Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Serbia’s Data Protection Law (2018) includes a requirement that the data protection Commissioner must be notified of data breaches that are likely to result in a high risk to the rights and freedoms of natural persons. The Commissioner should be notified no later than 72 hours after becoming aware of a breach, when feasible. Individuals must also be informed of a data breach, without undue delay, if the breach is likely to result in a high risk to the rights and freedoms of natural persons (Art. 52 and Art. 53).
HR Best Practices: Incidents in the employment context that might trigger a requirement to notify include a laptop left on a train, or an email containing HR information sent in bulk to incorrect addresses. In the event of a possible data breach relating to HR data, the best solution is to take action to correct the breach.