Data Governance

Marinovic points to Serbia’s need for more specialized staff to meet GDPR demands

The data protection supervisory authority in Serbia has voiced criticism over the central Balkan state’s approach to data protection.

In an appearance on state television recently, Marinovic said that the implementation of the Data Protection Act 2018 should be pushed further into the future.

Serbia’s new Information Commissioner argued that the Act should come into law on 21st August of this month, in respect of the nine-month grace period afforded when the law was adopted in Novemeber 2018.

Now, Marinovic has expressed his desire for a further one-year delay, citing the suspicious credibility of elements of the law’s policy. He claims that “society at large”, “governmental agencies, data controllers and data processors” are “not ready” for the Data Protection Act – a stance that critics say is lacking detail.

Marinovic has also said that the agency which he now heads is suffering from a shortage of suitably qualified data protection specialists, a claim that has substance in light of the fact that the Serbian supervisory authority has received no new workers since the introduction of the General Data Protection Regulation (GDPR).

The new EU data laws call upon European nations to take a proactive approach to mobilizing the new standards of the GDPR, which in turn calls on larger workforces and more comprehensive staffing measures within respective regulatory bodies.

This fresh call to postpone Serbia’s Data Protection Act will come as bad news for companies that have gone to lengths to accommodate the new EU laws. If the Serbian government decides to defer to Marinovic’s demands, organisations would have to re-strategise to ensure that they still fully meet the requirements of 2008’s version of the law.

The outdated Data Protection Act does not recognise “legitimate interests” as a legal basis for data processing. It also insists upon a written form of consent for data use and obliges controllers to tell the regulator of every set of processing operations which must then be registered with the data protection authority.