Serbia: Physical Location/Residency of Data Subject in Jurisdiction

The factor of Physical Location/Residency of the Data Subject is explicitly used in Serbia's Law on Personal Data Protection (LPDP) to determine the scope of the law's applicability. This factor ensures that the law applies to the processing of personal data belonging to individuals who are domiciled or habitually residing in Serbia, even when the processing is carried out by foreign entities.

Text of Relevant Provisions

LPDP Art.3(4):

*"This Law shall apply to the processing of personal data of data subjects who have their domiciles and/or habitual residence in the territory of the Republic of Serbia by a controller and/or processor which do not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia, where the processing activities are related to:

1. the offering of goods and/or services, irrespective of whether or not a payment of the data subject is required for such goods and/or service, to such data subjects in the territory of the Republic of Serbia;
2. the monitoring of activities of data subjects, as far as their activities take place within the Republic of Serbia."*

Original (Serbian):

*"Ovaj zakon primenjuje se na obradu podataka o ličnosti lica koja imaju prebivalište i/ili uobičajeno boravište na teritoriji Republike Srbije od strane rukovaoca i/ili obrađivača koji nemaju sedište i/ili prebivalište ili uobičajeno boravište na teritoriji Republike Srbije, ukoliko su aktivnosti obrade povezane sa:

1. ponudom robe i/ili usluga, bez obzira na to da li od tih lica zahteva plaćanje za tu robu i/ili uslugu, tim licima na teritoriji Republike Srbije;
2. praćenjem aktivnosti tih lica, u meri u kojoj se njihove aktivnosti odvijaju na teritoriji Republike Srbije."*

Analysis of Provisions

• LPDP Article 3(4) stipulates that the law applies to the processing of personal data of individuals who are domiciled or have habitual residence in Serbia, even when the data controller or processor is not physically located within Serbia. This extension of the law’s applicability to foreign entities is contingent on the processing activities being related to either the offering of goods/services to individuals in Serbia or the monitoring of their activities within Serbia.
• The provision highlights two primary scenarios that trigger the application of Serbian data protection law:
  1. Offering of goods or services: The law applies when a foreign entity offers goods or services to individuals in Serbia, regardless of whether a payment is required. This is crucial in protecting Serbian residents' data from being processed by foreign e-commerce platforms or online service providers.
  2. Monitoring of activities: The law also applies to any monitoring activities conducted by foreign entities that involve tracking or profiling individuals while they are within Serbian territory.
• This approach is designed to ensure that the personal data of individuals in Serbia is protected, even when processed by entities that have no physical presence in the country. It reflects a trend towards the extraterritorial application of data protection laws, similar to the European Union's GDPR, which has influenced Serbia’s legislative framework.

Implications

• For businesses, particularly those operating online or across borders, this means that they must comply with Serbian data protection laws if they target or monitor individuals residing in Serbia. This applies even if the business has no physical operations or legal presence in Serbia.
• Companies that offer goods or services to Serbian residents, or engage in activities such as online behavioral advertising or tracking of Serbian users, must ensure that their data processing practices align with Serbian data protection requirements.
• An example would be a foreign online retailer that sells products to customers in Serbia. Even if the retailer is based entirely outside of Serbia, it would still need to comply with the LPDP when processing the personal data of Serbian residents.