Serbia: Automated Means Criterion

The Automated Means Criterion is a key factor in determining the applicability of Serbia's Law on Personal Data Protection (LPDP).

Text of Relevant Provisions

LPDP Art.3(1):

"This Law shall apply to processing of personal data which is performed, in its entirety or in a part thereof, by automated means, as well as to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

Analysis of Provisions

The Automated Means Criterion in Serbia's LPDP extends the law's applicability to personal data processing that is carried out wholly or partially through automated means. This provision is significant as it captures a wide range of data processing activities, including those that utilize digital or electronic systems.

The law's scope is defined by two key elements:

"processing of personal data which is performed, in its entirety or in a part thereof, by automated means": This clause ensures that the law applies to any data processing that involves automated systems, even if only a portion of the processing is automated.
"processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system": This extends the law's reach to non-automated processing, provided the data is part of or intended for a structured set of personal data.

The inclusion of both automated and non-automated processing in structured filing systems demonstrates the law's comprehensive approach to data protection. It recognizes that personal data can be vulnerable in various forms of processing, not just those that are fully automated.

Implications

The broad scope of the Automated Means Criterion has several implications for businesses and organizations:

Wide applicability: Almost all modern data processing operations involve some form of automation, meaning most businesses handling personal data will likely fall under the law's purview.
Partial automation: Even if only a part of the data processing is automated, the entire process becomes subject to the law. This could include, for example, data collection through online forms followed by manual processing.
Structured manual processing: Organizations using traditional paper-based filing systems for personal data are not exempt if these systems are structured and searchable.
Future-proofing: By including data "intended to form part of a filing system," the law anticipates and covers scenarios where data might be collected manually with the intention of later digitization or structured filing.
Technological neutrality: The law's applicability is not tied to specific technologies, allowing it to remain relevant as new data processing methods emerge.

Jurisdiction Overview

Serbia

🎦 Monitoring Data Subjects Within Jurisdiction 📍 Processing by Local Establishment 🖥️ Automated Means Criterion 🗃️ Filing System Criterion 🏡 Personal and Domestic Use Exemption 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction 💼 Processing by Entity Registered or Incorporated in Jurisdiction Physical Location/Residency of Data Subject in Jurisdiction 💽 Prospective Filing System Inclusion