A NEW FUNCTION OF PERSONAL DATA IN THE LIGHT OF THE CONTRACT FOR THE SUPPLY OF DIGITAL CONTENT AND DIGITAL SERVICES

The paper addresses solutions of the recently adopted Digital Content Directive (abbreviated: DCD) with the focus on its major novelty being the possibility of a consumer to provide his personal data in lieu of a price in return for a digital content or a digital service. Though this social phenomenon has been known in practice for quite some time, the DCD is the first instrument of the European Union (abbreviated: EU) that accepted such reality by laying down a legal framework tailor-made to such contractual performance. Prior to its adoption, the main concern was how to reconcile two aspects of personal data: the fact that the right to the protection of personal data presents a fundamental human right, on one hand, and a rising use of such data as an object of contractual performance in the digital environment, on the other hand. The need to conciliate these two dimensions of personal data led to some revisions of the European Commission’s Proposal of the DCD. These changes led, inter alia, to a clear reference in the DCD to the already existing regime for the protection of personal data at the EU level epitomised in the General Data Protection Regulation
* This paper was presented at the International Scientific Conference Legal Tradition and New Legal Challenges, held on October 3rd and 4th, 2019, at the University of Novi Sad Faculty of Law.


INTRODUCTION
Modern society is characterized by the expansion of the Internet, information technology and electronic communications. In such conditions, one increasingly relies on computers, mobile phones and other electronic devices to conduct one's business, organise daily tasks and meet one's personal needs. The data that a person needs increasingly appear in digital form (digital content), and this is equally true of services (digital services). 1 For example, books and magazines that were previously printed on paper now have electronic versions (e.g. digital content supplied by Amazon), audio-visual content, such as music and movies, is available on the Internet (e.g. digital content supplied by YouTube, Deezer, HBO), and there are numerous platforms offering geolocation digital services (e.g. Google Maps). Moreover, digital services supplied by social networks (e.g. Facebook, Twitter) are widespread, the use of mobile phones is virtually impossible without digital content such as applications, and the usage of cloud computing digital services 2 (e.g. Google Drive) is on the rise. 3
This transition from the "Analog" to the "Digital" world necessarily affects the privacy and importance of personal data. Personal data (e.g. name and surname, personal residence, e-mail address, etc.) are no longer valuable only to the person to whom they relate, but are also in high demand among the companies that supply digital content and digital services, which use them to improve the quality of their services, determine the profile of their users, tailor content to their habits and needs, advertise, etc. For providers of digital content and digital services, this kind of data is often more valuable than money itself, which has led to massive processing of personal data and the creation of vast collections of data around the world. 4 New business models, i.e. contracts for the supply of digital content or digital services, entail precisely that traders collect personal data from consumers in lieu of money, which represents a kind of "paying with data", a frequent occurrence that cannot be overlooked. 5 In this manner, consumers pay a certain "price" for seemingly "free services". 6
The EU has responded to the emergence of such contracts by regulating certain aspects of them in the DCD, 7 which entered into force on 11 June 2019 and according to which the EU Member States are required to harmonise their national legislation and apply such provisions starting from 1 January 2022. 8 The DCD has caused a great deal of controversy, the spotlight being primarily on the issue of the justification of regulating such contracts from the aspect of data protection rights, that is, whether the EU has legalised the monetisation of personal data and deviated from full protection of personal data as a fundamental human right. 9 This question can be answered only upon extensive analysis of the entire issue and examination of the relationship of the DCD with the GDPR, 10 which is the basis of EU personal data protection rights and which became applicable on 25 May 2018. 11 An analysis of these issues will consequently indicate whether there is a need to adopt the DCD solutions into Serbian law.
1 According to a survey conducted by Eurostat, within the EU in 2018, 89% of households had internet access, while in Serbia it was 73%. The same survey showed that during the year, over 50% of EU citizens ordered certain products or services online, while in Serbia over 30%. For more on this survey, see: Eurostat, Community survey on ICT usage in households and by individuals, https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Digital_economy_and_society_statistics_-_households_and_individuals, accessed 07.09.2019.
2 For more on the notion of cloud computing, see: Sanja Radovanović, "Upotreba računarskog programa u Cloud Computing-u", Zbornik radova Pravnog fakulteta u Novom Sadu, 3/2013, 343.-344.
3 On the forms of digital content and digital services, see:
4 Andrej Diligenski, Dragan Prlja, Dražen Cerović, Pravo zaštite podataka GDPR, Beograd 2018, 7.
5 Axel Metzger et al., "Data-Related Aspects of the Digital Content Directive", Journal of Intellectual Property, Information Technology and E-commerce Law Vol. 9, 1/2018, 93.
6 In addition to being described as having economic value as money payable to the trader, personal data is very often an integral part of the service provided by the trader. For example, it is impossible to provide a service for measuring one's physical activity without the data on the location of the consumer, because then one would not know the distance he/she has travelled. See: Natalie Helberger, Frederick

