Twitter Logo Youtube Circle Icon LinkedIn Icon


Serbia > Legal Developments > Corporate & Commercial > Law firm and leading lawyer rankings


Press releases and law firm thought leadership

This page is dedicated to keeping readers informed of the latest news and thought leadership articles from law firms across the globe.

If your firm wishes to publish press releases or articles, please contact Shehab Khurshid on +44 (0) 207 396 5689 or


Transaction complete: Mid Europa Partners sells Bambi

The leading private equity investor in Central and Eastern Europe Mid Europa Partners sold Bambi, the leading Serbian biscuit and confectionary maker, to Coca-Cola HBC. The sale was completed on 18 June, and Bambi, one of the most recognisable brands in Serbia, will continue its development under Coca-Cola HBC.

Welcome to the Slovenian Legal Market

This article is written by Marko Ketler and originally published in Issue 6.4 of the CEE Legal Matters Magazine.

Investing in the Slovenian Automotive Production Industry

This article was written by Igor Angelovski and was originally published in Issue 6.2 of the CEE Legal Matters Magazine. 

Karanovic & Partners wins the Law Firm of the Year Award

We are proud to announce that Karanovic & Partners is the 2019 winner of the prestigious Law Firm of the Year award, in the Eastern Europe and the Balkans category. 

Serbia: The Registration Of Ultimate Beneficial Owners

February 2019 - Corporate & Commercial. Legal Developments by Karanovic & Nikolic.

More articles by this firm.

As of 31 December 2018, the Central Registry of Ultimate Beneficial Owners was established within the Serbian Business Registers Agency (the “Registry”), in line with the Law on Ultimate Beneficial Owners (“Official Gazette of the RoS no. 41/2018).

Serbia Enacts a New Data Protection Law

November 2018 - Corporate & Commercial. Legal Developments by Karanovic & Nikolic.

More articles by this firm.

In light of the new EU data protection scheme, shaped by the GDPR, Serbia has enacted a new Data Protection Law on 9 November 2018, with its' applicability postponed for 21 August 2019. The new law was long-awaited: it has been 10 years since the existing law was passed, which was even at that moment already outdated (e.g. it recognized only consent in the written form and almost completely restricted data transfers to non-European countries).

The new law presents a copy of the GDPR to a large extent – perhaps too large, as the critics of the new law (including the Serbian Data Protection Authority, "DPA") argued that the implementation of the GDPR was performed badly, without the much needed harmonization with the Serbian legal framework. In addition, the GDPR's recitals (all 173 of them) were not copied or otherwise implemented in the new law, potentially creating a number of issues in its future interpretation. The new law also failed to regulate certain important data protection aspects, such as video surveillance, which are regulated in the EU via other community and national pieces of legislation. 

That being said, the new law undoubtedly marks a revolution in the way personal data should be handled in Serbia, similarly to what GDPR did for the EU - and perhaps even more so, since the EU's previous data protection framework was far less outdated then in the case of Serbia. It is rightfully expected to result in an extensive range of adjustment activities performed by Serbian companies, not just legal but also technical and organizational ones, in order to prepare for the comprehensive changes that will be introduced in nine months.

Some of the most important changes are summarised below.

The scope of the new law

The new law will not apply only to the processing of data carried out by Serbian controllers and processors, but also by the ones based outside of Serbia whose processing activities relate to the offering of goods or services (even for free) to or monitoring the behaviour of Serbian data subjects within Serbia. For example, a company outside of Serbia targeting consumers in Serbia will be subject to the new law, which was not the case so far. As a result, a number of these controllers and processors will need to appoint their representatives in Serbia, to be addressed by the DPA and the data subjects on all issues related to processing.

 Data processing consent: new forms and stricter requirements

As opposed to the existing law, which recognizes only hand-signed consent in the written form - creating significant issues in the digital age, the new law explicitly introduces other forms as well, such as online and oral consent, or consent by other clear affirmative action, provided that the controller is able to demonstrate that the data subject has indeed consented.

