72 hours after becoming aware of the breach, they are obliged to provide an explanation of the reasons for not having acted within such time limit. 

After becoming aware of a personal data breach, the processor is obliged to notify the controller of such breach without undue delay. 

The notification referred to in paragraph 1 of this Article must at least include the following pieces of information: 

1) the description of the nature of the personal data breach, including the types of data and the approximate number of data subjects concerned where possible, as well as the approximate number of personal data pieces the security of which has been breached; 

2) the name and contact details of the data protection officer or information on any other possible method of obtaining information on the breach; 

3) a description of the possible consequences of the breach; 

4) a description of the measures taken or proposed to be taken by the controller relating to the personal data breach, including measures taken to mitigate its possible adverse effects. 

If complete information referred to in paragraph 4 of this Article cannot be provided simultaneously, the controller provides available information in stages, without undue delay.

The controller is obliged to document each personal data breach, including the facts relating to the personal data breach, its effects and the remedial action taken. 

The documentation referred to in paragraph 6 of this Article enables the Commissioner to determine whether or not the controller has acted in compliance with the provisions of this Article. 

In case of a breach of personal data processed by the competent authorities for special purposes, which is transferred to the controller in another country or an international organization, the controller is obliged to, without undue delay, provide the information referred to in paragraph 4 of this Article to the controller in such other country or international organization, in compliance with the international agreement. 

The Commissioner prescribes the form for the notification referred to in paragraph 1 of this Article and regulates the notification method in more detail. 

Communication of a Personal Data Breach to the Data Subject 

Article 53 

If the personal data breach may result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. 

In the communication referred to in paragraph 1 of this Article, the controller is obliged to describe in clear and plain language the nature of the personal data breach and to state at least the information referred to in Article 52, paragraph 4, items 2) through 4) of this Law. 

The controller is not obliged to notify the person referred to in paragraph 1 of this Article if: 

1) they have applied appropriate technical, organizational and staff-related protection measures to the personal data affected by the personal data breach, in particular, if the personal data has been rendered unintelligible to any person who is not authorized to access it, such as through encryption or other measures; 

2) they have taken subsequent measures which ensure that the personal data breach involving high risk to the rights and freedoms of data subjects referred to in paragraph 1 of this Article may no longer produce consequences for such data subjects; 

3) notification of the data subject would require disproportionate use of time and resources. In such a case, the controller is instead obliged to ensure the provision of notification to the data subject by means of public notification or in another effective manner.

If the controller has not communicated the personal data breach to the data subject, the Commissioner may, having considered the likelihood that the personal data breach results in a high risk, require the controller to do so or may determine that the conditions referred to in paragraph 3 of this Article are met. 

In case of a breach of personal data processed by the competent authorities for special purposes, the controller may postpone or restrict the communication to the data subject, in compliance with the conditions and on the grounds of the reasons referred to in Article 25, paragraph 3 of this Law. 

3. Data Protection Impact Assessment and Prior Consultation with the Commissioner 

Data Protection Impact Assessment 

Article 54 

If a type of processing, in particular using new technologies and taking into account the nature, scope, circumstances and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, before commencing the processing, carry out an assessment of the impact the planned processing operations will have on personal data protection. 

A joint assessment may be carried out if several similar processing operations present similar high risks for personal data protection. 

When carrying out a data protection impact assessment, the controller is obliged to seek the opinion of the data protection officer if such officer is designated. 

The data protection impact assessment referred to in paragraph 1 of this Article shall mandatorily be performed in the case of: 

1) a systematic and comprehensive evaluation of the position and characteristics of the natural person which is carried out by automated processing of personal data, including profiling, and based on which decisions are made which are of significance for the legal position of the individual or similarly significantly affecting them; 

2) processing of special types of personal data referred to in Article 17, paragraph 1 and Article 18, paragraph 1 or of personal data relating to criminal convictions and punishable offenses referred to in Article 19 of this Law, on a large scale; 

3) a systematic monitoring of a publicly accessible area on a large scale. 

The Commissioner is obliged to draw up and to make public on their website a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment referred to in paragraph 1 of this Article and they may additionally make public a list of the kinds of processing activities for which no data protection impact assessment is required. 

