Serbia Jurisdiction: Prospective Filing System Inclusion

The factor of Prospective Filing System Inclusion is explicitly addressed in Serbia's Law on Personal Data Protection (LPDP). This factor ensures that the law applies to data processing activities conducted without automated means if the personal data is intended to be part of a filing system.

Text of Relevant Provisions

LPDP Art.3(1):

"This Law shall apply to processing of personal data which is performed, in its entirety or in a part thereof, by automated means, as well as to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

Original (Serbian):

"Ovaj zakon primenjuje se na obradu podataka o ličnosti koja se vrši, u celini ili delom, automatizovanim sredstvima, kao i na obradu koja se vrši drugim sredstvima, a podaci o ličnosti su deo evidencije ili su namenjeni da postanu deo evidencije."

Analysis of Provisions

• LPDP Art.3(1) explicitly extends the scope of Serbia’s data protection law to include non-automated processing of personal data, provided that the data "form part of a filing system or are intended to form part of a filing system." This provision is designed to ensure that data processing activities are subject to the law as soon as there is an intention to organize or structure the data into a filing system.
• The phrase "intended to form part of a filing system" is critical because it captures data processing activities that might not yet be fully organized but are planned to be included in a systematic collection. This prevents data controllers from evading legal obligations by delaying the structuring of data into a filing system.
• The rationale behind this inclusion is to ensure comprehensive protection of personal data by bringing all relevant processing activities under the scope of the law, regardless of whether the data is currently part of a formal filing system. This approach closes potential loopholes where manual data processing could otherwise escape regulation.

Implications

• For businesses operating in Serbia, this means that any manual processing of personal data is subject to the LPDP if there is an intention to later organize the data into a filing system. Companies must be aware that even at the initial stages of data collection and processing, they are required to comply with data protection regulations.
• An example of this would be a business collecting customer information manually, intending to later input this data into a digital customer management system. Even before the data is entered into the system, the company must ensure compliance with the LPDP because the data is intended to form part of a structured filing system.
• This provision emphasizes the need for businesses to consider data protection compliance from the outset, as the law's applicability is triggered by the intention to structure the data, not just by the actual structuring itself.