
New official opinion on the Cross-Border Transfer of Personal Data in Serbia

September 2017 – On 14 August 2017, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection (“the Commissioner”) issued, at the request of the American Chamber of Commerce in Serbia, a new opinion in relation to the transfer of personal data outside of Serbia. This opinion has clarified the relatively new position of the Commissioner, according to which the necessity of filing for prior approval for cross-border data transfer depends on the location of the first server on which data is stored after being transferred from Serbia.

Under the current Personal Data Protection Law, personal data may be transferred outside of Serbia without prior approval of the Commissioner only to a country that is a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“the Convention”). The Convention was ratified by all members of the Council of Europe, with the addition of Mauritius, Senegal, Tunisia and Uruguay.

In cases where personal data collected in Serbia is being transferred to a country that is not party to the Convention (in most cases data is transferred to the US or India), the data controller must obtain prior approval of the Commissioner for such cross-border transfer of personal data. The procedure for issuing such approval is not sufficiently regulated under the current Personal Data Protection Law, which caused many uncertainties in practice in the past and contributed to delays of a year or more before receiving the approval.

There have been many situations in practice where data, before reaching its final destination, would pass through other countries, and this raised the question whether it is necessary to acquire prior approval of the Commissioner if data is transferred from Serbia to a country which is party to the Convention first and then from that country to a country which is not party to the Convention. At a recent public gathering, the Commissioner announced that in such cases, as of the beginning of this year, requests for such prior approvals were rejected, as the Commissioner declared that such cases are outside its jurisdiction.

The new official opinion confirms a change of approach. The Commissioner now states that a data controller must obtain prior approval for the cross-border transfer of data only if data is being transferred directly to a country that is not a party to the Convention. This means that if data, upon leaving Serbia, is first stored on a server which is located, for example, in Ireland, and is then further transferred to a server in the US, it will not be necessary to acquire prior approval of the Commissioner, even if it is known in advance that the data will be processed in the US in the end.

The Commissioner explained in its opinion that, when data is transferred from Serbia to a country that is party to the Convention, the further transfer of such data is governed by the laws of the country to which the data was initially transferred. This means that a potential decision on approval of such further transfer falls within the jurisdiction of the data protection authority in the country to which data was initially transferred, and not within the jurisdiction of the Commissioner in Serbia.

The Commissioner’s opinion should, hopefully, decrease the workload of the Commissioner’s office, as it is expected that many data controllers will not apply for cross-border transfer approval if they can meet the condition that the first server on which data is stored upon leaving Serbia is located within the European Union. This expected decrease in workload might also shorten the current long wait for cross-border transfer approvals while we wait for a new law on personal data protection to be finally adopted. However, as it turns out, the wait for a new law might also be a long one. Namely, the reply letter of the Commissioner, sent to the Prime Minister of Serbia and published on the official website of the Commissioner on 30 August 2017, implies that the Model of Personal Data Protection Law, which the Commissioner’s office carefully and meticulously prepared, taking into consideration numerous comments from the expert community, will most probably not be adopted as such by the Government and introduced into the formal legislative procedure, but might eventually serve as the basis for the work of a new working group formed by the Serbian Ministry of Justice.

We will continue to follow this issue as events unfold. For more information, contact Dragana Bajić, Managing Associate, at .