In the digital era, the protection of personal data has become a fundamental priority for both citizens and businesses. The General Data Protection Regulation (GDPR), together with the Personal Data Protection Law of the Republic of Serbia (ZZZPL), sets strict standards for the processing of personal data. Our law firm provides comprehensive legal support to help you meet these obligations, safeguard your rights, and address potential privacy violations.

What is GDPR and why is it important in Serbia?
The GDPR is a legal framework of the European Union adopted in 2018, which regulates the protection of personal data of EU citizens. Although Serbia is not an EU member, the GDPR applies to all organizations in Serbia that:

- process the data of EU citizens (e.g. companies selling products or services in the EU market);

- collaborate with EU partners that require GDPR compliance;

- wish to align their activities with international standards.

In addition to the GDPR, Serbia has its Personal Data Protection Law (ZZZPL), adopted in 2018 and harmonized with the GDPR, which applies to all organizations and individuals processing the personal data of Serbian citizens. This law imposes obligations such as transparency, data security, and respect for citizens’ privacy rights.

In 2025, the Commissioner for Information of Public Importance and Personal Data Protection intensified oversight of compliance, and penalties for violations can reach up to RSD 2 million for legal entities—or even higher in the case of GDPR sanctions (up to EUR 20 million or 4% of annual turnover for serious breaches). This makes compliance with GDPR and ZZZPL a priority for every company and an opportunity for citizens to protect their rights.

What are the key obligations under GDPR and ZZZPL?
Organizations that process personal data (e.g. names, addresses, emails, health data) must comply with the following requirements:

Lawful data processing: Data may only be collected with the consent of the individual or on a legal basis.

Transparency: Citizens must be informed about how their data is used, for what purpose, and for how long it is stored.

Data security: Businesses must implement technical and organizational measures (e.g. encryption, database protection) to prevent data leaks.

Citizens’ rights: Individuals have the right to access, rectify, erase (“right to be forgotten”), restrict processing, and transfer their data.

Appointment of a Data Protection Officer (DPO): Certain organizations must appoint a data protection expert.

Incident reporting: Data breaches must be reported to the Commissioner within 72 hours.

Why is this important for you?

For businesses: Non-compliance with GDPR and ZZZPL may result in significant penalties, loss of customer trust, and reputational damage. Compliance ensures competitiveness in international markets and builds customer confidence.

For citizens: If your data is misused (e.g. unauthorized publication online, data leaks from a database), you are entitled to legal protection and compensation.

Current challenges in Serbia: In 2025, the Commissioner recorded an increase in citizen complaints regarding unauthorized data use, especially in healthcare, banking, and e-commerce sectors. Small and medium-sized enterprises are often insufficiently informed about their obligations, leading to unintentional violations.

Practical examples:

Data breach: A client discovered that their personal data (name, address, identification number) had leaked from a corporate database. Our firm initiated proceedings before the Commissioner, resulting in a penalty for the company and compensation for the client.

Corporate compliance: We assisted a retail company in aligning its operations with the ZZZPL by drafting privacy policies and training staff, thereby avoiding potential penalties after an inspection.

Online privacy violation: We represented a client whose photos were published on social media without authorization, securing removal of the content and obtaining compensation.

How can we help?
Our law firm provides specialized legal services for GDPR and ZZZPL compliance and the protection of citizens’ rights in cases of data violations. Our services include:

Compliance review: Analyzing business processes and documentation to identify compliance areas and recommend necessary adjustments.

Drafting documentation: Preparing privacy policies, consents, data processing agreements, and incident management procedures.

Staff training: Organizing workshops for your staff on data rights and legal obligations.

Legal representation: Assisting citizens whose data has been misused and representing them before the Commissioner or the courts.

Cybersecurity consulting: Collaborating with IT security experts to provide comprehensive protection.

Filing complaints: Supporting citizens in exercising their rights of access, erasure, or rectification of data before organizations or the Commissioner.

Contact us
If you are a business seeking to comply with GDPR and ZZZPL, or a citizen whose data has been misused, our law firm is here to provide professional assistance. Contact us by phone, via email at info@nikoliclegal.rs, or through the contact form on our website.