GDPR challenges for Serbian businesses and IP registries

The General Data Protection Regulation (Regulation 2016/679, 2016 OJ (L 119) 1) (GDPR) entered into force on May 25 2018. One of the major changes introduced by the GDPR is that it applies to businesses located outside the European Union if they are processing the personal data of data subjects who are in the European Union, under certain conditions. The GDPR imposes quite a challenge to companies based in Serbia whose activities fall under its scope, as they are obliged to comply with both local law and GDPR requirements.

Business challenges
The Serbian Personal Data Protection Act (PDPA) was enacted in 2009 and has not been subject to substantial change until now. It contains outdated provisions and is silent on many topics regulated by the GDPR. For example, the PDPA does not oblige businesses to appoint a data protection officer, to conduct privacy impact analysis of their data processing or to adopt privacy policies. The PDPA also does not regulate behavioural marketing, big data analytics, profiling, the Internet of Things and many other aspects of the everyday business activities of companies across different sectors. Although the PDPA’s general rules regarding data processing do apply to these areas, they are not sufficient to reliably regulate these matters, particularly in comparison with the GDPR.

Businesses operating in Serbia that fall under the application of the GDPR must adjust their activities to the GDPR requirements, primarily their online activities. Privacy policies, use of cookies and other tools for customer profiling and targeting, which are not regulated by the current Serbian data protection legislation, must be in line with the GDPR requirements.

IP implications
The application of the GDPR relates to a data subjects’ right of access to the processed data and limitations to this right. Data subjects’ right of access could lead to the disclosure of a company’s IP rights or know-how, depending on the content of the subject’s request. Fortunately, the GDPR regulates such requests, allowing access to the processed data only where it does not adversely affect the rights and freedoms of others.

The GDPR also affects the availability of personal data contained in official IP registers, such as the online database of trademark owners or the register of the national domain names, both of which may contain personal data. In order to comply with the GDPR, these registers must adapt to simultaneously allow access to the registries and protect personal data contained therein.

Comment
Although the GDPR is applicable only to data subjects from the European Union, it is likely that Serbian businesses which must comply with the GDPR will implement its standards, even when processing data of those not located in the European Union.

There are indications that this double regulatory regime for data protection, which will be imposed on a significant number of entities in Serbia, may not last for long; the GDPR has triggered the need for a new, up-to-date legal regime for data protection within Serbia. Several new drafts of the Personal Data Protection Act have been discussed, with the latest one containing the majority of solutions prescribed by the GDPR. The compliance requirements related to the processing of personal data in Serbia will therefore be similar to EU requirements.