Serbia's Data Protection Law Applicability to Entities Registered or Incorporated in the Country

The Law on Personal Data Protection (LPDP) of Serbia uses the factor of processing by entities registered or incorporated in Serbia as a key determinant for its applicability.

Text of Relevant Provisions

LPDP Art.3(3):

"This Law shall apply to the processing of personal data performed by a controller and/or processor with the seat and/or domicile or habitual residence in the territory of the Republic of Serbia, in the course of activities performed in the territory of the Republic of Serbia, irrespective of whether the processing activity is performed in the territory of the Republic of Serbia or not."

Analysis of Provisions

The LPDP explicitly extends its applicability to data processing activities carried out by controllers or processors that have their "seat and/or domicile or habitual residence" within Serbia. This provision establishes a clear connection between the law's applicability and the entity's legal presence in the country.

The law applies to such entities "in the course of activities performed in the territory of the Republic of Serbia", indicating that the processing must be related to activities conducted within Serbia. However, it's important to note that the law applies "irrespective of whether the processing activity is performed in the territory of the Republic of Serbia or not". This means that even if the actual data processing occurs outside of Serbia, the law still applies as long as the entity has its seat, domicile, or habitual residence in Serbia and the processing is related to activities in Serbia.

The use of the terms "seat", "domicile", and "habitual residence" provides a broad scope for the law's applicability:

• "Seat" typically refers to the registered office or principal place of business for legal entities.
• "Domicile" and "habitual residence" are more commonly used for natural persons, potentially covering individual entrepreneurs or sole proprietors.

This comprehensive approach ensures that the law covers various types of entities and individuals who might be involved in data processing activities.

Implications

The implications of this provision are significant for businesses and other entities:

1. Serbian companies: All companies registered in Serbia must comply with the LPDP for their data processing activities related to operations in Serbia, regardless of where the actual processing takes place.
2. Foreign companies with Serbian branches or subsidiaries: If a foreign company has a registered branch or subsidiary in Serbia, the data processing activities of that branch or subsidiary related to its Serbian operations fall under the LPDP.
3. Remote processing: Even if a Serbian-based entity outsources its data processing to a foreign country, it remains subject to the LPDP as long as the processing is related to activities in Serbia.
4. Individual entrepreneurs: The inclusion of "domicile" and "habitual residence" suggests that individual entrepreneurs or freelancers based in Serbia are also covered by the law.
5. Extraterritorial effect: Serbian entities must comply with the LPDP even when processing data of non-Serbian residents, as long as the processing is related to their activities in Serbia.

This factor effectively ensures that all entities with a significant presence in Serbia are bound by the country's data protection regulations, promoting a comprehensive data protection regime within the jurisdiction.