The company that collects personally identifiable information, prior to collection, is obliged to inform the persons to whom the data relate about their identity and about relevant circumstances about collecting and processing of data (further: Data).
In accordance with the Law on Personal Data Protection (hereinafter: the Law), personal information is any information pertaining to a natural person, regardless of the form in which is expressed and regardless on the information carrier (paper, tape, film, electronic media and sl.).
The consent for the processing of the data must be given in a written form, which contains the indication of the data being processed, the purpose of the processing and the manner of its use.
Each company that collects Data has the following obligations:
- To establish and keep a database which, among other things, contains all the above information;
- To provide the Commissioner with a notice of intention to establish a database, prior the establishment;
- To inform the Commissioner about the beginning of data collection.
Supervision over the implementation and compliance of the Law is in the Jurisdiction of the Commissioner for information of public importance.
In case of non-compliance with the provisions of the law, fines ranging from 50,000 to 1,000,000 dinars are prescribed.
We underline that the area of personal data protection is in development and in the process of harmonization with European legislation. In the forthcoming period, amendments to laws and by-laws are expected. Also, in May 2018, a new General Data Protection Regulation (GDPR) will come into force in the countries of the European Union. GDPR made significant changes of this legal area on the territory of the EU. This Regulation also provides the so-called extraterritorial effect, which means that it also applies in non-EU companies, if in their business they process data on the territory of the EU. We will see how the legislator in Serbia will implement the provisions of GDPR.