Date: 05/07/2019

Briefing Session on Implementation of the Personal Data Protection Law

With less than two months remaining until implementation of the new Personal Data Protection Law begins on 21 August 2019, AmCham organized a well-attended roundtable for its members in which they discussed the legal, technical and organizational aspects of this law’s implementation.

Participating in the roundtable were Milica Basta from the law firm BDK, Milan Nikolić from Telenor and Marko Marjanović from Microsoft, who shared their vision of the new law with members. The discussion was led by Miloš Stojković, president of the AmCham Committee for the Digital economy.

The round table started with the panelists providing a review of the existing legal framework, the basic concepts and obligations in the personal data protection field and the consequences of recently adopted by-laws in this area. Speaking about changes related to the upcoming data protection regime, Milica Basta emphasized the importance of introducing legitimate interest as the new basis for data processing and pointed out that consent for data processing does not need to be provided exclusively in writing. She also briefly presented the abolition of the procedure whereby a request for data files is reported to the Commissioner and its replacement with internal procedures which oblige managers and data processing staff involved in internal record keeping processing operations to implement a procedure to assess the impact of processing personal data, seeking the Commissioner's preliminary opinion, as well as informing the Commissioner and others about data protection infringements.

Participants also discussed how companies can align their business processes with the new legal framework, with Milan Nikolić listing the four elements of sustainable management systems for personal data – staff training, communication with users, data protection measures and timely resolution of complaints and incidents.
Marko Marjanović provided some technical solutions for the protection of personal data and introduced tools to enable and facilitate the implementation of geofencing for the territory of the EU, software for classification of documents containing personal data, access data / system logs etc.

Regarding the presentation of data, discussion took place on the conditions data controllers must meet in order to export data from Serbia legally, given that many companies in Serbia export data on their customers and employees as part of their business. In this regard, the lack of a requirement for special authorization from a supervisory authority in order to export data was highlighted. The Government of the Republic of Serbia has not decided which countries data can be exported to without authorization, and the supervisory authority has not adopted standard contractual clauses for the transfer of data abroad.