The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council and the European Commission (EC) strengthen and unify the protection of personal data in the European Union (EU). It also deals with the presentation of personal data outside the EU, which is unique in this field because it “hits” countries that are not members of the EU, but use the data of citizens who are citizens of one of the member states of the Union.
The Regulation entered into force on May 25, 2018 and replaced the Personal Data Protection Directive (Directive 95/46/EC). For now, this ordinance has indirect consequences for Serbia and Serbian consumers, although its importance will grow due to the harmonization of domestic legislation through the process of Serbia’s accession to the EU.
The GDPR clearly defines its scope, and foresees that any organization that processes the data of EU citizens in any way will have to comply with the new rules on the protection of personal data, even if it is based outside the EU. Under the GDPR, organizations that violate these provisions may be fined 4% of annual global revenue or €20,000 (whichever is greater).
Serbia is waiting for a new law on the protection of personal data, which should be fully in line with the GDPR and thus be within the EU standards. This is very important for companies engaged in market research, as well as for citizens of Serbia who, using the Internet, regularly submit certain personal data and give consent (often and unconsciously) for their data to be used for analysis and research.
In the field of market research, the key provisions of the GDPR relate to the collection and use of any personal data, as well as the purposes of the research itself. Namely, it must be clear to the respondent at all times what the research is about, what the specific question is for, that an explanation is given as to what the specific personal data is for in relation to the specific question from the questionnaire, and that contact information or data that can connect the specific respondent with the answers cannot be disclosed. Therefore, in the analysis, it is allowed to use data related to gender, age, education and the like, but if the respondent voluntarily leaves a phone number or e. address, they may not be used in the analysis, nor may they connect the answers given by the respondent with contacts, name, surname, address or anything that would connect the answers with a specific person. Also, contact data must not be used for any purpose other than what the respondent has given permission for, and the respondent should be clear about how to delete or request to delete their contact information.
Our company got to know and prepared for the new circumstances in time, and our business, which we have been conducting until now in accordance with the domestic Personal Data Protection Act and ESOMAR standards, has been harmonized with GDPR norms since May 25. Most of the changes were made to our market research software, which is fully compliant both with domestic legislation and with the conditions prescribed by the GDPR.