On the other hand, the conditions for obtaining consent have become much stricter – it must be freely given, specific, informed and unambiguous. For example, there is a presumption that consent will not be valid unless separate consents are obtained for different processing operations, where appropriate, and the request for consent - when presented in a written document, must be clearly distinguishable from all other matters, using clear and plain language - i.e. catch-all clauses will not be valid. In addition, consent will not be considered freely given if the performance of a contract is conditional on the consent to the processing of personal data that is not necessary for its performance.

Consent is not the only legal ground for data processing – others exist as well, such as the performance of the contract, compliance with legal obligations or processing necessary for legitimate interests, and will in fact be used much more often than consent.

New and expanded data subjects' rights 

The new law significantly expands the existing right of individuals to receive information about the processing of and access to their personal data. Data controllers must provide transparent information to data subjects in a more comprehensive manner, and in particular must inform data subjects of certain rights - such as the ability to withdraw consent, and the period for which the data will be stored. The information needs to be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language. However, this will be hard to achieve given the fact that the elements that need to be included in the information are quite excessive, which should be carefully addressed by the companies when analysing and updating their existing information notices.

In addition, the new law introduces a new right to data portability, and provides additional details concerning the erasure of personal data. The right to data portability gives an individual the right to demand that the controller provides him with his personal data, or to transmit them directly to another controller, in a machine readable format, if the relevant processing was automatic and based on consent or the fulfilment of a contract. The right to erasure binds the controller to erase the data without undue delay upon the individual's request if the personal data is no longer necessary for the purpose of processing, if there is no legal basis for processing - including cases where consent has been withdrawn, or if the data is otherwise processed contrary to the law, and even requires that the controller uses reasonable measures to notify other controllers processing the same data about the received erasure request.

Removal of the database registration obligation

One of the important novelties under the new law is the removal of the existing obligation to register personal databases with the DPA, which was mostly ignored so far in Serbia. Under the new law, controllers and processors will only be required to internally maintain the database records and, in certain cases, even that obligation will not apply to companies with up to 250 employees. The maintenance of the Central Register of Databases, established under the existing law, has even been terminated with immediate effect by the new law.

Data Protection Officer

The controllers and processors will be required to designate a data protection officer ("DPO"), whose primary tasks will be to ensure compliance with the data processing legislation and to communicate with the DPA and the data subjects on all data protection matters. This obligation applies if: (i) the processing is carried out by a public authority, (ii) the core activities of the controller/processor require the regular and systematic monitoring of data subjects on a large scale, or the large scale processing of special categories of personal data - e.g. health data or trade union memberships, or criminal convictions/offences data.

The DPO may be employed or engaged under a service contract, and in any case must have sufficient expert knowledge. A group of companies may appoint a single data protection officer, provided that he is equally accessible by each company.

The controllers and processors are required to ensure the DPO's independence in the performance of his tasks, meaning that no instructions may be given to him, that he reports directly to the manager of the controller/processor and that he may not be dismissed or penalised for performing his tasks.

Accountability, data security and privacy by design & by default

Same as with the GDPR, the new law introduces burdensome accountability obligations on data controllers, which are required to "demonstrate compliance". This includes their obligation to: (i) implement, maintain and update appropriate technical and organisational measures to ensure a level of security appropriate to the risk - taking into account the state of the art, the associated implementation costs etc., (ii) have in place certain documentation, such as data protection policies and records of processing activities, (iii) implement data protection by design and by default, and, (iv) conduct a data protection impact assessment for processing operations which are considered more of risk to the rights and freedoms of individuals.

Data protection by design requires the controllers to adopt, as well as maintain and update when needed, appropriate measures - such as pseudonymisation, data minimisation, etc., which will integrate the safeguards necessary for processing. Data protection by default, on the other hand, requires the controllers to adopt measures so that, by default, only the processing which is necessary for the specific purpose will be possible (e.g. that, by default, privacy settings on one's social network profile do not make his data public).

Liberalised data transfer concept

The data transfer regime has been completely revamped and liberalised under the new law, which is a much welcomed change from the current overly restrictive concept - which requires controllers to obtain prior approval from the DPA for transfers to non-European countries. The new law explicitly applies to both direct and indirect data transfers, unlike the existing law for which it is not fully clear whether it covers indirect transfers at all.

