GDPR for Websites in Serbia

GDPR applies directly if your site processes data of EU citizens (visitors or customers from the EU). Serbia also adopted the Law on Personal Data Protection (ZZPL) in 2018 which is largely aligned with GDPR and applies to every site processing data of Serbian citizens. In practice, most Serbian sites must comply with ZZPL, and those with EU visitors with GDPR.

The Commissioner for Information of Public Importance can impose fines for ZZPL breaches. For legal entities, fines go up to €18,803.42; for sole proprietors up to €4,700.85. GDPR fines can reach 20 million EUR or 4% of annual turnover (whichever is higher). Beyond fines, non-compliance damages reputation and user trust.

Strictly speaking, if you use only essential cookies (session, login, cart), you do not need a consent banner. However, if you use Google Analytics, Facebook Pixel, YouTube embeds or any marketing/analytics tool, you are required to have a cookie banner with granular consent options.

You can use free generators (e.g. PrivacyPolicies.com, Termly.io) as a starting point, but adapt it to your site. The policy must be in plain language and include: who processes the data, what data is collected and why, legal basis, retention period, sharing, user rights and contact. For complex cases, consult an IT lawyer.

BeoHosting provides the technical infrastructure for compliance: free SSL for data encryption, servers with security measures (firewall, DDoS protection, backup), and the ability to install cookie consent plugins for WordPress. BeoHosting also stores data per ZZPL and provides a Data Processing Agreement (DPA) on request.