Data & Privacy · Serbia

Comprehensive law: Law on Personal Data Protection (Official Gazette of the Republic of Serbia No. 87/2018), effective 21 August 2019; supervised by the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik)

Serbia has a comprehensive, GDPR-aligned data protection law in force since August 2019, adopted as part of its EU accession obligations. The Commissioner (Poverenik) serves as the independent supervisory authority, with powers to investigate, issue corrective orders and impose fines. A working group was formed in January 2025 to draft a new or substantially amended law covering gaps such as cookies, video surveillance, AI, and biometric data.

Primary legislation

The Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, Official Gazette No. 87/2018) entered into force on 21 August 2019. It mirrors the GDPR's core architecture: lawful-basis requirements, data-subject rights (access, rectification, erasure, portability, objection), privacy-by-design, data-protection impact assessments, and breach notification obligations.

Supervisory authority

The Commissioner for Information of Public Importance and Personal Data Protection (Poverenik) is the independent national DPA. It is empowered to conduct inspections (over 1,280 supervisory inspections reported in recent years), receive complaints, issue binding corrective orders, and impose fines directly.

DPO requirement

Controllers and processors must appoint a Data Protection Officer when processing is carried out by a public authority, or when core activities involve regular and systematic large-scale monitoring of data subjects, or large-scale processing of special categories of personal data — closely tracking GDPR Article 37.

Sanctions

Violations constitute misdemeanours: fines for legal entities range from RSD 50,000 to RSD 2 million (approx. EUR 425–17,000). The Commissioner may also impose fixed administrative fines (approx. EUR 850) for specific procedural breaches such as failing to publish DPO contact details. Enforcement is active but penalties remain modest compared to EU GDPR maximums.

Cross-border data transfers

Serbia has not received an EU adequacy decision. International transfers rely on standard contractual clauses or other safeguards under the Law on Personal Data Protection (PDPA). Transfer impact assessments are required for transfers to countries without equivalent protection, and CJEU rulings (e.g. Schrems II) are treated as persuasive authority by Serbian regulators.

Law reform in progress

In January 2025 a government working group began drafting a new or significantly amended PDPA. Priority areas include explicit regulation of cookies, video surveillance, AI-system data processing, and biometric/genetic data — gaps identified under the National Data Protection Strategy 2023–2030 adopted by the Serbian Government in August 2023. No new law has been enacted as of May 2026.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.