The assessment must contain at least: 

1) a comprehensive list of the envisaged processing operations and the purposes of the processing, including the description of the legitimate interest pursued by the controller, if applicable; 

2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes of the processing; 

3) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1 of this Article; 

4) a description of the measures intended to be taken in relation to the existence of the risks, including safeguards, as well as the technical, organizational and staff-related measures to ensure the protection of personal data and to provide proof of the compliance with the provisions of this Law, taking into account the rights and legitimate interests of data subjects and other persons concerned. 

Paragraph 6 of this Article does not apply to the impact assessment of the processing carried out by the competent authorities for special purposes. 

The impact assessment of the processing carried out by the competent authorities for special purposes shall at least include a comprehensive description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of the data subjects, a description of measures intended to be taken to address the risks, including the safeguards, as well as the technical, organizational and staff-related measures to ensure personal data protection and to provide proof of compliance with the provisions of this Law, taking into account the rights and legitimate interests of the data subjects and other persons concerned. 

Compliance with the approved code of conduct referred to in Article 59 of this Law by the relevant controllers or processors must be taken into due account in assessing the impact of the processing operations performed on protecting personal data. 

Paragraph 9 of this Article does not apply to the processing carried out by the competent authorities for special purposes. 

If appropriate, the controller shall seek the opinions of data subjects or their representatives on the intended processing operations without prejudice to the protection of commercial or public interests or the security of processing operations. 

If a separate law prescribes individual processing operations and/or groups of processing operations, and the processing is performed in compliance with Article 12, paragraph 1, item 3) or item 5) of this Law, and the personal data protection impact assessment has already been carried out as part of a general impact assessment on the occasion of the adoption of that law, paragraphs 1 through 9 of this Article do not apply, unless it is determined that it is necessary to carry out another such assessment. 

If necessary, and at least in the case of a change in the risk levels concerning the processing operations, the controller is obliged to carry out a review to assess whether processing operations are performed in compliance with the data protection impact assessment performed. 

Prior Consultation with the Commissioner 

Article 55 

If the data protection impact assessment, which has been carried out in compliance with Article 54 of this Law, indicates that the intended processing operations will result in a high risk in the absence of measures taken to mitigate the risk, the controller is obliged to consult the Commissioner before commencing the processing operation. 

Paragraph 1 of this Article does not apply to the processing carried out by the competent authorities for special purposes. 

If the processing is performed by the competent authority for special purposes, the controller and/or the processor shall be obliged to consult with the Commissioner before commencing the processing operations, which will result in the creation of a filing system of data in case that: 

1) the data protection impact assessment, which has been carried out in compliance with Article 54 of this Law, indicates that the intended processing activities will result in a high risk in the absence of measures taken to mitigate the risk; 

2) the kind of processing, particularly where new technologies, safeguards, or procedures are applied, presents a high risk to the rights and persons of the data subjects. 

If the Commissioner is of the opinion that infringements of the provisions of this Law could be caused by the intended processing operations referred to in paragraphs 1 and 3 of this Article, and in particular if the controller has insufficiently identified or mitigated, the Commissioner is obliged to, within 60 days from the date of receipt of the request, provide written advice to the controller or to the processor, if they submitted the request, as well as to, if necessary, exercise the powers referred to in Article 79 of this Law. 

The time limit referred to in paragraph 4 of this Article can be extended by 45 days, taking into account the complexity of the intended processing operations, and the Commissioner is obliged to inform the controller or the processor, if they submitted the request, of the postponement and of the reasons for postponement of advice, within 30 days from the date of receipt of the consultation request. 

The time limits referred to in paragraphs 4 and 5 of this Article shall stay until the Commissioner has received all the requested information necessary for providing an opinion. 

Enclosed with the consultation request, the controller is obliged to provide the Commissioner with information on: 

1) the respective responsibilities of the controller and, where applicable, of the joint controllers and processors involved in the processing, in particular for processing performed within a group of economic operators; 

2) the purposes and means of the intended processing; 

3) the technical, organizational and staff-related measures, as well as on the safeguards for the rights and freedoms of the data subjects in compliance with this Law; 

4) the contact details of the data protection officer, if designated; 

5) the data protection impact assessment provided for in Article 54 of this Law; 

6) any other information requested by the Commissioner. 

Paragraph 7 of this Article does not apply to the processing carried out by the competent authorities for special purposes. 

