22 Jun 2018

GDPR in Serbia (and Other Non-EU Countries) – A Foreign Investors’ Perspective

The General Data Protection Regulation (GDPR) is currently a global hot topic – and for a good reason. It practically revamps the legal framework concerning Data Protection rules and introduces a whole set of new obligations while imposing massive fines for non-compliance. While the GDPR came into force recently, it is no surprise that many are worried about how it will affect their organizations, as the legislation, under certain conditions, is to be applied worldwide, both inside and outside of the EU.

Given that compliance with the GDPR will be no mean feat, requiring a vast amount of time and resources, no matter how big or small the organization, the Data Protection regime imposed on Serbia and other non-EU countries can be considered somewhat ‘softer’, as it does not affect all companies. This alone can be considered a competitive advantage to foreign investors as it will make doing business in these countries easier in some cases. Namely, as per the GDPR, non-EU companies will be subject to the new Data Protection rules if their personal data processing activities are related to:

  • the offering of goods or services to natural persons who are in the EU, irrespective of whether a payment is required from these persons; or
  • the monitoring of the behavior of natural persons who are in the EU, as far as their behavior takes place within the EU.

The GDPR does not precisely define what it means to “offer goods or services”, especially bearing in mind that the cross-border offering of goods or services to natural persons is nowadays commonly done via online platforms, which can be accessed from all around the globe – including EU countries. In order to assess the risk related to such platforms we must rely on the GDPR’s recitals, which offer some insights. [1]

As per the recitals, simply having a website on which a person accessing it from an EU location (e.g. Budapest, Hungary) can purchase goods or services is not sufficient to impose the application of the GDPR. On the other hand, if the website has a version in the Hungarian language, if it clearly states that the goods or services can be purchased from Hungary and paid in EUR, and if there are, for instance, product reviews made by Hungarians, it will probably be apparent that the website targets EU residents in Hungary and the GDPR will apply.

Additionally, per the recitals, when it comes to monitoring of the behavior of natural persons who are in the EU (specifically, when natural persons are tracked on the internet with the goal of predicting their personal preferences, behaviors and attitudes, or to make decisions that concern them), the GDPR will probably be applicable. In practice, this monitoring of behavior mostly relates to profiling and to modern, sophisticated marketing and promotional strategies.

In line with the above-mentioned criteria, please note that if the foreign investor’s goal is to deal only with information on non-EU residents, such an investor probably does not need to worry about the GDPR. [2] For instance, if a US company intends to outsource some of its IT functions to Serbia, it should not be obliged to comply with the rules set out in the GDPR – which on its own can be considered Serbia’s competitive advantage when compared to the EU member states.

However, if the investor’s business plan includes activities that fall under one of the above-mentioned criteria, such an investor will be obliged to fully comply with the GDPR, almost as if operating in the EU. This obligation applies whether that investor conducts business in Serbia or any other non-EU jurisdiction. In most cases, achieving compliance with the new Data Protection rules will not be an easy task – since this new regime imposes a whole set of obligations, most of which are broadly worded and require a tailor-made approach.

For instance, companies that (i) process personal data on a large scale or that (ii) process personal data as a part of their core business activity will be obliged to appoint a Data Protection Officer. In this case, the meaning of the terms “large scale” and “core business activity” is subject to interpretation, which in practice may require professional legal assistance. Mistakes in this regard are easy to make yet may lead to massive fines, as elaborated below.

The GDPR also codifies the “right to be forgotten”, otherwise known as a “right to erasure”. Namely, this means that an individual, subject to certain restrictions, can demand that a company delete all of his personal data. An individual is also allowed to demand that a company deliver to him all of his personal data in a structured, commonly used format – this is known as a right to “data portability”.

These two obligations lead to several questions, first of all – can you identify all of the personal data that is in the possession of your organization and that relates to a single individual? Can you do it in an automated manner, or will you need to use “brute force”? While it should be possible to use brute force to resolve a single request, this method is often not suitable for dealing with multiple simultaneous requests. Hence, is it necessary to implement certain changes, or to introduce new procedures? These questions are just examples of what an investor needs to worry about if the GDPR applies to his business, and, in our opinion, should be answered by both lawyers and IT experts – preferably in mutual cooperation with the company’s HR and other business units.

There is one more obligation we would like to mention, which specifically affects non-EU residents – an obligation to appoint a representative in the EU. [3] This obligation has two important carve-outs, as it does not apply to:

  • occasional processing of personal data, if it does not include large scale processing of certain special categories of data, and if it is unlikely that such processing will result in a risk to the rights and freedoms of natural persons; or
  • public authorities and bodies.

If such a representative needs to be established, it has to be located in one of the EU member states in which natural persons whose personal data are processed are also located. In other words, if you are offering goods or services to e.g. French and Hungarian residents, and you fall under the obligation to appoint a representative, you must appoint the representative in either France or Hungary, meaning that appointing a representative in Cyprus, for example, would be insufficient.

The competent authorities and data subjects can address this representative regarding all of the GDPR-related issues; however, they can choose to address the subject non-EU resident directly. In case of non-compliance with the GDPR, the representative can be subject to enforcement proceedings, meaning that this role can be, in some cases, considered perilous.

As mentioned above and as often discussed in legal circles, the fines imposed by the GDPR are more than substantial, which is probably one of the main reasons the GDPR is given this much attention worldwide. In case of a significant breach of Data Protection rules, these fines can amount to up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Likewise, for some less significant infringements, fines shall go up to the higher of EUR 10,000,000.00 or 2% of the total worldwide annual turnover.

In addition to the mentioned fines, the risks inter alia include damage to a company’s reputation, and this particular risk is increasingly important due to the recent media attention given to personal data misuses.

To Conclude:

Since the GDPR came into force on May 25, 2018, it is strongly advisable to commence with the necessary preparations to avoid noncompliance and mitigate the GDPR-related risks. The first step in the preparations would be an assessment of whether the GDPR applies to the subject company – which may require a comprehensive analysis of the company’s business operations/practices. If the conclusion of the analysis is that the GDPR is indeed applicable, then it is necessary to prepare and follow through a step-by-step plan that will cover all of the GDPR-imposed obligations. Please note that, if the subject company’s business significantly relies on dealing with personal data, the mentioned process for achieving compliance should commence as soon as possible, as it might be difficult to rush it.

Please note that we have only mentioned some of the Data Protection-related obligations, since the GDPR itself is an 88-page long document with various obligations & nuances, and hence cannot be comprehensively described in this format. However, if you decide that you are in need of legal assistance regarding the application of the GDPR in a non-EU jurisdiction, [4] we at Gecić Law remain at your disposal for any further information.

(Originally published: TerraLex)

[1] Please see recitals 23 and 24 of the GDPR.
[2] We have used the term “probably” since it is not yet clear to what extent the GDPR will be applied to non-EU residents working or traveling in the EU.
[3] For more detailed information on this obligation please see Articles 9, 10, and 27 of the GDPR.
[4] On a side note – most of the non-EU jurisdictions, Serbia included, have their own Data Protection rules that apply no matter the application of the GDPR. Therefore, achieving full Data Protection compliance should be a two-track process, covering both the GDPR and local rules (however, compliance with the local rules is usually much less demanding).