Table of Contents
- General Principles of Transfer
- Transfers Subject to Appropriate Protection Levels
- Transfers Subject to Appropriate Safeguards
- Transfers of Data Processed by the Competent Authorities for Special Purposes, with Application of Adequate Protection Measures
- Binding Corporate Rules
- Transfer or Disclosure of Personal Data Based on a Decision of an Authority of Another Country
- Transfer of Data in Special Situations
- Special Situations Regarding the Transfer of Data Processed by the Competent Authorities for Special Purposes
- Transfer of Data Processed by the Competent Authorities for Special Purposes to a Recipient in another Country
- International Cooperation Regarding Personal Data Protection
General Principles of Transfer
Article 63
Any transfer of personal data which is undergoing processing or is intended for further processing after transfer to another country or an international organization may take place only if, subject to the other provisions of this Law, the conditions laid down in this Chapter of the Law are complied with by the controller and processor, including for onward transfers of personal data from another country or an international organization to a third country or another international organization, in order to ensure an appropriate level of protection of natural persons which is equal to the level guaranteed by this Law.
If the processing is carried out by the competent authorities for special purposes, the transfer of data which is undergoing processing or which is intended for further processing after the transfer thereof to another country or international organization can be performed only if the following conditions are jointly fulfilled:
1) the transfer needs to be carried out for special purposes;
2) the personal data is transferred to the controller in another country or international organization, which is a competent authority for carrying out tasks for special purposes;
3) the Government has determined the list of states, parts of their territories, or one or multiple sectors of specified economic activities in those countries and international organizations that are providing an appropriate level of personal data protection in compliance with Article 64 of this Law, and the transfer of data is carried out to one of those countries, to a part of its territory or to one or multiple sectors of a specified economic activity in that country or to an international organization, or, if this is not the case, the application of appropriate safeguards has been ensured in compliance with Article 66 of this Law, or, if the application thereof has not been ensured, provisions on the transfer of data in special situations from Article 70 of this Law are applied;
4) in the case of further transfer of personal data from another country or international organization to a third country or international organization, the competent authority which has performed the first transfer or another competent authority in the Republic of Serbia has approved further transfer after having taken into account all the circumstances of significance for further transfer, including the gravity of the criminal offense, the purpose of the first transfer and the level of personal data protection in the third country or international organization to which data is to be transferred further.
Transfers Subject to Appropriate Protection Levels
Article 64
Transfer of personal data to another country, into a part of its territory or in one or multiple sectors of specified economic activities in that country or to an international organization, without prior authorization, can be performed, providing that it has been determined that such other country, part of its territory or one or multiple sectors of specified economic activities in such country or such international organization has provided the appropriate level of protection for personal data.
It is considered that an appropriate level of protection referred to in paragraph 1 of this Article has been provided in the countries and international organizations which are members of the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, and/or in the countries, in the parts of their territories or in one or multiple sectors of specified economic activities in such countries or international organizations which the European Union has determined to provide appropriate safeguards.
The Government may determine that a country, a part of its territory, an activity sector and/or a field of legal regulation or an international organisation does not provide an appropriate level of protection referred to in paragraph 1 of this Article, except in the case of the members of the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, taking into account:
1) the principle of the rule of law and respect for human rights and fundamental freedoms, applicable legislation, including regulations in the field of public security, defense, national security, criminal law, and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules and professional rules in this field and/or taking of measures for the protection of personal data, including rules for the onward transfer of personal data to third countries or international organizations, which are applied in the case-law and practice of other public authorities in another country or international organization, as well as the effectiveness of enforceability of data subject rights and in particular the effectiveness of administrative and judicial proceedings for the protection of rights of the data subjects whose personal data is being transferred;
2) the existence and effective functioning of the supervisory body for the protection of personal data in another country or the supervisory body in charge of supervision over the international organization in this field, with authorization to ensure implementation of the data protection rules and to initiate proceedings for the protection of personal data in cases of noncompliance, to provide assistance and to advise the data subjects in exercising their rights, as well as to cooperate with the supervisory authorities of other countries;
3) the international commitments the third country or international organization has undertaken or other obligations arising from legally binding international treaties or other legal instruments, as well as from its membership in multilateral or regional organizations, in particular concerning the protection of personal data.
It is considered that an appropriate level of protection has been provided if an international agreement has been concluded with another country or international organization on the transfer of personal data, as well.
Compliance with the conditions referred to in paragraph 3 of this Article will be determined in the procedure for concluding an international agreement on the transfer of personal data.