Under the new law, controllers will be entitled to transfer personal data abroad if one of the following conditions (amongst others) is met:

  • personal data is to be transferred to a country that ratified the Council of EuropeConvention for the Protection of Individuals with regard to the Automatic Processing of Personal Data;
  • data transfers are performed to a country included on the EU list or the Serbian Government's list of countries providing an adequate level of data protection;
  • data transfers are performed to a country which has a bilateral agreement with Serbia regulating data transfers;
  • the transfer is based on the standard contractual clauses prepared by the Serbian DPA;
  • the transfer is based on binding corporate rules or a code of conduct approved by the Serbian DPA, or on certificates issued in accordance with the new law;
  • the Serbian DPA has issued a specific approval for the transfer to be performed on the basis of an agreement between the data exporter and the data importer; and,
  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks.

This should enable much more options for the transfer of data to non-European countries, especially once the DPA prepares the standard contractual clauses - which should be based on the ones approved by the EU Commission. In addition, it is expected that the process of obtaining the DPA's approval for such transfers will be more efficient, and should be completed within 60 days - currently the procedure often lasts for more than one year.

Personal data breach obligations

Data breach obligations present a significant novelty introduced by the new law, as they previously existed only for controllers in specific sectors. Under the new law, data controllers will generally be required to document each data breach, as well as to notify the DPA of most of them, without undue delay and, when feasible, within 72 hours after becoming aware of the breach. In addition, data processors will have to notify the controllers of the breach without undue delay.

If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is also required to communicate the personal data breach to the concerned individual as well, without undue delay. However, this does not apply if the controller has implemented appropriate technical and organisational measures - e.g. encryption, which rendered the relevant data unintelligible to any unauthorised person, or if the notification would involve disproportionate efforts, in which case a public communication or a similar measure must be made in order to properly inform the individuals.

Sanctions and enforcement

The new law is generally harmonised with the GDPR in almost all aspects, with certain local specificities, except with respect to sanctions – the maximal fines which may be imposed on companies are up to approx. EUR 17,000, rather than GDPR's EUR 20 million or 4% of the company's global annual turnover. As before, the DPA is still authorised to issue warnings to data controllers and data processors, order the correction or deletion of the collected data, rectification of other detected irregularities etc., but is now also able to directly fine the controllers and processors in certain situations, with fines in the amount of approx. EUR 850 - currently, only the Court of Offences is entitled to impose fines.  

However, formally speaking, under the Law on Administrative Procedure, the DPA is also authorised to enforce its orders by threatening the company with a fine of up to 10% of its annual income in Serbia, in case it fails to comply with the order. This is a relatively new option for Serbian authorities that has not yet been tested in practice, to the best of our knowledge.  

What the future brings?

Now, it is the controllers' and processors' turn: by the summer of 2019, they will have to ensure the compliance of their data processing operations with the new law, which will not be a quick or easy task. At the same time, the DPA will also have a lot on its plate in order to prepare for the new law, especially with resolving a number of its ambiguities raised during the public debate, preparing the standard contractual clauses, and raising the public's awareness concerning the approaching data protection overhaul.

Laying the Foundations: ZF Group Building a Factory in Serbia

The Karanović & Nikolić team, led by Senior Partner Marjan Poljak and Senior Associates ⃰ Ana Stanković and Ana Luković, advised ZF Friedrichshafen on the project of opening an electric vehicle parts factory in Pančevo, Serbia. The German company, a global leader specialising in the design, research and development, and manufacturing activities in the automotive industry, laid the foundations and began construction on 21 June 2018.

Karanović & Nikolić advised ZF in this greenfield investment on all local law aspects of this project. The team provided full support in a number of different areas, including corporate, real estate, employment etc.

The new 25.000 square metres factory, which is being built on a land parcel of 10.8 hectares, will produce parts for electric and hybrid-electric vehicles and will service premium automotive manufacturers. The project will be realized in two stages and will open more than 1,000 new jobs. The planned investment amounts to more than EUR 100 million.

