COMMISSIONER
FOR INFORMATION OF PUBLIC IMPORTANCE
AND PERSONAL DATA PROTECTION


Pursuant to the provisions of Article 56 of the Law on Personal Data Protection (“Official Gazette of the RS”, No. 87/2018 of 13 November 2018; hereinafter: the LPDP), the Controller and the Processor of personal data ARE OBLIGED to appoint a Data Protection Officer in the following cases:

  1. If processing is carried out by a public authority, except where processing is carried out by a court acting in the exercise of its judicial authority. A “public authority” means a state authority, an authority of territorial autonomy and a local self-government unit, a public enterprise, an institution and other public service, an organization, or any other legal or natural person exercising public powers.
  2. If the core activities of the controller or processor consist of processing operations that, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of a large number of data subjects.
  3. If the core activities of the controller or processor consist of the processing of special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation), or of personal data relating to criminal convictions, criminal offences and security measures, provided that such processing is carried out on a large scale.

Data Controllers and Processors who are required to appoint a Data Protection Officer and fail to do so commit a misdemeanor punishable by a fine ranging from RSD 5,000 to RSD 2,000,000, depending on whether the Data Controller or Processor is a legal entity, an entrepreneur or a natural person. In addition, the responsible person in the legal entity, state authority, authority of territorial autonomy or local self-government unit, branch or representative office of a foreign legal entity shall also be punished.

All other Data Controllers and Processors ARE NOT OBLIGED, but MAY appoint a Data Protection Officer.

Each Data Controller or Processor who is required or who chooses to appoint a Data Protection Officer shall appoint only ONE natural person, and not several.

This clearly follows from the LPDP as well as from the EU General Data Protection Regulation, which served as the basis for the adoption of the national law, not only because the noun “person”, i.e. “officer”, is used in the singular in both texts, but also because of the attributes linked to the position of these persons within the organization (expressed independence and direct accountability to the Head of the Data Controller or Processor, i.e. the highest level of management), which would lose their importance and meaning if they were linked to several different natural persons.

Naturally, the above does not exclude the possibility of establishing a team of data protection experts who, for organizational or other practical reasons, may provide support to the appointed Data Protection Officer. The decision to establish such a team must be the result of a prior assessment by the Data Controller or Processor, taking into account the scope and types of personal data processing, the scope and complexity of overall business processes, the number of employees, the complexity of the organizational structure, financial capabilities, etc. In any case, if a support team is established, the roles and responsibilities of its members (who are not Data Protection Officers) should be clearly defined, just as the LPDP and the GDPR define them with regard to the Data Protection Officer.

Moreover, when a group of undertakings appoints a common Data Protection Officer (which it is entitled to do provided that the officer is equally accessible to each member of the group), this is again ONE natural person, as is the case where Data Controllers or Processors acting as public authorities or competent authorities assess that it is appropriate to appoint a single common Data Protection Officer, taking into account the organizational structure and size of those public authorities.

All those who APPOINT a Data Protection Officer, including those who are not required to do so under the LPDP, ARE OBLIGED to:

  1. Publish the contact details of the Data Protection Officer, and
  2. Submit them to the Commissioner.

Failure to do so constitutes a misdemeanor punishable by a fine of RSD 20,000, RSD 50,000, or RSD 100,000, depending on the same criteria applicable to the offence of failing to appoint a Data Protection Officer.

Based on the submitted data, the Commissioner keeps a Register of Data Protection Officers, which contains the first and last names of Data Protection Officers, their contact details, and the names and contact details of the controllers or processors.

The form and method of keeping the Register of Data Protection Officers are prescribed by the Rulebook on the Form and Method of Keeping the Register of Data Protection Officers (“Official Gazette of the RS”, No. 40/2019), an integral part of which is a form of the following content:

[Image: form]

The data forming part of the Commissioner’s register shall be submitted by the Data Controller or Processor at their discretion, in one or more of the prescribed ways:

  1. in writing, in person;
  2. by post; or
  3. by email to: licezazastitu@poverenik.rs 

Submission of such data to office@poverenik.rs, or to any other email address of the Commissioner, IS NOT IN COMPLIANCE with the adopted Rulebook.

One of the basic obligations of the appointed Data Protection Officer is to cooperate with the Commissioner, to serve as the CONTACT POINT for cooperation with the Commissioner, and to consult with the Commissioner on matters relating to processing, including notification and obtaining opinions in relation to conducted data protection impact assessments of intended processing operations.

For the above reasons, it is VERY IMPORTANT that Data Controllers and Processors, after appointing a Data Protection Officer, submit to the Commissioner valid and usable official contact details of the officer (official telephone number, official email address, address of the registered office of the legal entity, and not a private residential address), so that, if necessary, communication can be established in the fastest and most efficient manner.

The above recommendations imply:

  1. opening a separate email account for the Data Protection Officer, and NOT using or submitting to the Commissioner a general contact email address or an email address used by multiple persons or persons whose correspondence is not related to data protection duties;
  2. providing a separate mobile or landline telephone number for the Data Protection Officer or, alternatively, a switchboard number with an extension enabling direct contact, and NOT providing a general contact number through which all external persons communicate with the Data Controller or Processor, or a switchboard number where one must wait for a free line, or where an answering machine plays lengthy announcements about products, services or other business information.

For all other important facts not covered by this text and relating to the appointment, position, and obligations of the Data Protection Officer, please refer to the statutory provisions, in particular Articles 56, 57, 58, and 95 of the LPDP.

Note:

If a Data Controller had, prior to the commencement of application of the Law, already designated a person to perform certain tasks in the field of personal data protection (for example, in relation to data processing or handling requests of data subjects), there is no obstacle to designating the same person under the Law on Personal Data Protection, provided that the conditions prescribed by the Law are met. The Data Controller or Processor is obliged to notify the Commissioner in accordance with the above.

At this point, we also recommend that you familiarize yourself with:

General Data Protection Regulation (GDPR)

Article 29 Working Party Guidelines on Data Protection Officers

Commissioner for Information of Public Importance and Personal Data Protection

Milan Tomanović – Data Protection Officer appointed by the Commissioner

Bulevar kralja Aleksandra 15, Belgrade

Tel: +381 11 3408 900

Email: lzzpol@poverenik.rs

The Data Protection Officer appointed by the Commissioner performs the duties prescribed by Article 58 of the Law on Personal Data Protection (“Official Gazette of the RS”, No. 87/2018 of 13 November 2018), which include, inter alia, informing and providing opinions to the Commissioner and its employees on statutory obligations relating to personal data protection.

The Data Protection Officer appointed by the Commissioner does not provide legal advice to other controllers or to natural persons whom the Commissioner does not employ.