Introduction In the contemporary legal landscape, data privacy stands as a paramount concern, with the General Data Protection Regulation (GDPR) serving as the cornerstone legislation governing the processing of personal data within the European Union (EU) and beyond. Article 30 of the GDPR imposes a pivotal obligation on data controllers and processors to maintain a meticulous Record of Processing Activities (ROPA). This article endeavors to elucidate the intricacies surrounding Article 30, offering practical insights and dissecting the evolving practices of Data Privacy Authorities concerning ROPA compliance. Understanding Article 30 of GDPR GDPR Recital 82 states: “In order to demonstrate compliance […]
DetailsOn July 10, 2023, the European Commission (“Commission“) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). The decision concludes that the United States (“US”) ensures an adequate level of data protection – comparable to that of the European Union (“EU“). What does this mean for EU Individuals and Businesses? The much-anticipated decision brings a conclusive resolution to the legal uncertainties surrounding the export of EU users’ data by US companies, an issue that has troubled thousands of businesses in recent years. The General Data Protection Regulation (“GDPR“) empowers the Commission to determine, through an implementing act, whether […]
DetailsAlthough the Personal Data Protection Act (“Act“) has been in effect for four years, it seems that its provisions have not yet been fully implemented in practice, nor have all companies in Serbia fully adapted to them. Non-compliance with the obligations prescribed by the Act especially starts hurting when inspections are carried out by the Commissioner, and a new round is being announced. So, let’s take a moment to revise what companies should pay attention to when it comes to complying with the Act. Back to basics The general obligations of companies are contained in the principles of the Act. […]
DetailsWhy Schrems? The EU’s trust in the processing of personal data seems to be shaken. With the famous case Maximillian Schrems v Facebook Ireland Limited pending before the Austrian Supreme Court (“Court“) for a while now, Maximillian Schrems requested the Court to refer four questions to the Court of Justice of the European Union (“CJEU“) concerning the lawful use of personal data of all Facebook users from the EU. So, who is Maximilian Schrems? Maximillian Schrems is a law student from Austria and a personal data protection activist who has been extremely vocal about data protection before EU authorities. […]
DetailsWhat do Facebook, WhatsApp and TikTok have in common? Well, they are social media giants, with billions of users all around the world. But there is something else that these platforms have in common that is worthy of attention. Lately, they have all been “hunted down” by regulators over their data policies. So, we wanted to take the time to say a few words on the TikTok case. What makes the TikTok case special? As most of you already know, TikTok is a social media platform used to make short-form videos that last between 15 and 60 seconds. The videos […]
DetailsIn addition to numerous novelties and changes in Serbian legislation, the beginning of this year was also marked by the legal regulation of archiving materials and similar documentation, which attracted significant attention. The new Archival Material and Archival Activity Act (the “Act“) is not only an important step towards improving the protection of archival material and regulating archival activity but also towards developing awareness of the importance of preservation of archival material, since that helps “protect” the history of our country. Until recently Serbia did not have a specific act that would comprehensively regulate the issue of archival material and […]
DetailsAlthough it has been more than a year since the new Personal Data Protection Act (“Act”) entered into force in Serbia, some of its provisions are not yet fully applicable. One clear-cut example is Article 44 of the Act, which requires foreign companies (therefore those who does not have a registered business seat in Serbia) to appoint a Personal Data Protection Representative for Serbia (“Representative”). Who is the Representative? This provision, (as well as the majority of the Act’s provisions), was adopted from Article 27 of the General Data Protection Regulation (“GDPR”) and refers to any personal data controller and […]
DetailsNot so long ago, on May 25, 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR has been a subject of great interest and discussion, even prior to its implementation, due to its application on entities all over the world – inside or outside the European Union (EU). Although the GDPR has, practically, changed the legal framework in relation to the rules on data protection, and introduced a whole set of new obligations while imposing massive fines for non-compliance, the real implications of the application of the GDPR are yet to be seen, especially on non-EU entities. […]
Details