The Government will monitor the situation in the field of personal data protection in other countries, in parts of their territories, or in one or multiple sectors of specified activities in such countries or international organizations based on available information collected and information collected by international organizations, which is significant for reviewing the existence of an appropriate level of protection.
The list of countries, parts of their territories, or one or multiple sectors of specified activities in such countries and of international organizations which are considered to have provided an appropriate level of protection and/or for which the Government has determined that an adequate level of protection is no longer ensured is published in the Official Gazette of the Republic of Serbia.
Transfers Subject to Appropriate Safeguards
Article 65
A controller or processor may transfer personal data to another country, part of its territory or to one or multiple sectors of specified activities in such country or to an international organization for which the list referred to in Article 64, paragraph 7 of this Law has not determined the existence of an adequate level of protection only if the controller and/or the processor has provided adequate safeguards for such data and on condition that enforceable data subject rights and effective legal remedies for data subjects are ensured.
The appropriate safeguards referred to in paragraph 1 of this Article may be provided for, without requiring any specific authorization from the Commissioner, by:
1) a legally binding act drawn up between public authorities;
2) standard data protection clauses drawn up by the Commissioner in compliance with Article 45 of this Law, which fully regulate the legal relationship between the controller and the processor;
3) binding corporate rules in compliance with Article 67 of this Law;
4) an approved code of conduct pursuant to Article 59 of this Law, together with the binding and enforceable implementation of adequate safeguards, including as regards data subjects’ rights, by the controller or processor in another country or international organization;
5) issued certificates referred to in Article 61 of this Law, together with commitments undertaken to apply adequate safeguards, including regarding data subjects’ rights, by the controllers or processors in another country or international organization.
Adequate safeguards referred to in paragraph 1 of this Article can additionally be provided for based on a special authorization of the Commissioner by:
1) contractual clauses between the controller or processor and the controller, processor, or recipient in another country or international organization;
2) provisions to be inserted into an agreement between public authorities that ensure the effective and enforceable protection of the data subject’s rights.
The Commissioner grants the authorization referred to in paragraph 3 of this Article within 60 days from the submission date of the application for authorization.
The provisions of paragraphs 1 through 4 of this Article do not apply to the transfer of data processed by the competent authorities for special purposes.
Transfers of Data Processed by the Competent Authorities for Special Purposes, with Application of Adequate Protection Measures
Article 66
If the processing is performed by the competent authorities for special purposes, the transfer of personal data to another country, a part of its territory, or one or multiple sectors of specified activities in such country or to an international organization for which the existence of an adequate level of protection has not been determined by the list referred to in Article 64, paragraph 7 of this Law will be permitted in one of the following cases:
1) If adequate safeguards for personal data are provided for in a legally binding act;
2) If the controller has assessed all the circumstances relating to the transfer of personal data and has determined that adequate safeguards for the personal data exist.
The controller is obliged to notify the Commissioner of the transfer, which is performed based on paragraph 1, item 2) of this Article.
The controller is obliged to document the transfer performed based on paragraph 1, item 2) of this Article, as well as to make the documentation on such transfer available to the Commissioner at their request.
Documentation on the transfer referred to in paragraph 3 of this Article will include information on the date and time of transfer, the competent authority that receives the data, the reasons for the transfer, and the data transferred.
Binding Corporate Rules
Article 67
The Commissioner shall approve binding corporate rules, provided that such rules taken together fulfill the following conditions:
1) they are legally binding, they apply to and are enforced by every member concerned of the multinational company or a group of undertakings, including their employees;
2) they expressly provide for the exercise of the rights of data subjects regarding the processing of their personal data;
3) they fulfill the conditions laid down in paragraph 2 of this Article.
