Serbia Official Gazette No. 87/2018 — Personal Data Protection Law

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
Serbia Official Gazette No. 87/2018 — Personal Data Protection Law is a national data protection regulation that helps organizations safeguard personal data and ensure compliance with privacy requirements. The law establishes the principles, rights, and obligations for the processing and protection of personal data within Serbia, aligning with modern standards for data privacy.
Published by the Government of the Republic of Serbia, this law applies to both public and private sector entities that collect, use, store, or process personal data. It covers comprehensive areas including data subject rights, legal bases for processing, information security measures, breach notification, and oversight by the Commissioner for Information of Public Importance and Personal Data Protection.
Organizations achieve compliance by implementing technical and organizational security controls, conducting data protection impact assessments, and maintaining documentation to support regulatory inspections. The law forms the basis for privacy and security governance programs, facilitating risk management and aligning Serbian organizations with broader European data protection frameworks such as the GDPR.
Why it Matters
Serbia’s Personal Data Protection Law establishes essential requirements for safeguarding personal information and maintaining public trust in organizational data practices.
Key benefits include:
• Improve legal compliance
Enable organizations to meet mandatory data protection obligations and mitigate the risk of regulatory penalties or enforcement actions.
• Strengthen accountability measures
Require internal documentation and processes that demonstrate how personal data is handled responsibly and transparently.
• Enhance data subject rights
Support effective mechanisms for individuals to access, correct, or erase their personal information as required by law.
• Increase audit readiness
Facilitate recordkeeping and evidence management, making it easier to demonstrate compliance during external audits or inspections.
• Promote organizational trust
Foster confidence among customers and partners by showing a clear commitment to protecting the privacy of personal data.
How it Works
The Serbia Official Gazette No. 87/2018 — Personal Data Protection Law establishes a comprehensive regulatory framework for the processing and protection of personal data. It structures its requirements around core principles such as lawfulness, transparency, data minimization, and accountability, closely aligning with the GDPR model. Key regulatory requirements address the rights of data subjects, obligations of data controllers and processors, data breach notification, and the appointment of data protection officers.
In practice, organizations implement the Personal Data Protection Law by developing and maintaining security controls, conducting regular risk assessments, and establishing clear governance structures to manage compliance. Typical activities include mapping their operational processes to legal requirements, drafting privacy notices, training staff, updating incident response plans, and maintaining records of processing activities to support ongoing monitoring and regulatory compliance.
With SmartSuite, organizations can operationalize the Personal Data Protection Law by utilizing control libraries to track compliance, leveraging risk registers to document and address data privacy risks, and managing policy governance across departments. The platform also supports evidence collection, compliance tracking, remediation workflows, and dashboard reporting, helping organizations maintain audit readiness and demonstrate accountability in data protection practices.
Key Elements
• Personal Data Processing Principles
Defines core principles for lawful, transparent, and fair processing of personal data.
• Data Subject Rights Management
Establishes procedures for recognizing and enabling individuals’ rights regarding their personal data.
• Controller and Processor Obligations
Specifies duties and responsibilities for organizations handling and safeguarding personal data.
• Data Protection Impact Assessments
Outlines requirements for evaluating privacy risks and implementing mitigating measures before processing activities.
• Supervisory Authority Oversight
Describes the powers and competencies of the national data protection authority to monitor compliance.
• Cross-Border Data Transfer Mechanisms
Details mechanisms for the lawful international transfer and sharing of personal data.
Framework Scope
Serbia Official Gazette No. 87/2018 — Personal Data Protection Law is adopted by entities processing personal data within Serbia, including public authorities and private organizations. It governs all personal data processing activities in both digital and paper formats, and is typically implemented to comply with regulatory mandates and enhance data protection governance and privacy management programs.
Framework Objectives
Serbia Official Gazette No. 87/2018 — Personal Data Protection Law defines standards for safeguarding personal data and ensuring regulatory compliance.
• Safeguard individuals’ personal data through effective security controls and measures
• Strengthen organizational governance and accountability for data processing activities
• Enhance compliance with privacy regulations and national data protection requirements
• Promote transparency in data management and risk management practices
• Support audit readiness by maintaining records and demonstrating lawful data processing
• Reduce cybersecurity risk and improve operational resilience in handling sensitive information
Serbia’s Personal Data Protection Law (Official Gazette No. 87/2018) aligns closely with the EU GDPR and shares key principles with frameworks like ISO/IEC 27701 and the OECD Privacy Guidelines. Organizations typically implement this law to achieve regulatory compliance, especially when processing the personal data of Serbian residents or operating within Serbia’s jurisdiction.
Common Framework Mappings
Serbia’s Personal Data Protection Law is often mapped to international frameworks for streamlined compliance, cross-border data protection, and harmonized privacy practices in organizations operating or partnering globally.
Mapped frameworks include:
CIS Critical Security Controls
EU GDPR
HIPAA
ISO/IEC 27001
ISO/IEC 27002
ISO/IEC 27701
NIST Cybersecurity Framework
NIST Privacy Framework
NIST SP 800-53
SOC 2
- Classification: Category: Data Protection & Privacy; Domain: Privacy; Framework Family: Global Privacy Regulations
- Regulatory Context: Type: Regulation; Legal Instrument: Law; Sector: Cross-Sector; Industry: Cross-Industry
- Region / Publisher: Region: Europe; Region Detail: Republic of Serbia; Publisher: Javno preduzeće Službeni glasnik (Službeni glasnik Republike Srbije — the Public Enterprise Official Gazette of the Republic of Serbia) ([slglasnik.com](https://www.slglasnik.com/node/1837?utm_source=openai))
- Versioning: Version: 2018; Effective Date: August 21, 2019; Issue Date: 13 November 2018
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
Serbia's Personal Data Protection Law (Official Gazette No. 87/2018) is published by the Republic of Serbia and is publicly available via the Official Gazette and government websites.
License included with platform
How SmartSuite Supports SAMA CSF
Manage Saudi Arabia SAMA Cybersecurity Framework (v1.0) by organizing financial sector security controls, tracking implementation across systems, and maintaining evidence supporting regulatory compliance and operational resilience.
Financial Control Framework Library
Structure SAMA control domains with ownership, scope, and implementation status across systems.
Risk Assessment and Regulatory Mapping
Link cybersecurity risks to SAMA controls and financial regulatory requirements.
Policy and Governance Management
Centralize security policies, standards, and approvals aligned to SAMA expectations.
Identity, Access, and Security Operations
Manage authentication, privileged access, monitoring, and operational controls across environments.
Incident Response and Threat Management
Track incidents, investigations, and response workflows aligned to financial sector requirements.
Compliance Monitoring and Audit Reporting
Provide dashboards showing control coverage, risk posture, and readiness for SAMA audits.
Related frameworks

