top of page

International Data Transfer Without Fear of Multi-Million Fines for GDPR Violation

In the age of information technology, where data flows seamlessly across various applications, platforms, servers, and external service providers, the confinement of data within a single country or organization has become nearly impossible.

Furthermore, the adoption of global business practices is on the rise, with national borders no longer presenting obstacles to the launch of products or services. This evolving business landscape inevitably leads to international data exchange.

Whether you're a B2B company collaborating with a client abroad, sharing information about employees engaged in a client's project, or a global CRM solution provider exchanging data about its employees, it's evident that mutual data sharing, including personal information, is integral to facilitating these relationships.

Explore the necessary steps to avoid substantial fines for violating personal data protection regulations.


First and foremost, determine the relevant legal framework to understand the rules you must adhere to. If your company is based in Serbia, compliance with the Law on Personal Data Protection is mandatory. Additionally, GDPR may apply under certain conditions for extraterritorial enforcement. If your company is EU-based, GDPR is applicable, and other regulations, such as the Swiss FADP or UK GDPR, may also come into play. Establishing your role in the data transfer—whether as a data controller, processor, or sub-processor—dictates the specific obligations you need to fulfill.


Ensure you've entered into the necessary contracts regulating the processing of personal data and international data transfers. Both the domestic Law on Personal Data Protection and GDPR require the regulation of contractual relationships with parties involved in sharing personal data. This contractual agreement is termed a Data Processing Agreement (DPA). The content of the contract is contingent upon your role and the role of the other party. When engaging in international data transfers, determining the destination countries is critical, as it influences the application of Standard Contractual Clauses (SCC) or other mechanisms facilitating adequate data transfer.

Why is concluding Data Processing and International Data Transfer Agreements (DPA) crucial?

Because substantial fines are at stake! Personal data protection regulations outline hefty fines for failing to establish necessary data processing agreements. For instance, the domestic Law on Personal Data Protection imposes fines of up to 2 million dinars, while GDPR penalties can reach up to 10 million EUR (or 20 million for international transfers) or 2% of your global annual revenue (or 4% for international transfers), whichever is higher.


As previously mentioned, determining the countries for personal data transfer and identifying "risky" countries is crucial. "Risky" or "third countries" lack adequate personal data protection levels. From the EU perspective, these may include the USA, China, Russia, and even Serbia. Practically, every data transfer from the EU to these countries is considered risky, necessitating the application of EU Standard Contractual Clauses (SCC) or other GDPR-defined mechanisms.

From a domestic regulatory standpoint, the USA is also deemed inadequate in providing personal data protection, along with other countries like China. Hence, transferring data from Serbia to any of these countries requires the application of Commissioner for Personal Data Protection Standard Contractual Clauses (SCC SRB).


Having addressed the above steps—concluding contracts, applying SCC, you might feel a sense of relief.

Yet, you haven't fully completed your compliance journey.

In line with GDPR and the new EU SCC effective from December 27, 2022, you're obligated to conduct a Data Transfer Impact Assessment (DTIA).

DTIA represents a relatively recent obligation in personal data protection, emerging from the well-known Schrems II decision by the EU Court of Justice, which focuses on data transfer from the EU to third countries.

The court emphasizes that relying solely on EU SCC for data transfers is insufficient. It's essential to assess the risks and consequences of such transfers, ensuring the regulations in the recipient country align with EU standards. Additionally, identifying potential risks, even with applied safeguards, is crucial.

What is DTIA?

Executing a DTIA in advance serves the purpose of identifying and mapping out potential risks in the planned transfer of personal data to a third country.

This process requires documentation and should be carried out before the actual data transfer occurs. The outcome of the DTIA essentially provides an answer to the question of whether you are eligible to transfer data outside the EU.

Who is required to conduct DTIA?

Both the data controller and the data processor, involved in exporting data from the EU/EEA, bear the obligation to conduct DTIA.

This obligation stems from the aforementioned Schrems II decisions, EDPB guidelines for international data transfers, and the EU SCC themselves.

So, if you have adopted EU SCC, the obligation to conduct DTIA applies to your situation.

If you believe that this obligation can be avoided because your company is registered in Serbia, that assumption is incorrect.

Common scenarios where you will be obliged to conduct, or at least participate in, DTIA are those involving business collaboration with EU-based companies.

Given that your EU business partner must adhere to GDPR compliance and your Serbian company operates in a country without an adequate level of data protection, the EU company will have to undertake DTIA. However, to address questions within DTIA related to the regulations of the Republic of Serbia and data treatment practices, you will need to provide responses and elucidate the practices of Serbian state authorities. Consequently, the responsibility for DTIA falls on your shoulders, and the continuation of collaboration with the EU company hinges on your responses to DTIA.

What are the repercussions if DTIA is not conducted?

The consequences of neglecting DTIA can be multifaceted.

Primarily, there is a risk of facing substantial (multi-million) fines for GDPR violations, amounting to 20 million EUR or 4% of your global annual revenue, whichever is higher.

Furthermore, individuals whose data you have processed may take legal action against you, seeking compensation for breaches of their data privacy, as international transfers were conducted without implementing adequate protective measures.

Ultimately, failure to conduct or participate in DTIA, as per the request of your business partners, exposes you to the potential termination or non-realization of business collaboration.


bottom of page