The Ministry of Finance of the Republic of Serbia has recently issued an opinion no. 011-00-313/2022-04 (“the Opinion”), which refers to taxation of fees paid by resident legal entities to non-residents for leasing servers abroad.
According to the Opinion, if a resident legal entity pays to non-resident legal entity the fee for leasing server abroad exclusively for data storage, there is no obligation to pay a withholding tax by virtue of the Serbian Law on Corporate Profit Tax.
Rationale of the Opinion
Namely, according to Article 40, paragraph 1 of the above-mentioned Law on Corporate Profit Tax, unless stipulated otherwise by a double taxation treaty, the withholding tax at 20% rate shall be calculated and paid for the profit earned by the non-resident legal entity from resident legal entity on the following bases
1) dividends and share in profit of legal entity, including dividend under Article 35 of this law;
2) fee from copyright and related rights, as well as intellectual property rights;
3) interest;
4) fee from rental and sub-rental of movables and immovable property in the territory of the Republic of Serbia;
5) fee from the services of market research, accounting and auditing services and other services in the field of legal and business counselling, irrespective of the place of their provision or use and/or place where they will be provided or used.
Accordingly, in a situation where the resident legal entity pays to non-resident legal entity the fee for leasing server abroad, which the resident (as the lessee) uses exclusively for data storage, while no fee for any other service is being paid (e.g., use of non-resident’s software for processing and distribution of such data), the fee paid by the resident to non-resident is not subject to withholding tax.
Personal data protection issues
Nevertheless, this situation should also be observed in terms of regulations on personal data protection, notably the Serbian Law on Personal Data Protection.
Namely, the Law on Personal Data Protection defines personal data processing as any activity or set of activities that are done automatically or non-automatically with personal data or sets thereof, such as collection, noting, classification, grouping and/or structuring, storage, adjusting or modifying, disclosing, insight, use, disclosing by transfer and/or submission, copying, dissemination or other form of making available, comparing, restricting, deleting or destroying.
Therefore, storage, i.e., keeping personal data on servers that are physically located abroad represents an activity of personal data processing by their transfer in terms of the aforesaid Law on Personal Data Protection.
The Law on Personal Data Protection further stipulates that any transfer of personal data whose processing is in progress or which are intended for further processing after their transfer to another state or international organisation may only be done if, under other provisions of this law, the controller and processor act in compliance with the legally prescribed requirements, including further transfer of personal data from other states or international organisations to a third state or international organisation, for the purpose of ensuring appropriate level of protection of natural persons that is equivalent to the level guaranteed by this law. In other words, a precondition for lawful transfer by virtue of the Law on Personal Data Protection is compliance of data processing with all obligations established by this law.
In relation thereto, it should be noted that compliance of transfer with the provisions is established in each individual case, according to all relevant circumstances thereof.