This page is intended for foreign companies that are establishing or operating a business in Serbia and need to understand their data protection obligations under Serbian law. Whether the company processes employee data, customer data, website visitor data, or handles data transfers between Serbia and its parent company’s jurisdiction, compliance with Serbia’s data protection framework is a legal requirement with practical consequences.
Serbia’s data protection law — the Personal Data Protection Act (Zakon o zaštiti podataka o ličnosti, commonly referred to as the PDPA), effective since August 21, 2019 — is substantially aligned with the EU’s General Data Protection Regulation (GDPR). For companies that are already GDPR-compliant, the transition to Serbian compliance is largely familiar. For companies that are not yet operating under a GDPR-equivalent framework, the Serbian PDPA imposes a modern, comprehensive data protection regime that requires structured compliance measures.
The practical enforcement environment in Serbia remains less aggressive than in the EU — maximum fines are currently capped at approximately EUR 17,000, compared to the GDPR’s EUR 20 million / 4% of global turnover. However, this is expected to change. Serbia’s Data Protection Strategy for 2023–2030 explicitly contemplates increasing penalties to GDPR-comparable levels, and the Commissioner’s enforcement practice has become increasingly fact-specific and outcome-oriented since 2025. Foreign companies are advised to treat Serbian data protection compliance seriously from the outset, not only because enforcement is tightening, but because EU-headquartered parent companies and counterparties increasingly require their Serbian subsidiaries and service providers to demonstrate GDPR-equivalent compliance.

The PDPA mirrors the GDPR in almost all substantive aspects. The key principles, rights, and obligations are directly transposed from the EU regulation, including lawfulness, fairness, and transparency of processing; purpose limitation and data minimisation; accuracy and storage limitation; integrity and confidentiality; and accountability. The PDPA defines personal data, data subjects, controllers, processors, and other key concepts in terms identical or closely equivalent to the GDPR. For companies already familiar with GDPR terminology and obligations, the Serbian framework will be immediately recognisable.
Despite the close alignment, several practical differences exist:
The Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) is the independent supervisory authority responsible for monitoring and enforcing the PDPA. The Commissioner has investigative powers (including on-site inspections), corrective powers (including orders to cease processing, delete data, or bring operations into compliance), and advisory powers. The Commissioner’s annual reports, published since 2020, provide increasingly detailed guidance on enforcement priorities and interpretive positions.
The PDPA applies to the processing of personal data in the context of the activities of a controller or processor that has a “business seat” (registered office) in Serbia, regardless of whether the processing itself takes place in Serbia. This means that a Serbian subsidiary of a foreign company is subject to the PDPA for all personal data it processes, even if the data is stored on servers outside Serbia or processed by the parent company’s systems in another jurisdiction.
The PDPA also applies to controllers and processors outside Serbia that process personal data of individuals in Serbia, if the processing relates to offering goods or services to individuals in Serbia, or monitoring the behaviour of individuals in Serbia. This mirrors the GDPR’s extraterritorial scope and is relevant for foreign companies that sell to Serbian customers or track Serbian users online without having a local entity.
The PDPA recognises six legal bases for processing personal data, directly transposed from the GDPR: consent, performance of a contract, legal obligation, vital interests, public interest, and legitimate interests. For most foreign companies operating in Serbia, the most commonly relied-upon bases are performance of a contract (for customer and supplier data), legal obligation (for employee data, tax reporting, regulatory compliance), and legitimate interests (for business-to-business marketing, security monitoring, and operational analytics).
Consent is required where no other legal basis applies, and must meet the same standards as under the GDPR: freely given, specific, informed, and unambiguous. Consent obtained through pre-ticked boxes, bundled conditions, or ambiguous language is not valid.
For foreign companies hiring employees in Serbia, employee data processing is one of the most immediate compliance requirements. Employers process significant volumes of personal data: identification documents, employment contracts, salary information, health data (sick leave certificates), performance evaluations, disciplinary records, and surveillance data (if CCTV or monitoring systems are in place). Each category of data requires a valid legal basis, and employees must be informed about how their data is processed through a privacy notice.