PERSONAL DATA IN THE EU AND UNDER SERBIAN LAW
The right to the protection of personal data in the EU relies on the regulation that is primarily contained in the GDPR. This regulation replaced the earlier Data Protection Directive 12 , which could not adequately respond to technological developments and the increasing frequency of illegal data processing. 13 The GDPR ensured a uniform application of the rules on the protection of personal data 14 , as it is directly applicable in all EU Member States, unifying various national regulations in this field and achieving a high degree of legal certainty regarding the processing of personal data. In general, the GDPR could be said to be a valid response to the technological and sociological phenomena, which the previous Data Protection Directive fell short of being. 15 In addition to a very large number of recitals, the GDPR contains in its binding part the norms on the subject-matter, objectives, scope of its application, provides certain definitions, regulates principles and lawfulness of data processing, rights of individuals, privacy by design, privacy by default, records of processing activities, security of data processing, risk assessment, data protection impact assessment, notifications of personal data security breach, who is considered to be an authorized data protection officer etc. The GDPR also contains a large number of open clauses, leaving national legislators with the ability to regulate specific issues. 16 The GDPR applies to the processing of personal data wholly or partly by automated means and to processing other than automated means of personal data which form part of a filing system or are intended to form part of a filing system. 
However, it does not apply to the processing of personal data: 1) in the course of an activity that falls outside the scope of EU law, 2) by the Member States when carrying out activities that fall within the scope of Chapter 2 of the Title V of the Treaty on European Union, 3) by a natural person in the course of a purely personal or household activity, 4) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including safeguarding against and prevention of threats to public security, 5) by the EU institutions, bodies, offices and agencies, and 6) in the course of the liability rules of intermediary service providers. 17
12 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Union, L 281, 23.11.1995.
13 A. Diligenski, D. Prlja, D. Cerović, op. cit., 11.
14 Irene Loizidou Nicolaidou, Constantinos Georgiades, "The GDPR: New Horizons", in: Tatiana
Regarding territorial scope, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Also, it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or 2) the monitoring of their behaviour as far as their behaviour takes place within the Union. 18 According to the GDPR definition, personal data means any information relating to an identified or identifiable natural person ('data subject').
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 19 As can be seen, this is an extremely broadly defined notion of personal data.
Furthermore, the GDPR, albeit in a recital, also states what is considered personal data in an online environment, since it has determined that an individual can also be identified by an online identifier. Consequently, it provides that natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces (so-called "digital footprints") that, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them. 20
There is also other legislation within the EU regulating the right to privacy and the protection of personal data. Worth mentioning among these is the Directive on privacy and electronic communications, 21 which pertains to the processing of personal data and the protection of the right to privacy in the field of publicly available electronic communications services that are provided through public communications networks in the EU. This EU legislation could in the future be replaced by a Regulation, a draft of which has already been prepared. 22 When it comes to Serbian legislation, the new Personal Data Protection Act, 23 which entered into force on 21 November 2018 and is applicable as of 21 August 2019, provides regulations that are almost identical to those of the GDPR. In this way, Serbia has received a modern regulation in this area, while it remains to be seen what its implementation will look like in practice.

Common European Sales Law Proposal and Digital Single Market Strategy
The DCD was not the only EU legislative project to regulate certain aspects of contracts for the supply of digital content or digital services. It was preceded by the 2011 Common European Sales Law Proposal 24 (abbreviated: CESL Proposal), and the DCD rules are to some extent a modification of its rules.
The CESL Proposal was the first concrete step taken to create a single European Contract Law 25 and it was supposed to "create the first offer to the citizens of the EU to resist bonds of a national law." 26 Furthermore, it was conceived as an optional instrument that would apply in cross-border sales only if the parties so provided. 27 Therefore, it would apply on a voluntary basis and create another legal regime in addition to the existing rules of Member States' national laws. 28 It was suggested that CESL apply to specific issues 29 in sales contracts, digital content supply contracts (irrespective of whether the consumer pays a price), as well as service contracts (regardless of whether the price was stipulated or not), 30 not only to contracts between traders and consumers (B2C contracts), but also to contracts between business entities (B2B contracts). 31 Under this proposal, CESL was conceived as an instrument for the unification of different national rules, including those for the supply of digital content, but this project was abandoned as it did not find the support it needed in the EU Council. 32
Instead of the CESL Proposal, the European Commission (abbreviated: the Commission) in 2015 introduced the Digital Single Market Strategy 33 (abbreviated: DSMS), seeking to remove barriers to cross-border trade in goods and take an additional step in the functioning of the single market, given that it has been noted that these barriers are particularly present in the online sphere, preventing businesses and consumers from fully benefitting from the digital economy. 34 The DSMS addresses a number of issues, "amongst others it includes reforming European copyright law, harmonising contract law provisions pertaining to e-commerce, reviewing rules for audio-visual media, geo-blocking, cross-border sales and online platforms, reforming EU telecoms rules, digital services, handling of personal data and building a secure data-driven economy."
35 The DSMS states: "The Commission will make an amended proposal before the end of 2015: 1) covering harmonised EU rules for online purchases of digital content, and 2) allowing traders to rely on their national laws based on a focused set of key mandatory EU contractual rights for domestic and cross-border online sales of tangible goods." 36 It was on the basis of this provision that the EU drafted the DCD Proposal, which subsequently came into force and became applicable. In addition, the Commission also drafted the Online Sales Directive Proposal 37 (abbreviated: OSD Proposal), which to this date is not yet in force.
31 Art. 7 of the CESL Proposal.
32 Among other things, the EU Member States have not shown particular enthusiasm for creating a legal regime parallel to the national one, or for the content of CESL, since its optional character did not inspire confidence that contracting parties would opt for its application. Additionally, the proposed solution would make the regulation excessively complex. See: Marco B.M. Loos, op. cit., 2017, 13.
33

