Data Protection Officer

Data Protection Officer – DPO




One of the services we provide to our clients is the opportunity to perform the person’s duty for personal data protection, in situations where the controller or processors are required by law to appoint that person, or for other reasons they decide to have professional help and support for implementation of this important law and a series of obligations prescribed by this demanding act. Namely, as the Belgrade Bar Association’s Board of Directors has officially taken the stand that a lawyer can be hired in these businesses, i.e. that they are not incompatible with the legal activity, there are no legal obstacles for lawyers to be hired externally by their clients.

Therefore, in addition to the implementation of the solution of the law on personal data protection in the business of clients, drafting the necessary general acts, drafting  records of processing operations, their management, as well as all types of consulting, we also provide formal engagement services as DPO, and that includes enrollment to the register of persons who are in charge of data protection at supervisory authority.

Hence, on your behalf we can perform everything what is necessary in accordance with the Law, both as a DPO and as external consultants for the part of the business related to personal data, existing clients, those who are potential and targeted clients, but also employees or persons who are on another basis engaged.

Among other things, services also include timely informing and advising the controller or processor and or employees who processing personal data for their legal entity or other legal entity. Also, you will be informed in time about all law’s amendments, new bylaws, opinions and instructions of the supervisory authority, which are important for your business. Services also include communication with the Supervisory Authority, as request of the supervisory authority, but also as regarding other important issues and at the same time we will be a contact for all communication to the supervisory authority. This especially includes possibly implementation of the impact assessment procedure when it is necessary and assistance in drafting that act.

When assessing the impact, i.e. deciding whether such an assessment is necessary, we analyze the nature, scope, circumstances and purpose of processing, in order to make the correct decision about the real needs of achieving a certain purpose compared to the potential dangers of such processing.



The new General Regulation (EU ) 2016/679 of the European Parliament and of the council with regard to the processing of personal data on the free movement of such data, No. 2016/679, of 27 April 2016, which enters into force on May 25 2018, and brings new rules that should raise the level of personal data protection of an individual to a significantly higher level. The changes that this Regulation brings, are mostly reflected in the territorial and personal use, then the types of data that are considered personal and much stricter criteria for collecting and processing personal data. The regulation, as a general act provides a framework for more detailed regulation, and allows the Member States of the Union to regulate certain ways of data processing differently, especially when it comes to sensitive data such as biometric, or sensitive categories of persons such as minors. 

For noncompliance with the prescribed rules, the regulation has prescribed strict sanctions, in the form of administrative fines, which range up to a dizzyingly 20 million Euros or 4% of the company’s annual turnover, depending on which value is higher. Of course, the highest penalties are reserved only for categories of processors and controllers who violate the rules with intent or gross negligence, if is the case of sensitive categories of data, also depending on the previous behavior of the controller in terms of data protection and cooperation with the supervisory authority. In any case, the fines are very high and poses a huge risk to the business of companies that have been processing some kind of data as part of their business.

Therefore, the Regulation prescribes the obligation or possibility to provide professional assistance in the form of hiring person for data protection

Engagement of person is an obligation in situations when processing is performed by a public authority, if the main activity of the controller or processor consists of data processing activities that include regular and mass monitoring of data subjects or if their main activity consists mass processing of special category of data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, then data concerning health or data concerning a natural person’s sex life or sexual orientation. The obligation also applies when it comes to data related to criminal and misdemeanor convictions, which register must be kept only under the control of an official body.

It is important to emphasize that this obligation does not apply to courts within the exercise of judicial powers or the performance of a judicial function.

For the sake of economy, but also efficiency, it is possible for a group of related companies or a group of several public authorities to appoint one authorized person for data protection. However, this has been conditioned by ensuring a high level of communication between the person and each related company. When it comes to public agency, it is important to consider the size of the public agency and the required scope of work, and to assess is it possible for one person to perform the function of DPO with more than one body, or more people need to be hired.

In other cases, controllers and processors may engage an authorized person to protect personal data. So, they do not have that obligation, but certainly considering the complexity of legal provisions and the issue of data protection itself, surely recommendation is to have an internally or externally engaged person who is trained to take care of data protection.

The authorized person can also be controller’s or processor’s employee and they are appoint on the basis of professional competence on field of data protection and the ability to respond to the requirements of that kind of job. The authorized person does not even have to be in a permanent employment relationship, but can be hired on another basis.

The data about authorized person have to be published, i.e. the name and surname, as well as the contact details of the DPO must be registered with the Commissioner, in accordance with his form. The Commissioner keeps a register of all Personal data protection persons.

The scope of work of the Person in charge of data protection prescribed by the Regulation in particular includes:

  • Active participation in the preparation of the general act / Privacy Policy, proposing its amendments as well as responsibility for its implementation
  • Control and taking measures regarding to data protection
  • Supervision of the data processing process
  • Proposing and initiating disciplinary proceedings in case of violation of the law or regulation, if this category of work obligations violation is provide by the Controller’s disciplinary rule book or other strict act.
  • Caring about data that are characterized as sensitive
  • Propositioning and taking measures to informing the persons whose data are processed, in accordance with the law and other regulations
  • Constant control of processing in order to check the necessity of processing, the required scope and Lawfulness of the purpose of data processing
  • Control of the data storage limits and ensuring to compliance with the principle of minimization the processing time
  • Ensuring the availability of rights to persons whose data have been collecting and processing, in accordance with their rights
  • Informing person about the changing the purpose of processing and creating and requesting additional consent when it is necessary
  • Informing the person and the supervisory authority about security problems or other types of  law’s and regulation’s rules breach, within the period provided by the Regulation.
  • Keeping or organizing records of data processing activities, as well as regular updating of that records
  • Ensuring adequate treatment of the employees personal data
  • Education and training of the employees in order to more effectively implement the Regulation’s rules, which has purpose to minimize the risk of the protection’s rules breach
  • Monitoring regulations, and informing the competent persons at the Controller about new rules that must be implemented in business and general and individual acts
  • Competent person’s reporting at the Controller about the data state and security measures that have been taken



If your business needs data protection service or personal DPO solution, our law office is right place for you. With years of experience and data protection practicing, we have been already established in data protection law, for many years. Our lawyer, Dragan Milić is one of the most popular lecturer in this legal area, and hundreds of Data protection officers attended his seminars and education courses.