In spite of the fact that the information security insurance of Serbian residents has been an interesting issue for quite a long time, it is currently evident that not by any means the new law will give the level of assurance on a standard with the EU subjects. In August 2018, the EU took a reasonable position on the most recent Draft Law on Personal Data Protection (hereinafter: Law): if the proposed draft gets embraced, Serbia should change the whole lawful structure for individual information insurance on the main day it enters the EU. For reasons unknown, the planning of the new law for as far back as five years was futile.

Consequently, the inquiry emerges – did the Ministry of Justice lost all sense of direction in interpretation once more? This resembles another “misconception” in the arrangement realized by “dialect contrasts”. The past one occurred when the Ministry of Justice expressed that it was happy with the report of the Venice Commission on draft changes to the sacred arrangements. Nonetheless, after the general and expert open scrutinized it, it worked out that the Venice Commission had intense and significant complaints, which had nothing to do with dialect subtleties, in spite of the fact that the Ministry attempted to legitimize, in addition to other things, with “contrasts in interpretation”.

As an update, the present Law on Personal Data Protection was received in 2008. It was clear in 2013 that the legitimate system expected to change, with the shaping of a working gathering for drafting the new law. “Harmonization with the EU acquis” was the primary helper behind the choice to change the law. The working gathering was because of complete its work in May 2013.

By and by, the main draft of the Law was distributed just about four years after the fact, toward the finish of 2017. Since the declaration, the draft has been genuinely reprimanded in Serbia. Brussels likewise indicated various inadequacies to the Ministry. Sadly, the effect on the Ministry was constrained. The third draft included just corrective changes that did not basically blend the zone of ​​privacy and security of individual information with the EU legitimate structure.

Toward the start of August, Serbian media distributed an announcement from the Ministry of Justice that the third (and for the time being, the keep going) Draft Law on Personal Data Protection was emphatically evaluated by the European Commission (EC) and Eurojust. At the point when solicited by individuals from the common segment to empower the general population to peruse the positive survey without anyone else, the Ministry of Justice answered this was a choice, as the assessment “does not exist as a solitary content”.

All things considered, certain common society associations tended to the Ministry of European Integration, by utilizing the system given by the Law on Free Access to Information of Public Importance. Through that, people in general at last got the two records:

General, temporary remarks by the European Commission to the Draft Law and

Particular, lawful specialized remarks on individual articles of the Draft Law

By breaking down the unequivocal proclamations of the EC, we condensed a few reasons why Serbia won’t meet the lawful measures of individual information insurance as to be comparable to the next EU individuals. In spite of the announcements of the Ministry of Justice about the EC’s sure audit, plainly no perusing can permit elucidation prompting an idealistic end. As we would like to think, the EU’s decision is clear: the Draft Law neglects to fulfill the EU measures.


When all is said in done remarks, the EU “addresses” the Ministry of Justice on the fundamental guidelines of EU law, which ought to be notable to the competitor nation. The EU controls, (for example, the General Regulation on Personal Data Protection (hereinafter: GDPR)) have a coupling legitimate power and are specifically relevant in all EU part states. They are connected straightforwardly and don’t require the reception of extra national controls or regulatory measures, as supranational (European) laws. They fill the need to accomplish unification of rights at the EU level.

Then again, we illuminate that the EU Directive is an authoritative demonstration that should set up an objective that all EU Member States need to accomplish. Be that as it may, each state chooses autonomously on the way in which this objective is to be accomplished. The mandate fills the need to accomplish harmonization and not unification.

The most noteworthy change in the field of individual information assurance inside the EU is the substitution of the 1995 Personal Data Protection Directive with the General Data Protection Regulation, with the end goal to accomplish the entire unification.