ZF operates in 40 countries around the world and has a global workforce of over 146,000 employees. In 2017, it recorded sales of EUR 36.4 billion. The company invests more than six percent of its sales in research and development annually, in particular for the development of efficient and electric drivelines.

ZF group is committed to its Vision Zero – zero accidents and zero emissions being the end goal of all the company's activities.


* Independent attorneys at law in cooperation with Karanović & Nikolić.

Interview with Patricia Gannon: The Importance of Female Leadership in Law Today

Patricia Gannon, founding partner at Karanović & Nikolić, was recently appointed Chair of the European Forum at the International Bar Association. In this interview, she discusses her role at the helm of the largest global gathering of legal professionals and tackles the important topic of diversity in law, as well as female leadership from her unique perspective as female co-founder of a leading law firm from Southeast Europe.

You have recently been appointed to the role of Chair of the European Forum at the IBA. What does this important position entail?


Patricia:As a firm, Karanović & Nikolić has been heavily involved with the IBA since our foundation. In particular, I have personally been active in a number of committees over the years as they represent a great way to stay on top of professional change. Most recently, the European Regional Forum, which is the forum responsible for managing and organizing all of the IBA conferences and events throughout Europe. The Forum is made up of 9,000 individual lawyer members and is the largest Forum within the IBA.


I have served as an officer for the last 5 years – culminating in a number of years of practical experience involving conference and event organizing. Today, there are 10 officers reporting in from different law firms all over Europe, we also have an advisory board of 25 senior lawyers, and approximately 50 council members representing every country in Europe. The council members are responsible for liaising between the European Forum and their own countries.

What do you feel that you bring to that role and what are your aims and hopes for the year?

Patricia: I bring a certain dynamic to the role which hasn't always been seen and I am keen to innovate a little more in order to move the IBA towards becoming a more modern organization, really reflecting the changes in the legal profession. This year, in addition to running the normal day-to-day conferences, we are looking for special funding from the IBA for a number of exiting projects.

One of them includes a review of the UK Modern Slavery Act on production and supply chain in the fashion industry. We hope to come to an understanding on the impact of extraterritorial legislation on corporates operating in this field. This is an exciting project which is relevant to consumers everywhere, as they are increasingly concerned about the human and environmental impact of clothes production.

I am working on a very exciting meeting in Rome – it is the Annual Meeting of the IBA scheduled for October, and it will include a number of very exciting sessions dealing with the hottest legal topics in the world. The ERF sessions include "Remaking Rome – the Treaty of Rome and what Europe Needs Now".

We will be working with other committees in a session on European luxury brands titled "Do you know where your clothes come from?". There will also be a session organized by all fora titled "The Future of Food – a Global Issue for Humanity", where we look at legal and policy issues relating to food production, resources, packaging, regulation, genetically modified content etc.

You are interested in the IBA diversity group. Will this relate to your role as the Chair of the European Forum?

Patricia:Global membership in the IBA today is about 70 percent male and 30 percent female – which is not entirely in recognition of the make-up of the profession generally. In certain countries it is almost 50-50, and this is including the judiciary, prosecutors, house-counsel, solicitors and barristers. Different parts of the profession are more female than others. Overall, considering the 70-30 percent membership, I feel that the 30 percent has not historically been represented appropriately throughout the organization and, in fact, a special task force is being established within the IBA to deal with diversity in general, including gender.

In my role as Chair of the European Forum, I made it my priority at one of my first meetings to ensure that 50 percent of all the representatives in my Council are female. I am very pleased to say that today 47 percent of the Council members are female. As a result of that, I expect to see a new dynamic with greater productivity and focus. Out of that pool of talented women, I hope to see more and more of them promoted across the ranks of the IBA. It's a process of change which the legal profession, as any other needs to address.

It must be interesting, not only being a woman, but also representing a law firm from this part of Europe?

