Doing business with Serbian companies: How Serbia follows the GDPR

In case you’re looking to partner up with a company outside the EU, there are probably a lot of questions on your mind. If you’re being responsible, one of those questions is about data safety, and that’s something we also had to think about before starting a project.

That is why we decided to partner up with IT experts from Serbia, who have now been with us for years. Why?

The GDPR is a document regulating data safety across the European Union, so, naturally, many are uncertain about partnering with companies outside the EU who do not have to abide by it. However, at Valcon, we did our due diligence and researched which country would be the best match for European companies. This article is all about Serbian and European laws and how your data is just as safe in their hands. These locations are also used by some of the Netherlands’ leading companies, including large financial institutions. They have assessed the security and are confident in using these locations.

What law protects client safety?

In the EU: GDPR

The GDPR is a law in the EU and it stands for General Data Protection Regulation. It deals with just that – protecting and regulating Personal Data. It is also annexed by a rule which mainly aims to protect persons in terms of their data and its movement to and within a third country.

In Serbia: The PDP Act

The Serbian PDP Act, or Personal Data Protection Act, regulates the same areas as the European GDPR: protecting people’s data and its movement. In its essence, this Act is a mixture of the GDPR and another European directive which is responsible for establishing rules to protect individuals in terms of their data by law enforcement. This directive’s objective is to protect the fundamental human rights to privacy and justice.

However, to perfectly align data processing laws between the EU and Serbia, there are other necessary regulations in place, but these should be implemented on a case-by-case basis.

The GDPR vs. the PDP Act

As you can see from the descriptions above, these two documents are extremely similar and cover the same area. Let’s take a closer look at their similarities, which are far greater in number than their differences.

Both these documents distinguish between controllers and processors, where controllers determine the purpose for the processing of data. The PDP states that the processors responsibilities are the same as they are under the GDPR, and the controller also has the same responsibilities under both laws. This includes:

  • Complying with the Act,
  • Implementing security measures (encryption; confidentiality, integrity, and resilience of processing systems and services; availability and access to Personal Data in a timely manner in the event of an incident; regular testing, assessing, and evaluating of effectiveness),
  • Recording and keeping said records in accordance with the Act,
  • Cooperating with authorities on data protection,
  • Appropriately reporting on security breaches,
  • Complying with the Act’s restrictions on personal data transfers,
  • Appointing a Data Protection Officer,
  • Appointing a representative in Serbia if the controller is based outside it (and is subject to the PDP Act),
  • Keeping data subjects informed about processing,
  • Extending the data subjects’ rights in accordance with the Act.

The case is similar with data subjects, whose rights are the same under both. These include the rights:

  • To be informed,
  • To access,
  • To rectification and supplement,
  • To erasure of personal data,
  • To restriction of processing,
  • To personal data portability,
  • To object.

Another element that is similar in the PDP Act and in the GDPR are the remedies. In legal terms, this means the right to achieve justice in any matter in which legal rights are involved. They both pose that parties have the right to lodge a complaint to authorities, as well as the right to an effective judicial remedy against a controller or a processor.

When it comes to the differences, they are most notable when talking about criminal liability and penalties. In Serbia, all unauthorised collection of personal data is considered a felony; so, everyone who breaches the PDP Act can be held criminally liable. In terms of penalties, both documents propose monetary fines, although the upper limit to them is somewhat lower In Serbia. However, the PDP Act also proposes that those who breach it may need to reimburse the victim for potential damages, both material and non-material.

Can Dutch clients’ information be processed in Serbia?

In short, the answer is yes, and the same goes for all countries in the European Union. The GDPR similarly allows working with companies like Microsoft, Amazon, and Google, which also process personal data outside the EU, notably when support is provided.

Another question clients often ask is whether they need to obtain a work permit (tewerkstellingsvergunning) or a residential permit (verblijfsvergunning) when nearshoring non-EU workers. Part of our nearshoring services is that our workers work from and stay at the locations from where they work. They are employed/engaged by entities in those countries. This means that no work or residential permit is required.

But, it is required that an additional contract is signed, which is called the ‘standard contractual clause.’ When you engage Valcon for its nearshoring services, we will ensure that such a contract is part of our standard contract. Depending on the sector where our clients work, other requirements may apply. For example, financial and healthcare institutions require that a ‘Pre-employment screening’ process is followed for any workers engaged by it or that a local certificate of conduct (Verklaring Omtrent het Gedrag) is shared.

It’s possible, however, that additional measures be taken. Here are the steps you can follow:

1. Assess whether the data is Personal Data or not. If it’s not related to a person, then it isn’t, and the GDPR isn’t applicable. For example, source or test code isn’t personal data, but names, addresses, and photos are.

2. Pay attention to what processing really means. If you can access or see the data on your screen, it’s already been processed – it’s not just a matter of storage.

3. Apply additional safety measures. The most common ones are Standard Contractual Clauses or SCCs, which are contracts that ensure that both parties agree to commit to the GDPR.

4. Get a professional to help with the SCC. The legal terminology and filling in the information can sometimes be a bit confusing, so contacting a paralegal might be the right decision.


As you’ve seen, Serbia is a country whose data safety rules are nearly identical to those in the European Union. From the obligations and rights of various parties to the liability and penalties in cases of breach, the differences are minuscule. There are steps that you can take if you feel there is a need for additional safety measures – SCCs.

But other than the legal coverage, Serbia is the perfect answer to the labour shortage as well. This country is full of IT experts who fill the roles at Valcon perfectly. If you need proof of this, there are many customer success stories on our website, so feel free to read about the cool projects we’ve completed so far!

We’ve already emphasised the importance of carefully choosing an IT partner, and we follow our own advice. That’s why we think that Serbia and the Netherlands are an excellent match – not only are we legally compatible, but in terms of company culture as well.

With hundreds of talented IT professionals from all fields, Valcon is the right partner for your business. If you want more information about how we can grow your business together…

Want to learn more? If you want to learn more, please email [email protected] and we’ll be in touch right away.