Thusly, as an EU part hopeful, Serbia does not have to “exchange” or “decipher” GDPR into its enactment (except if particularly showed in the control, or when such occasion is fundamental for its usage), and specifically not in an erroneous way or in a way straightforwardly as opposed to the arrangements of this General Regulation. The result of such activities will be that right now Serbia turns into an EU part, any arrangements that are in opposition to the General Regulation will naturally end up invalid. All things considered, it appears that Serbia, as a competitor nation, does not regard such standards, but rather presents its own adaptation of GDPR in a few sections of the Draft Law, or totally disregards the arrangements of the General Regulation. Accordingly, the feedback of the EU is, as we would like to think, totally legitimized.


GDPR lawyer

It is extremely weird that the Working Group has chosen to put into one law the issue which is controlled inside the GDPR at the level of the EU, from one perspective, and the Police Directive, on the other. Any individual who has quite recently endeavored to skim the GDPR (even without attempting to comprehend the many-sided quality and expansiveness of the whole direction) could consider it to be a to a great degree broad lawful act. Then again, the Police Directive, as a lex specialis, controls exclusively the issue of the expert of state experts in the accumulation and handling of individual information during the time spent distinguishing criminal offenses.

In the EU, these are two administrations that have dependably been isolated. While before GDPR went into power, the main administration was inside the extent of Directive 95/46 EC, the forces of the police and different experts were beforehand recommended by General Decision 2008/977/JHA. There is additionally an intelligent method of reasoning behind this: the need to perceive the particular needs of state experts in the avoidance, examination, and arraignment of wrongdoing culprits.

The arrangement of changes that came into power in May 2018 inside the EU has kept up a double administration. While GDPR identifies with the security of individual information all in all, the Police Directive alludes to the accumulation of information with the end goal of counteractive action, examination, identification, and indictment of criminal offense culprits. As a rule, general information handling (the subject of GDPR) infers higher constraints on controllers however imagines more lawful bases for such preparing. The controller can pick one of the six lawful bases for legal information handling.

The Police Directive gives more extensive forces to certain state specialists, however just on one legitimate ground – when there is a need to “do an errand by an able expert when such an assignment depends on national or EU law”. More extensive police controls at times meddle with the fundamental privileges of the people whose information are gathered, which are generally given under GDPR. For instance, when gathering information to research a criminal offense, experts are not obliged to advise the people whose information they gather, or, in other words of the central GDPR rules.

Remembering this clarification, it remains totally vague why the working gathering chose to manage the territories in a single law, which the EU couldn’t bind together in a solitary legitimate instrument.

The EC condemns the Draft Law for this structure, as it thinks that its conflicting. The EC expresses that such a significant number of exemptions gave in the Draft (which ought to have been the subject of a totally extraordinary lex specialis law) speak to a potential issue for legitimate conviction and leave a wide space for potential maltreatment. For instance, it is expressed that the Draft anticipates more than 40 special cases to the run the show.

The end originating from such feedback is that the EU concurs with the Commissioner’s comments to some degree, comments which he has so far pointed out in a furious discussion with the Ministry of Justice, progressing since the production of the principal Draft.

The Commissioner legitimately, as we would like to think, accentuated:

“this unavoidably leaves the feeling that the Draft Law is composed more in light of a legitimate concern for “security structures” than in light of a legitimate concern for natives’ rights”.

This is really disturbing on the grounds that the primary objective of GDPR is to put an individual and his rights profoundly.


In the general remarks on the Draft, Brussels reminds the Ministry that the privilege to the assurance of individual information is a crucial right of the EU, or, in other words consideration must be paid to the lucidity of the Law.

The EC closes: “this is something that can’t be said for the present Draft”.

We clear up that the idea of individual information security originated from the Right to protection as a Human Right, and it has not yet increased full self-governance globally. All things considered, the significance, which the EU pays to the field of information security, is best represented by the way that it is perceived as an autonomous right in Article 8 of the EU Charter of Fundamental Rights. The EU Charter accommodated this privilege regardless of the Right to Respect for Private and Family Life (Article 7 of the Charter), not at all like, for instance, the European Convention on Human Rights and Fundamental Freedoms.

