ZZPL

Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti), Official Gazette RS No. 87/2018

Flag of RS
SerbiaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
August 21, 2019
Enacted
November 9, 2018
Enforcing Authority
Commissioner for Information of Public Importance and Personal Data Protection
Consent Model
Opt-in
Applies To
Any organization processing personal data of individuals in Serbia

Overview

Serbia's ZZPL is modeled on GDPR principles but with significantly lower penalties. As an EU candidate country, Serbia is expected to align fully with EU data protection standards as part of the accession process. Cookie-specific legislation is being drafted as of early 2025.

What This Means for Your Website

  • Prior consent is required before placing cookies that process personal data of Serbian visitors
  • Interactive cookie banners must provide full disclosure of cookie types
  • Users must be able to accept or reject cookies and change their settings later
  • Penalties are modest (~EUR 17,000 maximum) compared to GDPR levels

Key Requirements

The Commissioner for Information of Public Importance and Personal Data Protection enforces the ZZPL. Maximum penalties are RSD 2,000,000 (approximately EUR 17,000), significantly below GDPR levels. The law follows GDPR principles for consent requirements, and cookie-specific legislation is being drafted to provide more explicit cookie rules.

How ConsentStack Handles This

ConsentStack presents Serbian visitors with an interactive consent banner providing full cookie type disclosure. Users can accept or reject and modify their preferences at any time.

Penalties

RSD 50,000-2,000,000 (~EUR 430-17,000). Significantly lower than GDPR maximums.

Maximum Fine
RSD 2,000,000 per violation

Key Requirements

  • Prior consent before placing cookies that process personal data
  • Interactive cookie banner with full disclosure of cookie types
  • Users must be able to accept or reject and later change settings
  • Consent must be freely given, specific, informed, and unambiguous
  • Data subject rights aligned with GDPR principles

Notable Provisions

  • Penalty range significantly lower than GDPR (max ~EUR 17,000)
  • Cookie-specific legislation being drafted as of January 2025
  • EU candidate country — GDPR alignment expected
  • ZZPL modeled on GDPR principles

Other Europe Regulations

GDPREuropean Union + EEA
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECRUnited Kingdom
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy DirectiveEuropean Union + EEA
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
FDPAFrance
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.
UK GDPRUnited Kingdom
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does Serbia have a cookie-specific law?

Not yet. Cookie consent falls under the general ZZPL data protection framework. Cookie-specific legislation is being drafted as of early 2025.

What are the cookie penalties in Serbia?

Up to RSD 2,000,000 (approximately EUR 17,000) — significantly lower than GDPR penalties.

Is Serbia aligning with GDPR?

Yes. As an EU candidate country, Serbia is expected to fully align with EU data protection standards during the accession process.

Stay compliant with ZZPL

ConsentStack helps you implement Opt-in consent for Serbia automatically.

Get started free