Preparing for a Data Protection Inspection Supervision – Step-by-Step Guide for Companies

30 Jun 2025

In today’s business environment, compliance with personal data protection regulations has become an essential part of risk and reputation management. Following the alignment of Serbian legislation with the European standards set out in the General Data Protection Regulation (“GDPR”), companies in Serbia are increasingly subject to inspection supervisions carried out by the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”). Inspection supervisions are becoming more frequent, along with the growing need for companies to demonstrate compliance, not only formally but also through consistent application of data protection rules in day-to-day operations.

Legal Framework: What Does the Law Require From You?

The Law on Personal Data Protection (Official Gazette of RS, No. 87/2018) requires that all entities processing personal data must do so lawfully, transparently and responsibly.

The key obligations of data controllers include:

  • clearly defining the legal basis and purpose of the data processing;
  • informing data subjects in a transparent manner about the processing of their personal data;
  • obtaining consent for processing where required;
  • respecting the rights of data subjects;
  • implementing appropriate technical and organizational security measures;
  • maintaining a record of processing activities.

What Does the Commissioner Examine During an Inspection Supervision?

An inspection supervision typically involves both a review of documentation and an assessment of how adopted procedures are implemented in practice. The Commissioner particularly focuses on the following aspects:

  • whether the controller maintains a record of processing activities;
  • whether data subjects are adequately informed, in a transparent manner, about key aspects of the processing of their personal data;
  • whether valid consents have been obtained where necessary;
  • how the data controller handles data subject requests (e.g. right of access, rectification, erasure);
  • whether employees are familiar with internal data protection rules and adequately trained to comply with the relevant legal requirements;
  • what technical and organizational security measures are in place;
  • whether data processing agreements have been concluded with external processors;
  • whether the controller transfers personal data abroad and, if so, whether such transfers are carried out in accordance with the Law on Personal Data Protection.

Practical Steps for Successful Preparation

Preparing for inspection supervision requires a systematic and proactive approach. Compliance with personal data protection regulations should not be treated as a one-time task triggered only by an upcoming inspection supervision, but rather as an ongoing process that enables the company to be continuously prepared and confident in its compliance.

To achieve this, it is important to take the following steps:

  1. Organize documentation – Prepare in advance all relevant data protection documents, including privacy policies, internal procedures, data processing notices, consents, records of processing activities, and data processing agreements. All documentation should be properly maintained and readily accessible.
  2. Train your employees – Regular training sessions and raising awareness about the importance of compliance with the Law on Personal Data Protection help reduce the risk of mistakes.
  3. Review contracts with partners – Ensure that all contracts with external partners comply with the applicable legal requirements.
  4. Conduct regular internal audits – Carry out regular internal compliance checks and address any potential shortcomings before an inspection supervision takes place.
  5. Appoint a Data Protection Officer (DPO) – Do this even if your organization is not legally required to appoint one. The DPO can be an internal employee or an external expert, such as a lawyer.

Final Remarks: Inspection Supervision as an Opportunity to Improve Business Practices

Inspection supervision should not be a cause for concern, but rather an opportunity to assess and improve your business operations in line with legal requirements. Proper preparation and ongoing compliance protect your organization from high monetary fines and reputational harm.

If you are unsure about your level of compliance or need support in preparing for inspection supervision, expert legal advice or the assistance of a data protection professional can make a significant difference.

Sonja Stojčić
Senior Associate
sonja.stojcic@prlegal.rs; legal@prlegal.rs;