Patricia: Yes, indeed! The IBA has relatively low membership numbers from Southeast Europe, and I hope that raising the organization's profile in SEE will raise membership and that we will get more active and learn from our colleagues both from Western Europe and across the globe. With that in mind, I will be opening the Balkan Legal Forum – our traditional bi-annual conference dealing with this region – which is to be held in Vienna on the 14th of June. I am very pleased to be involved in this highly relevant conference for all practitioners working in Southeast Europe. With approximately 150 attendees, it is the perfect opportunity to meet old friends who understand the complexity of doing business in the Balkans, making new connections and developing new ideas for investment opportunities.

As for Karanović & Nikolić and its role, we have been a corporate member of the International Bar Association for many years – which means that all the lawyers working with us are individual members of the IBA and can participate in its activities and learn from their peers through committee work. As a firm, we are keen to support all the organizations where lawyers can learn, develop and be in touch with current best practices, albeit from other markets. I think that we in Southeast Europe have some catching up to do in terms of the levels of professionalism that we need to provide to our international clients. The IBA is a great instrument for our further professional evolution.

Corporate Recent News Highlights

Recently in Serbia, a set of laws governing the business operations of companies has been adopted. Among them the most important is the new Company Law, which came into force on 1 February 2012.


Dr Slobodan Doklestic Partner, Karanovic & Nikolic

The Serbian Labor Law was adopted in 2005 and thereafter has been amended twice – in 2005 and 2009. Although this law is in many aspects commendable, it seems that some of its solutions call for prompt modernization.  

New regulatory framework for public-private partnerships in the Republic of Serbia

I. Legislative reform in the field of public-private
partnership ............................................(Pg. 2)
II. Previous experience with PPP projects in
Serbia ...................................................(Pg. 2)
III. New regulatory framework ..................(Pg. 3)
IV. Challenges in the implementation of the new
PPP framework .......................................(Pg. 6)


January 2012 - Corporate & Commercial. Legal Developments by Kinstellar.

More articles by this firm.

In May 2011, the Serbian parliament adopted a new company law, which is scheduled to take effect on 1 February 2012 (hereinafter: the “New Company Law”). The new legislation will replace the current company law that has been in force since 2004 (hereinafter: the “Old Company Law”)

Application of Business Activities Classification Act

From 12 August 2010 the Serbian Business Registers Agency ("Agency") shall commence with implementation of a new business activities classification system for Serbian companies. The new classification system is set out in the Business Activities Classification Act ("Act"), adopted on 16 December 2009. The goal of the Act is to harmonise the classification of companies' activities in Serbia with that of the EU.

New Law on Waters adopted

On 5th May, 2010 the Serbian Parliment enacted the new Law on Waters. The purpose behind legislative changes in this area was to harmonize the Serbian system of management of waters with the EU standards as well as with the national environmental legislation, to introduce a system of integral water management, and to generally adapt the existing regulations with the technical and other changes which occured in this area since the adoption of the old Law on Waters in 1991. In the energy sector, the new Law on Waters concerns energy producers which utilize public waters, such as primarily hydro-power plants and thermo-power plants. While the new Law on Waters retains the general licensing system for the use of public waters established under the old law, it introduces a certain level of liberalization and regulates the procedure for the issuance of these licenses in more detail.

New Draft Law Unveiled

The new draft Competition Law has recently been published by the Ministry of Trade. It features a number of novelties, the most significant one being the Competition Commission's ability to impose sanctions directly (up to 10% of annual turnover).

Cessation of the Right of use of the Construction Land

Recently we talked about what and which kinds of structures have to be constructed in order to transfer the right to the structure under construction. Purchase of a company or simulation of mortgage enforcement enable the desired transaction and/or acquisition of the structure under construction. It is not exactly what the investors like witnessing, but at least it does not prevent them from accomplishing their goal.

Transfer of title to the construction projects

How to transfer the title to a construction project? Why the most simple sale of a construction project causes problems in practice? How shall we, at purchasing a construction project, acquire the rights arising from the building permit or obtain the building permit in our own name? What is the influence of „legal constructions“ on the transaction quality and necessity thereof due to non-existence and/or inconsistency of regulations?

International Law Firm Networks

International comparative guides

Giving the in-house community greater insight to the law and regulations in different jurisdictions.

Select Practice Area

GC Powerlist -