The binding corporate rules referred to in paragraph 1 of this Article must determine at least:
1) the structure and contact details of the multinational company or the group of undertakings, as well as of each of its members;
2) the transfer or sets of transfers of personal data, including the types of personal data, the types of processing activities and their purposes, the type of data subjects affected and the name of the country to which data is transferred;
3) the legally binding nature of the corporate rules, both internally within a multinational company or a group of undertakings and externally;
4) the application of the general data protection principles, in particular processing purpose limitation, data minimization, limited storage periods, data integrity, permanent data protection measures, the legal basis for processing, processing of special types of personal data, measures to ensure data security, and the requirements in respect of onward transfers of personal data to other persons or bodies which are not bound by the binding corporate rules;
5) the rights of data subjects regarding the processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 38 of this Law, the right to file a complaint with the Commissioner, i.e. an action before the court in accordance with Articles 82 and 84 of this Law, as well as the right to obtain compensation for a breach of the binding corporate rules;
6) the acceptance by the controller or processor with the domicile, residence, or seat in the territory of the Republic of Serbia of liability for any breach of these rules committed by any other member of the group who does not have the domicile, residence or seat in the territory of the Republic of Serbia, except if the controller or processor demonstrates that such other member of the group is not liable for the event that has given rise to the damage;
7) how the information on the binding corporate rules, in particular on the provisions of items 4) through 6) of this paragraph, is provided to the data subjects, in addition to the provision of other pieces of information referred to in Articles 23 and 24 of this Law;
8) the authorizations of the data protection officer, designated in compliance with Article 58 of this Law, or of any other person authorized to supervise the implementation of the binding corporate rules within a multinational company or a group of undertakings, including supervision over training and decision-making on the complaints within a multinational company or a group;
9) the complaint procedure;
10) the mechanisms within a multinational company or a group of undertakings for verifying compliance with the binding corporate rules. Such mechanisms include data protection audits and corrective actions to protect the data subject’s rights. Results of such verification must be communicated to the person referred to in item 8) of this paragraph, as well as to the governing body of the multinational company or group of undertakings, and must be made available to the Commissioner as well, at their request;
11) the method of reporting and maintaining records on changes to the binding corporate rules and the method of notifying those changes to the Commissioner;
12) the cooperation method with the Commissioner to ensure implementation of the binding corporate rules by any member of the multinational company or a group of undertakings individually, in particular the method of making available to the Commissioner the results of verifications referred to in item 10) of this paragraph;
13) the method of reporting to the Commissioner on the legal obligations to which the member of the multinational company or the group of undertakings is subject in another country, which could have a substantial adverse effect on the guarantees provided by the binding corporate rules;
14) the appropriate data protection training for persons with permanent or regular personal data access.
The Commissioner may regulate the method of exchange of information between the controllers, processors, and the Commissioner in application of paragraph 2 of this Article in more detail.
If the conditions referred to in paragraph 1 of this Article are fulfilled, the Commissioner will approve the binding corporate rules within 60 days of submitting the application for approval.
Provisions of paragraphs 1 through 4 of this Article do not apply to the transfer of data processed by the competent authorities for special purposes.
Transfer or Disclosure of Personal Data Based on a Decision of an Authority of Another Country
Article 68
Decisions of a court or an administrative authority of another country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforced in the Republic of Serbia if they are based on an international agreement, such as a mutual legal assistance treaty concluded between the Republic of Serbia and such other country, which is without prejudice to other grounds for transfer pursuant to the provisions of this Chapter of the Law.
Paragraph 1 of this Article does not apply to the transfer of data processed by the competent authorities for special purposes.
Transfer of Data in Special Situations
Article 69
If the transfer of personal data is not performed in compliance with the provisions of Articles 64, 65, and 67 of this Law, such data can be transferred to another country or international organization only in one of the following cases:
1) the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of a decision on adequate protection level and appropriate safeguards;
2) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the request of the data subject;
3) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
4) the transfer is necessary for the reason of an important public interest prescribed by the law of the Republic of Serbia, providing that the transfer of individual types of personal data is not restricted by this Law;
5) the transfer is necessary for the submission, exercise, or defense of legal claims;
6) the transfer is necessary to protect the vital interests of the data subject or of another natural person, if the data subject is physically or legally incapable of giving consent;
7) the transfer is made of individual pieces of personal data comprised in a public register, which is available to the public or to any person which can demonstrate a legitimate interest, but only to the extent that the conditions laid down by the law for inspection in such special case are fulfilled.
If the transfer may not be performed in compliance with paragraph 1 of this Article and Articles 64, 65, and 67 of this Law, personal data may be transferred to another country or to an international organization only if the following conditions are jointly fulfilled:
1) the transfer of data will not be repeated;
2) data of a limited number of natural persons is being transferred;
3) the transfer is necessary in order to achieve a legitimate interest of the controller which is overriding the interests and/or the rights or freedoms of the data subjects;
4) the controller has ensured the application of adequate protection measures for the personal data based on a prior assessment of all the circumstances relating to the transfer of such data.
The controller and/or processor is obliged to provide proof in the records on the processing activities referred to in Article 47 of this Law on the assessment performed and on application of adequate protection measures referred to in paragraph 2, item 4) of this Article.
The controller is obliged to notify the Commissioner of the transfer of data performed in compliance with paragraph 2 of this Article.
