A large number of companies in Serbia have not yet determined whether they need to abide by the European Union’s general data protection regulation (GDPR), which will come into force on 25th May.
It is not yet known what kind of changes this regulation will impose on businesses in Serbia.
Although the GDPR, adopted by the European Parliament on 14th June, 2016, is a regulation that is primarily applicable in the EU, certain provisions will be applied to both legal and natural persons from non-EU countries if they meet certain conditions.
According to Marija Milojevic from KPMG, this regulation is applicable outside the EU territory in case personal data processing is related to the provision of goods or services to persons in the EU or the monitoring of their behaviour.
Among other things, the provisions stipulate that such companies should have a representative in the EU who will be in charge of certain data protection issues, and that in certain cases they must keep records of their personal data processing activities.
As Serbia is not on the European Commission’s list of the countries that have to implement adequate personal data protection measures, the GDPR prescribes having additional safeguards if EU data ends up in Serbia (contractual clauses, codes of conduct, mandatory corporate rules), Milojevic adds.
The GDPR stipulates fines of up to 20 million euros, or 4.0 percent of the company’s global annual revenue in the event of the violation of certain provisions.
However, these penalties will not be applied by the relevant authorities in Serbia; therefore, it is the EU companies that will bear the risk, because the EU authorities are in charge of supervising the regulation and imposing penalties.
It is worth noting that, due to the potential risks to them, the EU companies are unlikely to want to cooperate with Serbian companies that do not abide by the GDPR to the extent that it is needed, says Marija Milojević.
She adds that the Draft of the new Law on Personal Data Protection largely coincides with the provisions of the GDPR, and if it is adopted by year end, companies in Serbia will have to abide by almost the same personal data protection provisions as all legal and natural persons from the EU.
Milojevic specifies that, among other things, this also implies that companies engaged in personal data protection must appoint a person who will deal solely with this issue, as well as the obligation to keep a uniform register and to report every detected violation within 72 hours.
“Practice shows that many companies had no-one to deal with personal data and its protection, and that in large systems, services are decentralized, with some data stored on paper and some on the company’s server,” says Milojevic.
Therefore, she says, companies first need to analyze the existing situation and interview all the services that process and store personal data, in order to determine which data is stored on paper and which in electronic form, in the country and abroad.
According to Milojevic, in terms of personal data protection systems in Serbia, banks are the most advanced as they are often targeted by high-tech criminals. For instance, they implement specific tools that could identify unauthorized access and use of personal data.
Another important development in information security is the fact that many insurance policies now cover cyber crime, as insurance companies often guarantee compensation of damages to their clients if the safety of their personal data is breached, Milojevic added.