If the processing is carried out by the competent authority for special purposes, the controller referred to in paragraph 3 of this Article is obliged to provide to the Commissioner information on impact assessment on the protection of personal data referred to in Article 54 of this Law, and at the request of the Commissioner, other pieces of information of significance for their advice on the processing operations as well, in particular on the risk to the protection of personal data of the data subject and the safeguards for their rights. 

The Commissioner may additionally draw up and make public on their website the list of processing operations concerning which consultations must be requested. 

The public authorities proposing the adoption of the laws and legal regulations based on the laws, which include provisions on processing personal data, must request consultations with the Commissioner during their preparation. 

4. Data Protection Officer 

Designation 

Article 56 

The controller and the processor may designate a data protection officer. 

The controller and the processor shall be obliged to designate a data protection officer if:

1) the processing is carried out by a public authority, except for the processing performed by the court for the purpose of exercising its judicial powers; 

2) the core activities of the controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; 

3) the core activities of the controller or the processor consist of processing on a large scale of special types of personal data in compliance with Article 17, paragraph 1, or personal data relating to criminal convictions and offenses referred to in Article 19 of this Law. 

Provisions of paragraphs 1 and 2 of this Article do not apply to the processing of the competent authorities for special purposes. 

If the processing is performed by the competent authorities for the special purpose, the controller is obliged to designate a data protection officer, except in the case of data processing performed by the courts for the purpose of exercising their judicial powers. 

A group of economic operators may designate a joint data protection officer under the condition that such a person is equally available to each group member. 

If the controllers or the processors are public authorities or competent authorities, a single data protection officer may be designated, taking into account the organizational structure and size of such public authorities. 

A separate law may prescribe that the controllers and/or the processors or the associations that are representing them, must designate a data protection officer. 

The data protection officer shall be designated based on their professional qualities and, in particular, their expert knowledge and experience in the field of protection of personal data, as well as the ability to fulfill the obligations referred to in Article 58 of this Law. 

The data protection officer may be employed with the controller or processor or may fulfill the tasks based on a service contract. 

The controller or the processor is obliged to publish the contact details of the data protection officer and provide them to the Commissioner. 

The Commissioner maintains the records of the data protection officers, which include the names and surnames of the data protection officers, their contact details, as well as the names and contact details of the controller and/or the processor. 

The Commissioner prescribes the form of the records referred to in paragraph 11 of this Article and regulates the method of maintaining it. 

Position of the Data Protection Officer 

Article 57 

The controller and the processor are obliged to ensure that the data protection officer is involved, properly and in a timely manner, in all tasks relating to personal data protection. 

The controller and processor are obliged to enable the data protection officer to perform the tasks referred to in Article 58 by providing resources necessary to carry out those obligations, access to personal data and processing operations, as well as their specialist training. 

The controller and processor ensure that the data protection officer is independent in exercising their obligations. 

The controller or the processor may not penalize the data protection officer or terminate the employment and/or the service contract with them due to the performance of obligations referred to in Article 58 of this Law. 

For the performance of obligations referred to in Article 58 of this Law, the data protection officer reports directly to the highest management level of the controller or the processor. 

Data subjects may contact the data protection officer regarding all issues related to the processing of their personal data, as well as to the exercise of their rights prescribed by this Law. 

The data protection officer is bound by secrecy or confidentiality concerning the performance of his or her obligations referred to in Article 58 of this law, in compliance with the law. 

The data protection officer may fulfill other tasks and duties, and the controller or processor is obliged to ensure that the performance of any such tasks and duties does not result in a conflict of interests for the data protection officer. 

If the controllers are competent authorities carrying out the processing for special purposes, provisions of paragraphs 1 through 5 and 8 of this Article do not apply to the processor. 

Obligations of the Data Protection Officer 

Article 58 

The data protection officer shall have at least the obligation to: 

1) inform and advise the controller or the processor as well as the employees who carry out processing operations of their legal obligations regarding the protection of personal data; 

2) monitor implementation of the provisions of this Law, other laws, and internal regulations of the controller or processor in relation to the protection of personal data, including the issues of assignment of responsibilities, awareness raising and training of employees participating in the processing operations, as well as audits; 

3) provide advice, where requested, as regards the data protection impact assessment and monitor the actions conducted based on such assessment in compliance with Article 54 of this Law; 

4) cooperate with the Commissioner, act as a contact point for cooperation with the Commissioner and consult with them regarding the issues relating to processing, including notification and acquiring opinions referred to in Article 55 of this Law. 

