Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted internationally;
- people/entities outside the country being able to access or "see" personal data held in Serbia; and,
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
Employers in Serbia can transfer data outside the country without the consent of the Commissioner when the country or international organization the data will be transferred to is considered to have an adequate level of protection. This includes:
- signatories of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
- instances where the EU has determined that the country or international organization ensures an adequate level of protection; or,
- when the Government of the Republic of Serbia has determined that a country or international organization ensures an adequate level of protection (i.e., it has been added to the list of adequate countries/international organizations);
- when an international agreement on the transfer of personal data is concluded.
When the employer is transferring personal data to a country outside Serbia which doesn’t ensure an “adequate” level of protection, the transfer is allowed if the entity receiving the personal data (such as a parent company) meets certain Commission-approved safeguards and employee rights and legal protections are available.
Commission-approved safeguards include:
- legally binding acts created by competent authorities;
- standard data protection clauses adopted by the Commissioner;
- binding corporate rules;
- an approved code of conduct; and,
- an improved and issued certificate.
In May 2020, the Commissioner adopted and approved standard data protection clauses.
As an alternative, other safeguards can be used, but require the specific, individual authorization from the Commissioner. These include:
- contractual clauses between parties transferring the personal data; and,
- provisions inserted into administrative arrangements between public authorities that include enforceable and effective protection of data subject rights.