How the Data Protection Representative is Designated

Controllers and processors of personal data who do not have their registered office or place of residence in the Republic of Serbia are required, in accordance with the Law on Personal Data Protection, to designate a representative in the Republic of Serbia if their processing operations are carried out in the Republic of Serbia and related to:

• offering of goods or services to the data subjects in the Republic of Serbia;
• monitoring of the behaviour of the data subjects, when the activities are carried out in the Republic of Serbia;
An exception to the requirement to designate a representative for these controllers and processors is only provided if:
• the processing is occasional, does not involve the processing of special categories of data, or the processing of personal data relating to criminal convictions and offences on a large scale, and is unlikely to result in a risk to the rights and freedoms of natural persons;
• the controller or processor is a public authority or body;

The Data Protection Representative is a natural person or legal person with residence or registered office in the Republic of Serbia who is authorised to represent the controller, i.e., the processor with regard to their respective obligations under the Law.

Controllers and processors are required to publish the identity and contact details of their Data Protection Representative.

The Representative acts on behalf of the controller and processor in the territory of the Republic of Serbia, and data subjects may contact him on all matters relating to the processing of personal data in order to ensure compliance with the Law.

In addition to the above, the Representative is obliged to cooperate with the Commissioner for Information of Public Importance and Personal Data Protection and is obliged to provide him with all the necessary information at his request.

The Representative acts on behalf of the controller and the processor and his/her designation does not affect their responsibility in the event of a personal data breach. Complaints, lawsuits, and other legal claims will be brought against the controller or processor regardless of whether a Representative has been designated.

Controllers and processors who fail to designate a representative in accordance with the Law are liable to a misdemeanour punishable by a fine ranging from 50,000.00 RSD to 2,000,000.00 RSD.

Our law office provides services for the designation and performance of the duties of the Data Protection Representative. For more information, please contact us at: [email protected] or [email protected]

TSG Advokati Beograd

Law on Personal Data Protection

Data Protection Representative

Commissioner for Information of Public Importance and Personal Data Protection