What is GDPR and why are companies possibly facing 20mln EUR fines come May?

25th May, 2018 is the date that every company engaged in personal data processing should remember, because, on this date, the new General Data Protection Regulation (GDPR) comes into force. The penalties for breaching this regulation can run up to 20 million EUR.

To that end, the Commissioner for Information of Public Importance and Personal Data Protection, Rodoljub Sabic, hosted the International Conference on 17th and 18th April 17, with the most eminent experts in this field participating, with a view to informing the public about the importance of GDPR and raising awareness of how this act will affect individuals.

What is GDPR?

The General Data Protection Regulation (GDPR) is actually a new legal framework that determines the way in which the personal data of EU citizens is used.

Under this act, any organization that processes data that pertains to both the EU and non-EU citizens, who live on the border with the EU, will have to comply with the new rules on personal data protection. This regulation specifically targets executives at different companies.

It also applies to companies outside of the EU

It is important to note that the GDPR also applies to companies whose headquarters are outside the territory of the European Union, as is the case with our companies. The act covers all Member States, and new technologies, such as mobile applications and social networks.

The fact is that everyone who resides on the territory of the European Union is protected by GDPR.

What kind of data is protected?

Any data that enables access to physical persons is covered by this regulation. This could be personal ID numbers (called JMBG in Serbia), email addresses, access to different websites, phone numbers and similar, which contain not only the data on a certain person, but also the information on how to reach them.

To whom does the regulation apply?

This regulation applies to all companies whose clients/users are located in the European Union, and these are primarily marketing agencies that monitor consumers in the European Union, online and marketing businesses, and numerous IT companies.


GDPR was adopted in 2016, and companies were given a two-year period to adapt to this innovative system, which is not that easy to use since there is no law that regulates data protection in our country, especially a law that is in compliance with the GDPR rules. Therefore, many companies are still in doubt whether these regulations apply to them, and are particularly concerned about how to access it.

The most serious breach, under this regulation, is a violation of the rights of natural persons. Natural persons have the right to data transparency, the ability to inspect their data, and also the right to change the data if there is an error.

If something goes wrong, the fines are rather draconian for the most serious violations and amount to 20 million EUR, or 4% of the company’s global annual revenues, whichever is higher. Lesser penalties amount to 10 million EUR, or 2% of the annual revenue. There are also other penalties that are lower, depending on the data breach. The penalties are not the same, for instance, for hospital data and for some less important data.

One of the conference speakers was also Anto Rajkovaca, Director of the Croatian Personal Data Protection Agency, who talked about personal data protection officers.

“In 2012, we launched the position of a personal data protection officer in Croatia and currently there are around 3,000 in our country. Their responsibility is to care for the legality of data processing, that is, whether the regulation and other related acts are adhered to, and to warn company executives of the necessity of implementing this regulation”, Rajkovaca said and added that personal data protection officers must be skilled to act in a variety of situations and have a wide knowledge about the national and European data protection law, as well as the knowledge of the business sector in which their companies operate.

Other conference speakers included Professor Milan Kukrika, Doctor Djordje Krivokapic from the Faculty of Organizational Sciences in Belgrade, Eduard Raducan, Director of the National Center for the Protection of Personal Data of the Republic of Moldova, H.E. Mr. Andrea Orizio, Head of the OSCE Mission to Serbia, and other prominent experts in the field of data protection.

(Blic, 18.04.2018)