GDPR is an EU regulation that protects individuals' personal data and strengthens organizations' accountability for privacy.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27018 provides guidelines for protecting personally identifiable information processed in public cloud services.

ISO/IEC 27701 extends ISO/IEC 27001 to help organizations manage privacy and protect personally identifiable information.
Frequently Asked Questions For Serbia Official Gazette No. 87/2018 — Personal Data Protection Law
The Serbia Personal Data Protection Law establishes the legal framework for safeguarding personal data in Serbia. Its purpose is to regulate the collection, processing, and storage of personal data to protect individual privacy rights and ensure data is handled lawfully.
Yes, compliance with the Serbia Personal Data Protection Law is mandatory for all data controllers and processors operating within Serbia, or handling the personal data of Serbian citizens. Non-compliance can result in significant penalties and legal actions enforced by the Commissioner for Information of Public Importance and Personal Data Protection.
The law applies to any organization, public or private, that collects, processes, or stores personal data within Serbia. It also covers organizations outside Serbia if they process the personal data of Serbian residents in connection with goods, services, or monitoring behavior within Serbia.
Key requirements include obtaining valid consent from data subjects, ensuring transparency in data processing, implementing adequate technical and organizational security measures, and maintaining records of processing activities. Organizations must also designate a Data Protection Officer (DPO) in certain circumstances and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
Implementation involves identifying all personal data processing activities, mapping data flows, and establishing data protection policies and procedures. Organizations must also train employees on data privacy, implement security controls, and set up mechanisms to handle data subject requests and breaches.
The Serbia Personal Data Protection Law is closely aligned with the GDPR, incorporating similar principles, rights, and obligations for data controllers and processors. However, there are some local adaptations and differences, so organizations should review both frameworks for full compliance if operating across jurisdictions.
Ongoing compliance includes regular updates to data processing records, continuous risk assessments, staff training, monitoring security measures, and timely response to data subject requests and incidents. Annual reviews and updates to policies and procedures are also recommended to address evolving legal and operational requirements.
SmartSuite helps organizations manage compliance with the Serbia Personal Data Protection Law by providing modules for risk tracking, control management, and centralized evidence collection. It enables automated audit readiness workflows, reporting dashboards, and streamlined documentation to demonstrate alignment with legal requirements and support regulatory inspections.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