The controller is obliged to provide the data subject with the information referred to in Articles 23 and 24 of this Law, as well as information on the transfer of data referred to in paragraph 2 of this Article, including information on the controller’s specific legitimate interest that is being realized by such transfer.
The transfer of data referred to in paragraph 1, item 7) of this Article may not pertain to all pieces of personal data or to complete types of personal data contained in the register.
If the data from the register is intended to be available only to the persons having a legitimate interest, in compliance with paragraph 1, item 7) of this Article, the transfer may be made only at the request of those persons or if those persons are to be the recipients of data.
Provisions of paragraph 1, items 1) through 3) and paragraph 2 of this Article do not apply to the activities of public authorities in the performance of their competencies.
Provisions of paragraphs 1 through 8 of this Article do not apply to the transfer of data processed by the competent authorities for special purposes.
Special Situations Regarding the Transfer of Data Processed by the Competent Authorities for Special Purposes
Article 70
If the transfer of personal data processed by the competent authorities for special purposes is not carried out in compliance with the provisions of Articles 64 and 66 of this Law, such data can be transferred to another country or to an international organization only if such transfer is necessary in one of the following cases:
1) to protect the vitally important interests of the data subject or of another natural person;
2) to protect the legitimate interests of the data subjects, if that is provided for by the law;
3) to prevent an imminent and serious threat to the public safety of the Republic of Serbia or another state;
4) in an individual case, if it is a case of processing for special purposes;
5) in an individual case, with the aim to submit, exercise, or defend a legal claim if such aim is directly related to special purposes.
The transfer of personal data cannot be performed if the competent authority performing the transfer determines that the public interest referred to in paragraph 1, items 4) and 5) of this Article is overridden by the interest of protecting the fundamental rights and freedoms of the data subjects.
The competent authority is obliged to document the transfer performed based on paragraph 1 of this Article and make such documentation available to the Commissioner at their request.
The documentation on transfer referred to in paragraph 3 of this Article includes information on the date and time of the transfer, the competent authority receiving the data, the reasons for the transfer, and the data transmitted.
Transfer of Data Processed by the Competent Authorities for Special Purposes to a Recipient in another Country
Article 71
By way of exception from the provision of Article 63, paragraph 2, item 2) of this Law and irrespective of the application of the international agreement referred to in paragraph 2 of this Article, the competent authority processing the data for special purposes may directly transfer the personal data to a recipient in another country only if other provisions of this Law are complied with and if the following conditions are jointly met:
1) the transfer is necessary for the exercise of a legal authorization of the competent authority which is carrying out the transfer for special purposes;
2) the competent authority that is carrying out the transfer has established that the interest of the protection of fundamental rights or freedoms of the data subjects is not overriding the public interest for the protection of which data transfer needs to be carried out;
3) the competent authority that is carrying out the transfer considers that the transfer to the competent authority in another country for special purposes is inefficient or that it does not correspond to the achievement of such purposes, and in particular if the transfer cannot be carried out in due time;
4) the competent authority in another country is without undue delay notified of the transfer, unless such notification is inefficient or does not correspond to the achievement of the purpose;
5) the competent authority carrying out the transfer has notified the recipient in another country of the purposes of data processing, as well as that the processing can only be carried out for such purposes, by the recipient only and only if such processing is necessary.
The international agreement referred to in paragraph 1 of this Article is any agreement concluded between the Republic of Serbia and one or more other countries, that regulates cooperation in criminal matters or police cooperation.
The competent authority carrying out the transfer is obliged to notify the Commissioner of the transfer carried out based on paragraph 1 of this Article.
The competent authority is obliged to document the transfer carried out based on paragraph 1 of this Article, as well as to make such documentation available to the Commissioner, at their request.
The documentation on transfer referred to in paragraph 4 of this Article shall include information on the date and time of the transfer, the recipient of data, the reasons for transfer and the data transmitted.
International Cooperation Regarding Personal Data Protection
Article 72
The Commissioner takes appropriate measures in relations with the authorities competent for the protection of personal data in other countries and international organizations with a view to:
1) developing international cooperation mechanisms to facilitate the effective enforcement of laws relating to personal data protection;
2) providing international mutual assistance in the enforcement of laws relating to personal data protection, including through notification, referral to protection procedures and legal assistance in supervision, as well as exchange of information, subject to appropriate safeguards for the protection of personal data and fundamental rights and freedoms;
3) engaging stakeholders in discussions and activities aimed at the development of international cooperation in the enforcement of laws relating to personal data protection;
4) fostering and promoting the exchange of information on personal data protection legislation and its application, including on the issues of jurisdictional conflicts with other countries in this field.