While performing their obligations, the data protection officer acts in due regard to the risk associated with processing operations, taking into account the nature, scope, circumstances, and purposes of the processing. 

If the controllers are the competent authorities performing processing for special purposes, provisions of paragraph 1, items 1) and 2) of this Article do not apply to the processor.

5. Code of Conduct and Issuing of Certificates 

Code of Conduct 

Article 59 

Associations and other entities representing groups of controllers or processors may draw up codes of conduct for the purpose of more efficient implementation of this Law, in particular in respect of: 

1) fair and transparent processing; 

2) the legitimate interests of the controllers, taking into account the circumstances of concrete cases; 

3) the collection of personal data; 

4) the pseudonymization of personal data; 

5) the information provided to the public and to data subjects; 

6) the exercise of the rights of data subjects; 

7) the information provided to underage persons, their protection, as well as the manner in which the consent of the parent exercising parental right is to be obtained; 

8) the measures and procedures referred to in Articles 41 and 42 of this Law, as well as the measures aimed at ensuring the security of processing referred to in Article 50 of this Law; 

9) the notification of personal data breaches to the Commissioner and the communication of such personal data breaches to data subjects; 

10) the transfer of personal data to other countries or international organizations; 

11) the dispute resolution methods for amicably resolving disputes between controllers and data subjects regarding processing, without prejudice to exercising the rights of data subjects referred to in Articles 82 and 84 of this Law. 

The controllers and/or the processors to whom this Law does not apply, in order to ensure appropriate safeguards for the data subjects in the transfer of their personal data to other countries or international organizations based on Article 65, paragraph 2, item 3) of this Law, may accept or undertake to apply the code of conduct approved in compliance with paragraph 5 of this Article, through contractual or other legally binding acts by which they are obliged to apply such safeguards, in particular regarding the rights of the data subjects. 

A code of conduct referred to in paragraph 1 of this Article shall mandatorily contain provisions which enable the person referred to in Article 60, paragraph 1 of this Law to carry out the monitoring of the implementation of the code by the controllers or processors which undertake to apply it, which is without prejudice to the inspection and other tasks and powers of the Commissioner referred to in Articles 77 through 79 of this Law. 

The associations and other entities referred to in paragraph 1 of this Article intending to draw up a code of conduct or to amend an existing code of conduct shall be obliged to deliver the draft code or any of its amendments to the Commissioner for opinion. 

The Commissioner shall provide an opinion on the compliance of the proposed code of conduct or its amendments with the provisions of this Law, and if the Commissioner determines that the proposed code of conduct includes sufficient guarantees for the protection of personal data, the code of conduct or its amendment will be registered and made public on their website. 

Provisions of paragraphs 1 through 5 of this Article do not apply to the processing carried out by the competent authorities for special purposes. 

Control of Implementation of the Codes of Conduct 

Article 60 

Control of implementation of the code of conduct, in compliance with Article 59, paragraph 3 of this Law, can be performed by the legal person accredited to perform control in compliance with the law regulating accreditation. 

Conducting of control referred to in paragraph 1 of this Article shall be without prejudice to the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law. 

The legal person referred to in paragraph 1 of this Article may be accredited only if it has: 

1) demonstrated its independence and expertise in relation to the contents of the code of conduct to the satisfaction of the Commissioner; 

2) established procedures that allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor the controllers’ or processors’ implementation of the code of conduct as well as to review its effectiveness periodically; 

3) established procedure and authority to decide on complaints about infringements of the code of conduct or the manner in which it is being implemented by a controller or processor, as well as ensure transparency of that procedure and authority to the public and data subjects; 

4) demonstrated to the satisfaction of the Commissioner that the exercising of their powers cannot result in a conflict of interests. 

In a case of breach of a code of conduct by a controller or a processor, the legal person referred to in paragraph 1 of this Article takes appropriate actions in the prescribed procedure, including a temporary or permanent exclusion of the controller and/or processor from the implementation of the code of conduct. 

The legal person referred to in paragraph 1 of this Article is obliged to notify the Commissioner of the actions taken under paragraph 4 of this Article, as well as of the reasons for the imposition thereof. 

Taking measures referred to in paragraph 4 of this Article will be without prejudice to the powers of the Commissioner and application of the provisions of Chapter VII of this Law. 

