Serbia's Law on Personal Data Protection (LPDP) extends its applicability to data processing activities that involve monitoring data subjects within Serbia, even when the data controller or processor is not established in the country.

Text of Relevant Provisions

LPDP Art.3(4)(2):

"This Law shall apply to the processing of personal data of data subjects who have their domiciles and/or habitual residence in the territory of the Republic of Serbia by a controller and/or processor which do not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia, where the processing activities are related to: the monitoring of activities of data subjects, as far as their activities take place within the Republic of Serbia."

Original (Serbian):

"Овај закон примењује се на обраду података о личности лица на које се подаци односе која имају пребивалиште, односно боравиште на територији Републике Србије од стране руковаоца, односно обрађивача који немају седиште, односно пребивалиште или боравиште на територији Републике Србије, ако су радње обраде везане за: праћење активности лица на које се подаци односе, ако се њихове активности одвијају на територији Републике Србије."

Analysis of Provisions

The LPDP extends its territorial scope to include data processing activities that involve monitoring data subjects within Serbia, even when the data controller or processor is not established in the country. This provision is found in Article 3(4)(2) of the LPDP.

The law applies when two conditions are met:

1. The data subjects have their "domiciles and/or habitual residence in the territory of the Republic of Serbia".
2. The processing activities are related to "the monitoring of activities of data subjects, as far as their activities take place within the Republic of Serbia".

This provision ensures that the LPDP protects Serbian residents even when their data is processed by entities outside of Serbia, as long as those entities are monitoring the activities of data subjects within Serbian territory.

The term "monitoring of activities" is not explicitly defined in the provided text. However, it likely encompasses various forms of tracking or observing the behavior of individuals, which could include online tracking, location monitoring, or other forms of surveillance.

Implications

This provision has significant implications for businesses and organizations that process personal data:

1. Extra-territorial application: Companies outside of Serbia that monitor the activities of Serbian residents must comply with the LPDP, even if they have no physical presence in Serbia.
2. Online services: Websites, apps, and other online services that track user behavior (e.g., through cookies, analytics tools) of Serbian residents may fall under the scope of the LPDP.
3. IoT and smart devices: Companies offering Internet of Things (IoT) devices or smart technology that monitor user activities within Serbia may be subject to the LPDP.
4. Location-based services: Services that track the physical location of users within Serbia could be considered as monitoring activities and thus fall under the law's scope.
5. Market research: Companies conducting market research or consumer behavior studies involving Serbian residents may need to comply with the LPDP.
6. Compliance requirements: Non-Serbian entities engaging in monitoring activities of Serbian residents will need to familiarize themselves with and implement LPDP requirements, potentially including appointing a representative in Serbia.

This extraterritorial reach of the LPDP aligns with similar provisions in other modern data protection laws, such as the EU's General Data Protection Regulation (GDPR), reflecting a global trend towards protecting data subjects regardless of the location of the data processor or controller.