What’s more, paying little respect to the EU measures and the promotion procedure, decipherability and lucidity of the law ought to be of foremost significance to assist the nationals of Serbia. In the event that this isn’t the situation, both state specialists and different elements will have the capacity to manhandle the ambiguous letter of the law in the light of our entitlement to protection.


The European Commission condemns the Draft similar to the aftereffect of simple replicating of specific arrangements of the GDPR (where certain modifications are essential), and in addition on the grounds that specific arrangements are in opposition to the arrangements of the General Regulation.

Incomprehensibly, what originates from the EC’s feeling is that where the direction itself leaves space for further concretization and adjustment to national enactment, such an open door is ignored. Then again, a portion of the essential legitimate ideas of the General Regulation are characterized in a way resistant with the GDPR. Such a methodology represents a potential issue since there is space for elucidation and misapplication of arrangements inside Serbia in connection to the EU individuals.

One of the precedents of resistance with GDPR is the meaning of “assent” of the individual whose information are being prepared.

All together for any subject to gather or process individual data, they should have a specific legitimate ground for such activity. Article 6 of the GDPR accommodates a sum of six conceivable lawful bases for information handling.

In Recital 32, GDPR explains on the idea of assent, expressing that it must be given by an unmistakable confirmed act setting up a uninhibitedly given, particular, educated and unambiguous sign of the information subject’s consent to the handling of individual information, for example, by a composed explanation or an oral proclamation.

In any case, as the EU unmistakably states in its remarks to Article 4 of the Draft Law, the Draft Law gives a definition that does not precisely coordinate the meaning of GDPR. This is exceptionally perilous given that assent is the key legitimate idea in GDPR and information assurance law when all is said in done.

Aside from being unique, the Draft Law gave a meaning of assent, which has been dubious and non-exact, and in one of the drafts should incorporate exceptionally tricky circumstances. For instance, the beforehand proposed arrangement stipulates that a man will be esteemed to be in consistence with the accumulation and handling of individual information through video observation, by entering the video reconnaissance zone, gave that there is a video reconnaissance here.

The EU has clarified that this instance of giving assent is hazardous from the part of GDPR. In the most recent variant of the Draft, this precedent is by all accounts overlooked, yet practically speaking, it might enter through a more extensive understanding of the expression “certifiable act” gave in Article 4, passage 1, thing 12 of the Draft.

The explanation for this lies in the reality, as the EC unequivocally states as its would like to think, that the working gathering did not consider the GDPR Recitals, which help decipher and clear up the dialect contained in the standards.

Then again, gathering individual information by means of video reconnaissance was a standout amongst the most questionable issues in the past discussion on the Draft Law. The Commissioner especially underlined that this issue is exceptionally dangerous by and by, as it isn’t unmistakably directed inside the current legitimate structure.

It is obvious from the remarks of the European Commission that resistance with GDPR is apparent in numerous different perspectives. For instance, it has been over and again accentuated that “real intrigue” isn’t the equivalent as “legitimate commitment”, that information exchange arrangements are not sufficient, and that there is an issue of absence of chance to guarantee pay through court.

In this manner, it appears that GDPR isn’t yet coming to Serbia all things considered (at any rate not appropriately).


With regards to the legitimate idea of the Commissioner, the Draft alludes to the Law on Access to Information of Public Importance in a few arrangements. Be that as it may, the present law under this name is from 2004 and its correction is in advancement, so it isn’t clear what will be the epilog for this questionable subject.

In these conditions, unmistakably the third draft ought not be the last one. At last, the EU constructed the feeling in light of this. The conclusion closes with a proposition to sort out a joint gathering between the Ministry, Commissioner and EU delegates with the end goal to draft another Draft Law. In such conditions, we trust it is inadmissible to disregard the EU’s position, not just because of the procedure of EU promotion, yet in addition because of the security of essential privileges of natives of the Republic of Serbia.

In any case, how the information assurance adventure in Serbia will end (and perhaps at the same time start) stays to be seen.