Article 95
A fine ranging from RSD 50,000 to RSD 2,000,000 will be imposed for a misdemeanor against the controller and/or processor that is a legal entity if they:
1) process the personal data contrary to the principles of processing referred to in Article 5, paragraph 1 of this Law;
2) process the personal data for other purposes, contrary to Articles 6 and 7 of this Law;
3) fail to clearly separate personal data based on findings of facts from the personal data based on a personal assessment (Article 10);
4) fail to, by using reasonable measures, ensure that incorrect, incomplete personal data and personal data that is not updated is not transmitted and/or not made available (Article 11, paragraph 1);
5) process the personal data without consent from the data subject, and cannot demonstrate that the data subject has given consent to the processing of his/her personal data (Article 15, paragraph 1);
6) process special types of personal data contrary to Articles 17 and 18 of this Law;
7) process the personal data regarding criminal judgments, punishable offenses, and safeguards contrary to Article 19, paragraph 1 of this Law;
8) fail to provide the data subject information referred to in Article 23, paragraphs 1 through 3, and Article 24, paragraphs 1 through 4 of this Law;
9) fail to make available to or fail to provide information referred to in Article 25, paragraphs 1 and 2 of this Law to the data subject;
10) fail to provide the information requested, fail to provide access to data, and/or fail to provide a copy of data processed by them (Article 26, paragraphs 1 and 2 and Article 27);
11) restrict partially or entirely the right to access to personal data to the data subject contrary to Article 28, paragraph 1 of this Law;
12) fail to rectify incorrect data or fail to supplement incomplete data, contrary to Article 29 of this Law;
13) fail to erase data of the data subjects without delay in the cases referred to in Article 30, paragraph 2 of this Law;
14) fail to limit the processing of personal data in the cases referred to in Article 31 of this Law;
15) fail to erase personal data (Article 32);
16) fail to notify the recipient regarding rectification, erasure, and limitation of processing (Article 33, paragraph 1);
17) fail to communicate to the data subject the decision to refuse to rectification, erasure and/or limitation of processing, as well as the reason for such refusal (Article 34, paragraph 1);
18) fail to suspend processing of data following a complaint filed by the data subject (Article 37, paragraph 1);
19) if a decision is made that results in legal effects for the data subject based on the automated processing solely, contrary to Articles 38 and 39 of this Law;
20) when determining the method of processing, as well as during processing, fail to take appropriate technical, organizational, and staff-related measures, contrary to Article 42 of this Law;
21) if the relations between the joint controllers are not regulated as prescribed by Article 43, paragraphs 2 through 4 of this Law;
22) entrust the processing of personal data to a processor contrary to Article 45 of this Law;
23) if data is processed without an order or contrary to the order of the controller (Article 46);
24) fail to notify the Commissioner of the breach of security of the data contrary to Article 52 of this Law;
25) fail to notify the data subject of the breach of the security of the data contrary to Article 53 of this Law;
26) fail to perform an impact assessment to the protection of the security of the data as provided for in Article 54 of this Law;
27) fail to notify the Commissioner and/or fail to seek an opinion from the Commissioner prior to commencing processing activity (Article 55, paragraphs 1 and 3);
28) fail to designate a data protection officer in the cases referred to in Article 56, paragraph 2 of this Law;
29) fail to discharge their obligations vis-à-vis the data protection officer as referred to in Article 57, paragraphs 1 through 3 of this Law;
30) if the transfer of personal data to other countries and to international organizations is carried out contrary to Articles 63 through 71 of this Law;
31) fail to ensure implementation of an effective mechanism for confidential reporting of cases of infringements of this Law (Article 80);
32) process the personal data for the purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes contrary to Article 92 of this Law.
The controller and/or the processor that is a legal entity will be sanctioned for a misdemeanor with a fine amounting to RSD 100,000 if they:
1) fail to inform the recipient of the special conditions for the processing of personal data prescribed by the law and of their obligation to comply with these conditions (Article 11, paragraph 5);
2) fail to deliver to the data subject a reasoned decision and/or fail to notify the person within the time limit referred to in Article 28, paragraphs 3 and 5 of this Law;
3) continue processing for the purpose of direct advertising if the data subject has filed a complaint against such processing (Article 37, paragraph 3);
4) fail to designate their representative in the Republic of Serbia, contrary to Article 44 of this Law;
5) fail to maintain the prescribed records on processing (Article 47) or does not record the processing activities (Article 48);
6) fail to make the contact details of the data protection officer publicly available and fail to deliver them to the Commissioner (Article 56, paragraph 11).
A fine ranging from RSD 5,000 to RSD 150,000 will be imposed for the misdemeanor against the natural person who has failed to comply with professional secrecy regarding the personal data disclosed to them while performing their tasks (Article 57, paragraph 7 and Article 76).
An entrepreneur will be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine ranging from RSD 20,000 to RSD 500,000.
The natural person and/or the responsible person within a legal entity, a public authority and/or an authority of the territorial autonomy and a local self-government unit, as well as the responsible person with a branch office or a business unit of a foreign legal entity, will be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine ranging from RSD 5,000 to RSD 150,000.
An entrepreneur will be sanctioned for the misdemeanor referred to in paragraph 2 of this Article with a fine amounting to RSD 50,000.
The natural person and/or the responsible person within a legal entity, a public authority and/or an authority of the territorial autonomy and of a local self-government unit, as well as the responsible person with a branch office or a business unit of a foreign legal entity will be sanctioned for the misdemeanor referred to in paragraph 2 of this Article with a fine amounting to RSD 20,000.