Serbia Gets its Standard Contractual Clauses

Serbia Gets its Standard Contractual Clauses

Authors: Bogdan Ivanisevic and Milica Basta, BDK Advokati

The Serbian Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) issued on 16 January 2020 the long-awaited Standard Contractual Clauses (“Serbian SCCs”) that became applicable on 30 January 2020.

Serbian SCCs are not designed as a cross-border transfer instrument first and foremost. Rather, the clauses apply to a controller-processor relationship irrespective of where the controller and the processor operate. In line with that, Serbian SCCs follow the structure of the data processing agreement as prescribed by Article 28 of the GDPR, i.e. by the corresponding Article 45 of the Serbian DP Act (2018).

At the same time, the clauses also have the role of a transfer instrument, and that is why data exporters have been eagerly awaiting their adoption. Like GDPR (Art. 46), Serbian DP Act identifies standard contractual clauses as one of the appropriate safeguards for a transfer of personal data. Currently, data exporters in Serbia can scarcely rely on any alternative safeguards for transfers outside Europe. Codes of conduct or certification mechanisms are still poorly, if at all, developed, and only a limited number of international groups of companies have binding corporate rules (BCRs). Without standard contractual clauses, most exporters would have to seek Commissioner’s transfer approval, which on average takes many months to obtain.

On the other hand, controller-to-controller standard contractual clauses are still missing, because the Serbian DP Act does not authorize the Commissioner to adopt them. For such clauses to ever be issued, the law will have to be changed.

A peculiar feature of the Serbian DP Act is that it makes transfer-serving standard contractual clauses one and the same document with standard contractual clauses to be used by a controller and a processor in a purely domestic relationship. A comparison with the Standard Contractual Clauses for the purposes of Article 28(3) of the GDPR, adopted in January 2020 by the Danish data protection authority, is instructive. The Danish Clauses expressly state that they “shall not be confused with standard data protection clauses [as provided for in the transfer-related Chapter V of the GDPR] and cannot be relied upon by the parties as a transfer tool”. In contrast, under the Serbian DP Act, there are now two distinct types of standard contractual clauses – one governing the legal relationship between the data controller and the data processor in a non-transfer context and one serving for transfers.

Once the European Commission adopts a new version of the EU standard contractual clauses (controller-to-processor), it will be possible to assess whether some important features of the EU document are missing from the Serbian SCCs.

For the time being, a comparison can be made between the Serbian SCCs and the recent recommendations addressed by the European Data Protection Board (the Board) to the Danish supervisory authority, regarding the April 2019 draft of the subsequently enacted Standard Contractual Clauses. Some of the provisions which the Board thought should have made their way into the Clauses are absent from the Serbian SCCs, but they do not seem to be of fundamental importance. For example, the Board considered it important (without further elaborating) to expressly state in the Danish Clauses that, irrespective of the allocation of liabilities among the data controller, data processor, and sub-processor, the rights of the data subjects vis-a-vis each of the three remain unaffected. The final text of the Danish Clauses includes that sentence (Art. 7.7). Serbian SCCs do not include such a sentence, but the omission does not strike an observer as crucial.

As an exception, what might turn out to be important is the absence from the Serbian SCCs of a provision, or a set of provisions, stipulating in detail the technical and organisational measures to be taken by the data processor to provide assistance to the data controller in its efforts to comply with various obligations (concerning data subjects’ rights, data breach, data protection impact assessment, and prior consultation with the supervisory authority). Danish Clauses have included a sub-section (C3) on this, following the Board’s strong recommendation to that effect.

Going back to the primary reason why the Serbian SCCs are much talked-about issue among Serbian data protection practitioners: companies operating in Serbia have a reason to be content with the adoption of the SCCs, an instrument likely to facilitate future data transfers to a significant extent.

Authors: Bogdan Ivanisevic and Milica Basta, BDK Advokati

The Serbian Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) issued on 16 January 2020 the long-awaited Standard Contractual Clauses (“Serbian SCCs”) that became applicable on 30 January 2020.

Serbian SCCs are not designed as a cross-border transfer instrument first and foremost. Rather, the clauses apply to a controller-processor relationship irrespective of where the controller and the processor operate. In line with that, Serbian SCCs follow the structure of the data processing agreement as prescribed by Article 28 of the GDPR, i.e. by the corresponding Article 45 of the Serbian DP Act (2018).

At the same time, the clauses also have the role of a transfer instrument, and that is why data exporters have been eagerly awaiting their adoption. Like GDPR (Art. 46), Serbian DP Act identifies standard contractual clauses as one of the appropriate safeguards for a transfer of personal data. Currently, data exporters in Serbia can scarcely rely on any alternative safeguards for transfers outside Europe. Codes of conduct or certification mechanisms are still poorly, if at all, developed, and only a limited number of international groups of companies have binding corporate rules (BCRs). Without standard contractual clauses, most exporters would have to seek Commissioner’s transfer approval, which on average takes many months to obtain.

On the other hand, controller-to-controller standard contractual clauses are still missing, because the Serbian DP Act does not authorize the Commissioner to adopt them. For such clauses to ever be issued, the law will have to be changed.

A peculiar feature of the Serbian DP Act is that it makes transfer-serving standard contractual clauses one and the same document with standard contractual clauses to be used by a controller and a processor in a purely domestic relationship. A comparison with the Standard Contractual Clauses for the purposes of Article 28(3) of the GDPR, adopted in January 2020 by the Danish data protection authority, is instructive. The Danish Clauses expressly state that they “shall not be confused with standard data protection clauses [as provided for in the transfer-related Chapter V of the GDPR] and cannot be relied upon by the parties as a transfer tool”. In contrast, under the Serbian DP Act, there are now two distinct types of standard contractual clauses – one governing the legal relationship between the data controller and the data processor in a non-transfer context and one serving for transfers.

Once the European Commission adopts a new version of the EU standard contractual clauses (controller-to-processor), it will be possible to assess whether some important features of the EU document are missing from the Serbian SCCs.

For the time being, a comparison can be made between the Serbian SCCs and the recent recommendations addressed by the European Data Protection Board (the Board) to the Danish supervisory authority, regarding the April 2019 draft of the subsequently enacted Standard Contractual Clauses. Some of the provisions which the Board thought should have made their way into the Clauses are absent from the Serbian SCCs, but they do not seem to be of fundamental importance. For example, the Board considered it important (without further elaborating) to expressly state in the Danish Clauses that, irrespective of the allocation of liabilities among the data controller, data processor, and sub-processor, the rights of the data subjects vis-a-vis each of the three remain unaffected. The final text of the Danish Clauses includes that sentence (Art. 7.7). Serbian SCCs do not include such a sentence, but the omission does not strike an observer as crucial.

As an exception, what might turn out to be important is the absence from the Serbian SCCs of a provision, or a set of provisions, stipulating in detail the technical and organisational measures to be taken by the data processor to provide assistance to the data controller in its efforts to comply with various obligations (concerning data subjects’ rights, data breach, data protection impact assessment, and prior consultation with the supervisory authority). Danish Clauses have included a sub-section (C3) on this, following the Board’s strong recommendation to that effect.

Going back to the primary reason why the Serbian SCCs are much talked-about issue among Serbian data protection practitioners: companies operating in Serbia have a reason to be content with the adoption of the SCCs, an instrument likely to facilitate future data transfers to a significant extent.