Bogdan Ivanišević speaks to Startit about the initiative to postpone implementation of Data Protection Act

Newly appointed head of Serbian data protection supervisory authority recently stated that implementation of Data Protection Act 2018 should be postponed. Possible delay in implementing the new law attracted attention from the local media and specialized organizations. One of those, Startit, interviewed BDK Advokati partner Bogdan Ivanišević on this topic, together with Rodoljub Šabić – former head of Serbian data protection supervisory authority, and representatives of the Share Foundation.

Bogdan stressed that companies with presence in the Serbian market have been preparing for the implementation of the new law under assumption that it would come into force on 21 August this year. The decision to postpone its implementation would have considerable negative impact on such businesses. They would have to “go back” and erase a good part of what they did in the past year to prepare for the new law, Bogdan added.

Bogdan illustrated the consequences of delay in implementation of the law with a situation that companies may face in practice. “People had in mind that under the new law legitimate interest is often the legal basis for data processing, instead of individual’s consent which is the dominant legal basis under the data protection act from 2008. They counted with not having to notify the supervisory authority about the intended data processing because the new law does not require notification. They may have arranged for a transfer of data to a non-European country, in the understanding that in accordance with the new law it would not be required to seek transfer authorisation from the supervisory authority.” Bogdan added that, if the companies could have anticipated that the new law would not be implemented, they would have turned to the supervisory authority and collected the consents, instead of waiting for the 21st of August.

He emphasized that postponement in the application would not be to the benefit of the supervisory authority, data controllers, and data processors. “The implementation would push them into taking more seriously the need to build the capacity to act in accordance with the new law”, Bogdan concluded.