As digital transformation accelerates worldwide, data privacy and cybersecurity regulations are becoming increasingly important for businesses everywhere, including in Serbia. With this rise in digitalization, Serbian lawmakers and regulatory authorities are working to strengthen data protection frameworks, largely influenced by the European Union’s General Data Protection Regulation (GDPR). The journey is complex, however, as Serbia faces challenges in fully aligning its laws with EU standards. This article examines Serbia’s current data protection landscape, its alignment efforts with the GDPR, and the growing importance of cybersecurity for Serbian businesses.
Serbia’s Data Protection Law and GDPR Influence
Serbia’s primary data protection framework is the Law on Personal Data Protection (PDP Law), adopted in 2018 and modeled closely on the EU’s GDPR. The PDP Law aims to align with GDPR principles such as consent, data minimization, and accountability, offering Serbian citizens rights and protections similar to those enjoyed in the EU. These include the right to access, rectify, and erase personal data, as well as the right to restrict data processing, mirroring the corresponding GDPR provisions.
However, despite its GDPR-based foundation, the PDP Law faces limitations in enforcement and in specific legal adaptations. Serbian regulators have pointed out that, unlike the GDPR, Serbia’s PDP Law lacks the interpretive clarifications found in the GDPR’s recitals, which creates ambiguities when local businesses try to apply compliance standards. The Serbian law also provides limited penalties for data protection violations, with maximum fines of around EUR 17,000, in contrast to the GDPR’s significantly higher penalties, which can reach EUR 20 million or 4% of a company’s annual global revenue. This has been cited as one reason some Serbian businesses do not prioritize data protection compliance to the same degree as their EU counterparts.
The 2023–2030 Data Protection Strategy
In response to these gaps, Serbia introduced the 2023–2030 Personal Data Protection Strategy, a comprehensive roadmap for strengthening data privacy laws and aligning more closely with EU standards. One of the key goals of this strategy is for Serbia to obtain an “adequacy decision” from the European Commission, which would recognize Serbia’s data protection standards as meeting EU requirements. This designation could ease data transfers between Serbia and the EU, enhancing economic cooperation and expanding market opportunities for Serbian businesses in the European market.
The strategy focuses on updating legal definitions, improving enforcement mechanisms, and clarifying data protection provisions that are currently vague or under-regulated. Key areas targeted for new legislation by the end of 2024 include regulations on video and audio surveillance, biometric data, and genetic information. Serbian lawmakers are also exploring revisions to strengthen the authority and resources of the Commissioner for Information of Public Importance and Personal Data Protection, responsible for overseeing data privacy issues.
Additionally, the strategy calls for heightened public awareness and education on data privacy rights through school curricula and training programs, emphasizing the importance of data protection in the digital era. This public education effort reflects the country’s broader goal to foster a culture of privacy and digital responsibility among citizens and businesses alike.
Cybersecurity Measures and Challenges
As Serbia continues to build its data protection framework, cybersecurity has emerged as another critical area of focus. Serbia’s Law on Information Security mandates that organizations adopt security policies and appoint personnel responsible for cybersecurity management. Businesses in key sectors, such as finance and critical infrastructure, are required to report cybersecurity incidents to the national CERT (Computer Emergency Response Team) to help mitigate and prevent large-scale cyber threats.
However, cybersecurity laws in Serbia face challenges in meeting the demands of an increasingly interconnected economy. The regulatory framework lacks certain elements seen in more mature cybersecurity ecosystems, such as compulsory cybersecurity assessments or more comprehensive security requirements for digital service providers. Furthermore, Serbian businesses have cited a lack of resources and training in cybersecurity best practices as an obstacle to compliance, particularly among small and medium-sized enterprises (SMEs), which may not have dedicated IT security teams.
The 2023–2030 strategy acknowledges these gaps and proposes measures to expand the regulatory scope. For instance, the strategy emphasizes the need for standardized cybersecurity procedures across sectors, encouraging companies to adopt better risk management practices, particularly those involved in handling sensitive personal or financial data. It also aims to strengthen cybersecurity monitoring mechanisms and improve collaboration between private companies and governmental cybersecurity agencies.
Business Implications for Serbian Companies
For Serbian businesses, aligning with both data protection and cybersecurity regulations represents a considerable challenge but also offers potential competitive advantages. Companies operating within the EU or conducting business with EU clients must already comply with GDPR standards, and failure to adhere to data protection laws could expose them to fines, legal liabilities, and reputational damage.
Investing in robust data protection and cybersecurity frameworks can be seen as a long-term investment for Serbian companies, especially as digital transformation brings new opportunities and risks. Companies that prioritize compliance may benefit from greater trust and loyalty among consumers, as data privacy increasingly influences consumer behavior. Moreover, as Serbia moves closer to EU alignment, compliant companies will likely find it easier to access new markets and streamline data transfers with European partners.
For sectors such as e-commerce, finance, healthcare, and telecommunications, where data protection is particularly critical, building secure data systems and adopting transparency in data handling can offer a strategic edge. By preemptively addressing these regulatory requirements, businesses can avoid costly adjustments down the line and remain agile in the face of evolving international standards.
The Path Ahead: Recommendations and Strategies
To navigate the evolving regulatory landscape, Serbian businesses should consider the following strategies:
- Data Protection Officer (DPO) Appointment: Businesses meeting specific thresholds (e.g., large-scale data processing) should appoint a DPO to ensure that data privacy protocols are monitored and regularly updated. This can help prevent costly data breaches and improve compliance with Serbian and EU standards.
- Employee Training and Awareness: Data protection is only as strong as the weakest link in an organization. Regular employee training on privacy policies, cybersecurity practices, and data handling protocols is essential to safeguard against human error, one of the leading causes of data breaches.
- Regular Audits and Risk Assessments: Conducting regular data protection and cybersecurity assessments allows businesses to identify vulnerabilities early and take proactive measures. Audits can ensure compliance with Serbia’s PDP Law and GDPR requirements, mitigating risks and building resilience against cyber threats.
- Data Minimization and Anonymization: By adopting GDPR principles such as data minimization and anonymization, businesses can reduce the amount of personal data exposed in the event of a cyber incident, protecting customer trust and reducing liability.
- Collaboration with Regulatory Authorities: Engaging with the Commissioner’s office and other relevant authorities can provide businesses with guidance and clarity on compliance requirements, reducing the likelihood of unintentional violations and associated penalties.
Conclusion
Serbia’s data privacy and cybersecurity framework is gradually evolving to meet EU standards, driven by the need to protect citizens’ privacy rights and enable smooth data exchanges with European partners. However, significant work remains to enhance regulatory enforcement, clarify legal definitions, and expand cybersecurity requirements for the digital age. For Serbian businesses, adapting to these regulations is more than a compliance obligation—it is an opportunity to build customer trust, enhance data management practices, and position themselves for future growth within the EU market.
As Serbia advances toward EU accession, the alignment with GDPR and stronger cybersecurity laws will likely continue to shape the business landscape. By proactively investing in data protection and cybersecurity measures, Serbian companies can not only comply with regulations but also gain a strategic advantage in an increasingly privacy-conscious market.