Accreditation of the legal person referred to in paragraph 1 of this Article will be revoked if it is established that it no longer fulfills the conditions for accreditation or if actions taken by the body infringe the provisions of this Law. 

Provisions of paragraphs 1 through 7 of this Article do not apply to the public authorities and the processing carried out by the competent authorities for special purposes. 

Issuing of Certification 

Article 61 

With a view to demonstrating compliance with the provisions of this Law by the controllers and processors and taking into account in particular the needs of small and medium enterprises, data protection certification mechanisms can be established with appropriate seals and data protection marks. 

A certificate with appropriate seals and marks can be issued to a controller and/or a processor that are not subject to this Law, with the aim of demonstrating that the protection measures are taken by the controller and processor within the transfers of their personal data to other countries or international organizations under Article 65, paragraph 2, item 5) of this Law, in compliance with paragraph 5 of this Article, providing that they accept binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including the protection of the rights of data subjects. 

The certification procedure is voluntary and transparent. 

The existence of a certificate issued may not impact the legal obligations of the controller and processor or the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this Law. 

A certificate is issued by the certification body referred to in Article 62 of this Law or the Commissioner, based on the criteria prescribed by the Commissioner, in compliance with the powers referred to in Article 79, paragraph 3 of this Law. 

The controller and processor who apply for the certificate are obliged to provide the certification body referred to in Article 62 of this Law and/or the Commissioner, where the application is addressed to them, with access to their processing activities that are necessary to conduct the certification procedure. 

The certificate is issued to the controller and processor for a period that cannot be longer than three years, and it is renewable if they continue to fulfill the same conditions and criteria prescribed for certificate issuing. 

The certificate referred to in paragraph 7 of this Article is revoked if the certification body and/or the Commissioner, if the application is addressed to them, determines that the controller and/or the processor no longer complies with the criteria prescribed for certification. 

The Commissioner maintains and publishes the list of certification bodies and certificates issued on their website, with relevant seals and marks. 

Provisions of paragraphs 1 through 9 of this Article do not apply to the processing carried out by the competent authorities for special purposes. 

Certification Bodies 

Article 62 

The certification body, which has an appropriate level of expertise in relation to data protection and which has been accredited in compliance with the law regulating accreditation, issues, renews and revokes certificates, inclusive of the seals and marks, after informing the Commissioner of the decision intended to be taken, which will be without prejudice to the inspection and other powers of the Commissioner referred to in Articles 77 through 79 of this law. 

The certification body referred to in paragraph 1 of this Article can be accredited only if it has: 

1) demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the Commissioner; 

2) undertaken to respect the prescribed criteria referred to in Article 61, paragraph 5 of this Law; 

3) prescribed the procedure for issuing, periodical reviews and revoking of certificates, seals and marks; 

4) prescribed procedure and designated authorities to act upon the complaints against the controller and processor about the processing activities conducted in a manner contrary to the certificate issued and to make them available to the public and to the data subjects; 

5) demonstrated to the Commissioner’s satisfaction that discharging their tasks cannot result in a conflict of interests. 

The Commissioner prescribes the criteria for accreditation of certification bodies based on the conditions referred to in paragraph 2 of this Article. 

Accreditation is issued to a certification body for a period of up to five years and is renewable, provided that the certification body continuously fulfills the prescribed conditions and criteria for accreditation. 

Accreditation of a certification body shall be revoked if it is determined that it no longer fulfills the accreditation conditions and criteria or if it is determined that the certification body breaches the provisions of this Law. 

The certification body is responsible for adequate assessment of compliance with the criteria for issuing, renewing, and revoking certificates and is obliged to provide the Commissioner with the reasons for issuing, renewing, or revoking certificates. 

The Commissioner publishes the accreditation criteria referred to in paragraph 3 of this Article. 

Certificates issued by the certification bodies of other countries or international organizations are valid in the Republic of Serbia, providing that they are issued in compliance with the ratified international agreements to which the Republic of Serbia is a signatory. 

If a certification body that has performed certification is accredited by a national body of another country that has signed an agreement with the Accreditation Body of Serbia that mutually recognizes the equivalence of the accreditation systems to the extent specified by the agreement signed, the certificates of such certification bodies can be accepted in the Republic of Serbia, without re-conducting the certification procedure. 

Provisions of paragraphs 1 through 9 of this Article do not apply to the processing carried out by the competent authorities for special purposes.