The Commissioner has identified employee data processing as a key enforcement priority, with particular attention to video surveillance in the workplace (which requires a data protection impact assessment), monitoring of employee communications and internet usage (which must be proportionate and transparently disclosed), and processing of health-related data (which is subject to enhanced protections as special category data).
The PDPA requires the appointment of a Data Protection Officer in the same circumstances as the GDPR: when the controller is a public authority, when the core activities involve regular and systematic monitoring of data subjects on a large scale, or when the core activities involve large-scale processing of special categories of data. The DPO does not need to be based in Serbia and does not need specific Serbian qualifications — the requirement is professional knowledge of data protection law and practices.
For many foreign subsidiaries in Serbia — particularly IT companies processing customer data, e-commerce platforms, and companies with employee monitoring systems — a DPO appointment may be required. Even where not mandatory, appointing a DPO (or designating a privacy contact) demonstrates compliance commitment and facilitates communication with the Commissioner.
We advise on PDPA compliance, prepare privacy notices and data processing agreements, conduct DPIAs, and represent clients in proceedings before the Commissioner.
For foreign companies with Serbian subsidiaries, the transfer of personal data between Serbia and other jurisdictions is a central compliance issue. Employee data sent to the parent company for payroll processing, customer data shared with group entities for CRM purposes, and IT data stored on cloud servers outside Serbia — all constitute cross-border transfers that must comply with the PDPA’s transfer rules.
Personal data may be transferred to countries that the Serbian government has determined to provide an adequate level of data protection. Serbia has not yet issued its own list of adequate countries. In practice, transfers to EEA countries are generally considered permissible, as the PDPA is itself modelled on the GDPR. Transfers to other countries require appropriate safeguards.
In the absence of an adequacy determination, transfers may be made using standard contractual clauses (SCCs) between the data exporter in Serbia and the data importer abroad, binding corporate rules (BCRs) approved by the Commissioner, or other mechanisms prescribed by the PDPA that mirror the GDPR’s Article 46 safeguards. For most foreign companies, SCCs are the primary transfer mechanism. The PDPA does not specify a particular form of SCCs, and companies commonly use the EU Commission’s standard contractual clauses adapted for Serbian law.
Where neither adequacy nor appropriate safeguards are available, transfers may be made under specific derogations: explicit consent of the data subject, necessity for the performance of a contract, important reasons of public interest, or establishment or defence of legal claims. These derogations should be used as exceptions, not as the primary basis for systematic data transfers.
The PDPA imposes data breach notification obligations that largely track the GDPR. A personal data breach must be reported to the Commissioner without undue delay, and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the data subjects must also be notified without undue delay.
The notification to the Commissioner must include a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Foreign companies should establish a data breach response procedure before a breach occurs — the 72-hour window leaves little time for improvisation.
Controllers and processors that are not established in Serbia but are subject to the PDPA (because they offer goods or services to individuals in Serbia or monitor their behaviour) must appoint a representative in Serbia. The representative acts as a point of contact for the Commissioner and data subjects on all matters related to data processing. This mirrors Article 27 of the GDPR.
In practice, compliance with this obligation among foreign technology companies has been inconsistent. Some global platforms (Google, Yahoo, Upwork) have appointed Serbian representatives, while many others have not. The Commissioner has flagged this as an area of concern, and enforcement is expected to increase.
Based on the Commissioner’s enforcement practice and the practical compliance needs of foreign companies operating in Serbia, the following priorities are recommended:
Data protection compliance should be part of your setup from day one. We prepare privacy documentation, data processing and transfer agreements, and DPIAs — integrated with your company formation, employment, and IT arrangements.
Navigating Serbia’s dynamic business environment requires sharp legal insight and reliable support. Injac Attorneys at Law delivers tailored legal solutions across Corporate Law, M&A, Dispute Resolution, Employment, IP, Real Estate, Data Protection, and Tax. Count on us as your trusted legal partner in every transaction.