Protection of personal data is no longer just a formal obligation under the law. Every company that collects data through a website, application, CRM, newsletter, video surveillance, HR processes or contractual relations must know what data it processes, on what basis, how long it stores it and to whom it is transferred.
Legal support in the field of GDPR and ZZPL compliance includes analysis of processing activities, preparation of documentation, regulation of the relationship between the controller and the processor, risk assessment and practical recommendations that can actually be applied in business.
Our goal is to make data protection clear, transparent, and business-usable — without unnecessary theory, generic policies, and documents that don't fit the client's actual way of working.
Data protection areas in which we provide support
- Compliance of business with ZZPL and GDPR rules
- Privacy Policy for Site, Application and Online Service
- Cookie policy and cookie consent solutions
- Personal Data Processing Agreements — DPA
- Data Protection Impact Assessment — DPIA
- Records of processing activities and data mapping
- Personal Data Protection Officer — DPO
- Rights of the persons to whom the data refer
- Data processing of employees, candidates and collaborators
- Video surveillance, access control and communication monitoring
- International data transfer and supplier relations
- Procedure in case of a data breach and communication with the Commissioner
- Legal support for IT, e-commerce, marketing, HR, SaaS, outsourcing and other business models that process personal data
The biggest risk in data protection is usually not that the company does not have a single document, but that the documentation does not follow the actual processing activities. That's why we first analyze how data is actually collected, used, stored and shared, and only then do we prepare the legal framework.
How we can help you
Processing analysis and mapping
We review what data you process, for what purposes, on what legal basis, who accesses it, how long it is stored and whether there are any risk points in the existing way of working.
Documentation creation
We prepare privacy policies, notices, internal procedures, records of processing activities, data processing agreements and other documents required for compliant business.
Contracts and suppliers
We regulate relations between controllers and processors, check DPA clauses, cloud and SaaS providers, sub-processors, international data transfer and liability of contracting parties.
Incidents and Surveillance
We provide support in case of data breach, personal requests, complaints, internal checks, communication with the Commissioner and preparation of responses in situations where a quick and precise reaction is required.
For whom this service is especially important
Data protection is especially important for companies that operate online, have a website or application, use analytics and marketing tools, collect user data, manage client bases, employ a large number of people or hire external suppliers who have access to data.
We put special focus on IT companies, SaaS platforms, e-commerce business, marketing agencies, employers, foreign founders in Serbia, companies that do business with EU clients and companies that have to harmonize local ZZPL obligations with the GDPR requirements of their partners.
Frequently Asked Questions
Is the privacy policy sufficient to comply with ZZPL and GDPR?
Not always. A privacy policy is an important document, but by itself it does not mean that a business is compliant. It is necessary to check the actual processing activities, legal bases, retention periods, rights of individuals, relationships with suppliers, security measures and internal documentation.
What is the difference between a controller and a processor?
The controller determines the purpose and method of data processing, while the processor processes the data on behalf of the controller. In practice, this is important for IT services, marketing, cloud solutions, bookkeeping, HR tools, outsourcing and other relationships where a third party has access to data.
When is a Data Processing Agreement - DPA required?
A DPA is required when one person processes personal data on behalf of another person. For example, it can be a relationship between a client and an IT provider, cloud provider, marketing agency, accounting agency, HR platform or other service provider that processes data on behalf of the client.
Does every company have to appoint a DPO?
Not every company has to have a personal data protection officer. The obligation depends on the type of organization, nature of processing, scope of processing, regular and systematic monitoring of persons, as well as processing of special types of data. However, even when a DPO is not mandatory, it is useful to have a clearly designated person or external advisor for these matters.
Is the employer allowed to process employee data?
Yes, but only in accordance with data protection rules. The employer must know what data he really needs, on what basis he processes it, to whom he delivers it, how long he keeps it and how he informs his employees. Video surveillance, records of working hours, access to official devices and communication monitoring should be arranged especially carefully.
What to do if a data breach occurs?
It is necessary to quickly determine what happened, what data is covered, what is the risk for persons, what measures were taken and whether there is an obligation to notify the Commissioner or the person to whom the data refer. In these situations, it is especially important to document the course of events and the decisions that were made.
What should be sent with a legal inquiry?
It is enough to briefly describe what the company does, what data it collects, through which channels it collects it, whether you have a website, application, employees, newsletter, video surveillance, suppliers or clients from abroad, as well as the documentation you already use. After an initial inspection, we can suggest the most practical next step.
Submit a legal inquiry
If you need help with personal data protection, GDPR or ZZPL compliance, privacy policy, DPA agreement, DPO issues, employee data processing, cookies, video surveillance or data transfer, please send a brief description of your business and the documentation you have.
Contact us
This page is informative and does not constitute legal advice. For a specific assessment, it is necessary to analyze all relevant facts, processing activities, documentation, contractual relations, technical measures and business objectives.