Personal Data Protection in Serbia and GDPR Comparative Practice

Modern business operations are such that almost every company handles personal data, whether of employees, candidates, clients, or service users.
Despite this, several years after the implementation of the General Data Protection Regulation (GDPR) and the Law on Personal Data Protection, legal practice in Serbia still shows significant inconsistencies in the application of personal data protection regulations.
As lawyers who face these challenges daily, we have noticed that many clients continue to misunderstand the scope of their obligations or entirely neglect compliance requirements. This can be dangerous.

Although Serbia lacks subordinate legislation that would further clarify the Law on Personal Data Protection (which is based on GDPR), the law nonetheless imposes obligations on anyone who collects, stores, or processes personal data in any way. Non-compliance can lead to severe penalties—both financially and reputationally.

Legal Framework of Data Protection in Serbia

Serbia adopted the Law on Personal Data Protection (ZZPL), which harmonizes domestic law with European standards to some extent. However, unlike the EU’s detailed regulations, our law remains quite general, lacking sufficiently precise guidance for practical application.
This regulatory gap allows varied interpretations. In practice, this often results in inconsistent application. It is especially problematic that the necessary subordinate legislation has not been enacted.

Do you process personal data?

Most employers instinctively answer “no,” stressing that they do not sell or forward data, do not manage customer databases, and do not use a CRM system.
However, if you maintain employee records, store résumés, contracts, medical certificates, email addresses, or phone numbers—you are processing personal data.
Under the law, the processing of personal data includes any action performed on that data—recording, storing, accessing, modifying, deleting, organizing, copying—whether automated or not. Therefore, even if you merely have an Excel spreadsheet with employee data, you are subject to the law. Thus, any legal entity that employs workers is automatically a data controller.
There is no “passive” data storage exempt from the law.

What qualifies as “personal data”?

Personal data is not limited to names and surnames. The law also protects:

· Unique identification numbers (e.g., JMBG), home address, passport or ID number

· Email addresses, IP addresses, geolocation data

· Photographs, video footage, biometric and health data

· Bank account details, card data, as well as internal HR records

Every employer is subject to the law simply by maintaining employee documentation, using video surveillance, conducting job postings, or communicating via email marketing.

When does GDPR apply, and when does Serbia’s Law apply?

· GDPR applies when processing data of individuals residing in the EU, regardless of where your company is based.

· Serbia’s Law on Personal Data Protection (ZZPL) applies when processing data of individuals living in Serbia.

Thus, the key criterion is not company location, but where the individuals whose data you process reside.

Practical examples

· Case 1: A Serbian IT company developing an application for a German firm must comply with GDPR because the application will be used by persons in the EU, even though the developer is in Serbia.

· Case 2: An international corporation headquartered in the EU but with a local office in Serbia must comply with ZZPL for its employees in Serbia, even if they are EU citizens.

· Case 3: An e-commerce site registered in Serbia selling goods across the region must apply GDPR to EU customers and ZZPL to domestic customers.

These examples show that the distinction between GDPR and ZZPL is fluid, and companies must keep this in mind. People move constantly—not just across borders, but also across the internet, leaving their data everywhere in the world.

What is not personal data processing?

Neither GDPR nor ZZPL applies to:

· Personal contacts saved by individuals for private purposes (e.g., phone contacts, personal email accounts)

· Anonymous data (if individuals cannot be identified at all)

· Unstructured, disorganized records (though in practice the boundary is unclear—what truly qualifies as unstructured?)

Data controller obligations—what does the Law on Personal Data Protection require?

The law establishes six fundamental principles that every data controller must observe:

1. Transparency – Clear notice about what data you collect, for what purpose, for how long, and on what legal basis (e.g., privacy policy on website, clause in contract).

2. Purpose Limitation – Collect only data necessary for a specific, clearly defined purpose (e.g., for employment contracts or order delivery). Sending marketing messages without explicit consent is prohibited.

3. Data Minimization – Collect only what is genuinely needed. Many websites request unnecessary information “just in case,” which breaches this principle.

4. Accuracy – Update and correct inaccurate data. This is particularly important for long-term employee or client databases. Old data no longer needed should be properly deleted.

5. Storage Limitation – Define retention periods. Data must not be kept longer than necessary (e.g., video surveillance footage should not be stored indefinitely). Internal policies must clearly set storage durations for each data category.

6. Security – Implement technical and organizational measures. Data must be protected from unauthorized access and available only to authorized personnel. This includes encryption, access control, as well as staff training.

Penalties for non-compliance

A significant difference between GDPR and our law lies in the fines. While EU regulations allow fines up to 20 million euros or 4% of annual turnover, the maximum fine in Serbia is 2 million dinars.
However, the risk should not be underestimated. The Commissioner for Information of Public Importance is increasing enforcement, and fines are being issued more frequently. Moreover, companies operating internationally may be subject to European legislation, meaning GDPR and its strict penalties.

How to comply with Serbia’s Law on Personal Data Protection?

1. Inventory all activities in which your company collects data, from HR and client databases to web analytics. Many clients are surprised at the extent of data processed.

2. Implement internal procedures and policies (e.g., Privacy Policy, Data Protection Rules). These must be functional, not just formal.

3. For each data category, determine the legal basis for processing: consent, contract, legal obligation, or legitimate interest. Each basis carries different requirements.

4. Train employees on basic obligations related to data handling.

5. Introduce technical security measures: password-protected access, encryption, locked filing systems. There is no universal solution; each business needs an individual approach.

6. If any step is unclear or complicated, consult a lawyer for interpretation of the legal provisions in your specific case.

Conclusion

Personal data protection is no longer optional—it’s mandatory. Companies routinely handle sensitive personal information, whether of employees, candidates, or users.
The EU constantly evolves its GDPR enforcement practices, and Serbia, as an EU candidate, must harmonize its own practices. Increased enforcement and higher fines are expected.
Ignorance of the law does not exempt from responsibility. Don’t wait for the authorities. If you’re not sure whether your company complies with Serbia’s Law on Personal Data Protection and GDPR—now is the time to verify.

Law Firm Petrović Mojsić & Partners