Serbia: Offering Goods and Services to Data Subjects in Jurisdiction

The Law on Personal Data Protection (LPDP) in Serbia extends its territorial scope to include data processing activities related to offering goods and services to data subjects in Serbia, even when the data controller or processor is not established within the country.

Text of Relevant Provision

LPDP Article 3(4)(1) states:

"This Law shall apply to the processing of personal data of data subjects who have their domiciles and/or habitual residence in the territory of the Republic of Serbia by a controller and/or processor which do not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia, where the processing activities are related to:

1) the offering of goods and/or services, irrespective of whether or not a payment of the data subject is required for such goods and/or service, to such data subjects in the territory of the Republic of Serbia;"

Analysis of Provisions

The provision extends the application of Serbian data protection law to non-Serbian entities processing personal data of Serbian residents when offering goods or services to them. Several key elements can be identified:

  1. Territorial scope: The law applies to data subjects with "domiciles and/or habitual residence in the territory of the Republic of Serbia", emphasizing the focus on protecting Serbian residents.
  2. Non-domestic controllers/processors: The provision specifically targets "controller and/or processor which do not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia", extending the law's reach beyond national borders.
  3. Offering goods or services: The core activity triggering the law's application is "the offering of goods and/or services" to Serbian data subjects.
  4. Irrelevance of payment: The provision explicitly states that it applies "irrespective of whether or not a payment of the data subject is required", ensuring that both free and paid offerings are covered.

This extraterritorial application aligns with the approach taken by other modern data protection laws, such as the EU's GDPR. The rationale behind this provision is to ensure that Serbian residents' personal data is protected regardless of the location of the entity processing their data, thus preventing potential loopholes in data protection based on the controller's or processor's geographical location.

Implications

This provision has significant implications for businesses operating outside of Serbia:

  1. Extraterritorial reach: Companies without a physical presence in Serbia may still be subject to Serbian data protection law if they offer goods or services to Serbian residents.
  2. Broad interpretation of "offering": The law does not specify what constitutes an "offering", which may lead to a broad interpretation. This could potentially include:
    • Websites accessible to Serbian users
    • Online services available in the Serbian language
    • Marketing campaigns targeting Serbian consumers
  3. Compliance requirements: Non-Serbian businesses targeting the Serbian market must ensure compliance with Serbian data protection law, which may involve:
    • Appointing a representative in Serbia
    • Implementing appropriate data protection measures
    • Providing privacy notices in Serbian
  4. E-commerce considerations: Online retailers and service providers must be particularly aware of this provision, as their activities are likely to fall under "offering goods and services".
  5. Free services included: The provision's application regardless of payment means that even free online services (e.g., social media platforms, free apps) must comply if they target Serbian users.

By extending its reach to non-domestic entities, Serbia aims to provide comprehensive protection for its residents' personal data in an increasingly globalized digital economy.

