Applicability of Serbia's Law on Personal Data Protection (LPDP)

Serbia's data protection framework is governed by specific legislation that regulates the processing of personal data. The primary role of this legislation is fulfilled by the Law on Personal Data Protection (Закон о заштити података о личности), which establishes the legal framework for personal data protection in the Republic of Serbia.

The Law on Personal Data Protection was adopted on November 9, 2018 and became effective on August 21, 2019.

Serbia's Law on Personal Data Protection (LPDP) establishes a robust framework for data protection through a combination of material and territorial applicability factors. The law's scope extends to both automated and manual processing activities while providing precise exemptions for personal/household use. Territorial provisions demonstrate extraterritorial reach through establishment-based criteria and protections for Serbian residents regardless of controller location.

Material Applicability Factors

The LPDP's material scope is governed by four key factors determining when the law applies to specific processing activities, regardless of geographical considerations.

Automated Means Criterion

LPDP Art.3(1):

"This Law shall apply to processing of personal data which is performed, in its entirety or in a part thereof, by automated means, as well as to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

Original (Serbian):

"Ovaj zakon primenjuje se na obradu podataka o ličnosti koja se vrši, u celini ili delom, automatizovanim sredstvima, kao i na obradu koja se vrši drugim sredstvima, a podaci o ličnosti su deo evidencije ili su namenjeni da postanu deo evidencije."

This provision establishes that any processing involving digital systems or partial automation falls under the LPDP's scope. The criterion applies even when only specific processing stages use automation, such as automated data collection followed by manual analysis. This captures modern hybrid processing models where human decision-making interfaces with automated systems.

Filing System Criterion

LPDP Art.3(1):

"This Law shall apply to [...] processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

Original (Serbian):

"Ovaj zakon primenjuje se na [...] obradu koja se ne vrši automatizovanim sredstvima podataka o ličnosti koji su deo sistema evidencije ili su namenjeni da budu deo sistema evidencije."

The law applies to structured manual records accessible via specific criteria, such as alphabetized patient files or customer indexes. This prevents circumvention through non-digital means while requiring organizations to implement physical security measures comparable to digital protections.

Prospective Filing System Inclusion

LPDP Art.3(1):

"This Law shall apply to [...] personal data [...] intended to form part of a filing system."

Original (Serbian):

"Ovaj zakon primenjuje se na [...] podaci o ličnosti [...] namenjeni da budu deo sistema evidencije."

This future-oriented provision applies the law from the moment of data collection if there's intent to organize it systematically. For example, handwritten interview notes collected for future database entry must comply immediately, preventing regulatory gaps during data consolidation phases.

Personal and Domestic Use Exemption

LPDP Art.3(2):

"This Law shall not apply to the processing of personal data performed by a natural person for their own needs and/or for the needs of their household."

Original (Serbian):

"Ovaj zakon se ne primenjuje na obradu podataka o ličnosti koju vrši fizičko lice za sopstvene potrebe i/ili za potrebe svog domaćinstva."

This exemption excludes private communications, family photo albums, and personal diaries from LPDP's scope. However, the boundary blurs with social media use: a private family WhatsApp group likely qualifies, while public Instagram posts may not.

Territorial Applicability Factors

The LPDP asserts jurisdiction through five territorial factors ensuring protection of Serbian residents' data regardless of processing location.

Processing by Local Establishment

LPDP Art.3(3):

"This Law shall apply to [...] processing [...] by a controller and/or processor with the seat and/or domicile or habitual residence in Serbia [...] irrespective of processing location."

Original (Serbian):

"Ovaj zakon primenjuje se na obradu [...] od strane rukovaoca i/ili obrađivača koji imaju sedište i/ili prebivalište ili uobičajeno boravište u Republici Srbiji [...] bez obzira na mesto obrade."

Serbian-registered companies must comply globally, including foreign subsidiaries processing Serbian data. A Belgrade-based e-commerce platform remains subject to LPDP when using cloud servers abroad, requiring cross-border data transfer mechanisms.

Offering Goods/Services to Serbian Residents

LPDP Art.3(4)(1):

"Applies to processing related to offering goods/services to Serbian data subjects, irrespective of payment."

Original (Serbian):

"Primenjuje se na obradu u vezi sa ponudom robe/usluga licima u Srbiji, bez obzira na plaćanje."

Foreign companies targeting Serbian markets through Serbian-language websites or local currency pricing must comply. Free apps collecting Serbian user data fall under this provision, requiring GDPR-style compliance measures despite no revenue generation.

Monitoring Serbian Data Subjects

LPDP Art.3(4)(2):

"Applies to processing involving monitoring of activities occurring within Serbia."

Original (Serbian):

"Primenjuje se na obradu koja uključuje praćenje aktivnosti na teritoriji Srbije."

This encompasses website tracking pixels monitoring Serbian IP addresses and retail heatmaps analyzing customer movements in Belgrade stores. Foreign analytics services must implement geoblocking or LPDP-compliant consent mechanisms.

Physical Presence of Data Subjects

LPDP Art.3(4):

"Applies to processing data of subjects with domicile/habitual residence in Serbia."

Original (Serbian):

"Primenjuje se na obradu podataka o licima sa prebivalištem/uobičajenim boravištem u Srbiji."

Protection follows Serbian citizens abroad temporarily but excludes long-term expatriates. A Serbian student in Germany remains protected regarding data processed about their Serbian residence.

Entity Registration/Incorporation

LPDP Art.3(3):

"Applies to processors registered/incorporated in Serbia regardless of processing location."

Original (Serbian):

"Primenjuje se na obrađivače registrovane/osnovane u Srbiji bez obzira na mesto obrade."

Foreign parent companies using Serbian subsidiaries for data processing must ensure subsidiary compliance. Joint ventures with Serbian partners automatically fall under LPDP regardless of data flow paths.

Conclusion

Serbia's LPDP establishes comprehensive applicability through material factors covering all modern processing methods and territorial factors asserting jurisdiction over domestic entities and foreign processors targeting Serbian residents. The law's extraterritorial provisions mirror GDPR standards while maintaining unique national characteristics through explicit filing system requirements and precise domestic use exemptions.