Serbia Official Gazette No. 87/2018 — Personal Data Protection Law

Why it Matters

Serbia's Personal Data Protection Law establishes essential requirements for safeguarding personal information and maintaining public trust in organizational data practices.

Key benefits include:

• Improve legal compliance

Enable organizations to meet mandatory data protection obligations and mitigate the risk of regulatory penalties or enforcement actions.

• Strengthen accountability measures

Require internal documentation and processes that demonstrate how personal data is handled responsibly and transparently.

• Enhance data subject rights

Support effective mechanisms for individuals to access, correct, or erase their personal information as required by law.

• Increase audit readiness

Facilitate recordkeeping and evidence management, making it easier to demonstrate compliance during external audits or inspections.

• Promote organizational trust

Foster confidence among customers and partners by showing a clear commitment to protecting the privacy of personal data.

How it Works

The Serbia Official Gazette No. 87/2018 — Personal Data Protection Law establishes a comprehensive regulatory framework for the processing and protection of personal data. It structures its requirements around core principles such as lawfulness, transparency, data minimization, and accountability, closely aligning with the GDPR model. Key regulatory requirements address the rights of data subjects, obligations of data controllers and processors, data breach notification, and the appointment of data protection officers.

In practice, organizations implement the Personal Data Protection Law by developing and maintaining security controls, conducting regular risk assessments, and establishing clear governance structures to manage compliance. Typical activities include mapping their operational processes to legal requirements, drafting privacy notices, training staff, updating incident response plans, and maintaining records of processing activities to support ongoing monitoring and regulatory compliance.

With SmartSuite, organizations can operationalize the Personal Data Protection Law by utilizing control libraries to track compliance, leveraging risk registers to document and address data privacy risks, and managing policy governance across departments. The platform also supports evidence collection, compliance tracking, remediation workflows, and dashboard reporting, helping organizations maintain audit readiness and demonstrate accountability in data protection practices.

Key Elements

• Personal Data Processing Principles

Defines core principles for lawful, transparent, and fair processing of personal data.

• Data Subject Rights Management

Establishes procedures for recognizing and enabling individuals' rights regarding their personal data.

• Controller and Processor Obligations

Specifies duties and responsibilities for organizations handling and safeguarding personal data.

• Data Protection Impact Assessments

Outlines requirements for evaluating privacy risks and implementing mitigating measures before processing activities.

• Supervisory Authority Oversight

Describes the powers and competencies of the national data protection authority to monitor compliance.

• Cross-Border Data Transfer Mechanisms

Details mechanisms for the lawful international transfer and sharing of personal data.

Framework Scope

Serbia Official Gazette No. 87/2018 — Personal Data Protection Law is adopted by entities processing personal data within Serbia, including public authorities and private organizations. It governs all personal data processing activities in both digital and paper formats, and is typically implemented to comply with regulatory mandates and enhance data protection governance and privacy management programs.

Framework Objectives

Serbia Official Gazette No. 87/2018 — Personal Data Protection Law defines standards for safeguarding personal data and ensuring regulatory compliance.

Safeguard individuals' personal data through effective security controls and measures

Strengthen organizational governance and accountability for data processing activities

Enhance compliance with privacy regulations and national data protection requirements

Promote transparency in data management and risk management practices

Support audit readiness by maintaining records and demonstrating lawful data processing

Reduce cybersecurity risk and improve operational resilience in handling sensitive information

Framework in Context

Serbia's Personal Data Protection Law (Official Gazette No. 87/2018) aligns closely with the EU GDPR and shares key principles with frameworks like ISO/IEC 27701 and OECD Privacy Guidelines. Organizations typically implement this law to achieve regulatory compliance, especially when processing the personal data of Serbian residents or operating within Serbia's jurisdiction.

Common Framework Mappings

Serbia's Personal Data Protection Law is often mapped to international frameworks for streamlined compliance, cross-border data protection, and harmonized privacy practices in organizations operating or partnering globally.

Mapped frameworks include:

CIS Critical Security Controls

EU GDPR

HIPAA

ISO/IEC 27001

ISO/IEC 27002

ISO/IEC 27701

NIST Cybersecurity Framework

NIST Privacy Framework

NIST SP 800-53

SOC 2