DCD as an instrument of harmonisation
The Commission envisaged the DCD and the OSD as instruments for achieving the goals of the DSMS, namely the DCD as an instrument for harmonisation of national regulations in the field of digital content and digital services supply, and the OSD as an instrument for harmonisation in the field of online and other distance sale of goods (save for digital content and digital services). 38 When it comes to the DCD, it contains a set of precise rules that facilitate maximum harmonisation, 39 which means that EU Member States cannot provide different rules from those contained in the DCD, nor can they provide for a lower or higher level of consumer protection than the one provided by the DCD. 40 Such rules focus on certain aspects of B2C contracts for the supply of digital content or digital services, or on specific issues not regulated by other EU legislation. The DCD therefore regulates: 1) the conformity of digital content or a digital service with the contract, 2) remedies in the event of a lack of such conformity or a failure to supply, and the modalities for the exercise of those remedies, and 3) the modification of digital content or a digital service. 41 Consequently, the DCD has, by its detailed rules, filled the gap that existed in EU consumer law. 42 It complements the legal framework for regulating contracts for the supply of digital content and digital services, the basis of which also includes: the Consumer Rights Directive, 43 which regulates mainly precontractual information requirements and the right of withdrawal; the E-Commerce Directive, 44 which provides partial regulation on electronic contracts; and the Unfair Terms Directive, 45 which contains a general clause on the unfairness control.
38 In the explanation of the DCD Proposal, the Commission elaborated why it opted for directives, stating that they leave Member States freedom to adapt the implementation to their national legislation and therefore do not have to contain such detailed rules (e.g. Member States themselves determine whether contracts for the supply of digital content and digital services are classified as sales, service, rental or sui generis contracts), unlike a regulation, with which this must be the case because it is directly applicable, consequently possibly impairing the coherence of national legal systems. See: European Commission, Proposal for a Directive of the European Parliament and of the Council on certain aspects of contracts for the supply of digital content and digital services, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:
Given the foregoing, the importance of DCD and the positive effect it brings is indisputable. This is the first (and only) EU regulation exclusively related to the supply of digital content and digital services. 46 The DCD recognizes the value of digital age products and the need to place their supply under the necessary legal framework, setting the law closer to existing social reality, including its digital forms. Had the EU not adopted the DCD, it would have been possible that not all EU Member States would regulate contracts for the supply of digital content or digital services. Provided that they would have regulated this subject matter, their rules would very likely be different from one another.
In spite of all the above, the DCD is facing criticism from the expert public. Opponents of the principle of maximum harmonisation believe that the DCD can lead to a lowering of consumer protection standards in some countries, 47 fragmentation of national legal systems, as well as the undermining of consumer protection on other legal grounds.
L 95/29, 21.04.1993.
46 At present, only two EU Member States have specific rules relating to digital content and digital services supply contracts, namely the UK and the Netherlands. In Germany, for example, by analogy, the general rules of law applicable to tangible goods are applied, while in France this is not the case, and these contracts are not regulated in any way. See: European Parliament, Briefing EU Legislation in Progress: Contracts for supply of digital content to consumers, http://www.
keep the pace with these developments. 49 Indeed, the hectic advancement of digital technology seems to have left behind the legal regulation, which is struggling to catch up with social realities in many aspects, one of them certainly being the very present phenomenon of "paying" with personal data in lieu of money in order to access ever demanding digital contents and digital services. The possibility of a consumer to give his consent and thus allow the trader to process his personal data for commercial purposes opened the question of whether such a consumer deserves to be protected like a "regular" consumer, i.e. the one paying money, and, if so, whether both shall be awarded the same level of protection. This subject matter brought, for the first time, under the same realm the traditionally separated rules on the protection of personal data and consumer protection.
50 It is indisputable that personal data carry a great potential to generate revenues in the sense that they can be used for various commercial purposes such as: advertising, enhancing the already existing products or developing new ones, tailoring digital contents and services to the consumers' preferences expecting greater consumers' attention and consequently higher profits, including transactions aimed at selling personal data already in possession of one market player to another in order to gain access to potential users and/or buyers. The fact that personal data can be regarded as an economic asset implies that transactions built upon a consent to process such data in return for digital content or service cannot be regarded as gratuitous. 51 Namely, for a service or a good to be considered free, nothing may be required in return. As soon as there is an obligation of a consumer to consent to the processing of his personal data vis-à-vis an obligation of a trader to enable him access to the digital content or supply of the digital service, the relation is not gratuitous, but only quid pro quo. Therefore, advertising such services as free shall be considered an unfair commercial practice aiming at deceiving potential consumers and enticing them to enter into a transaction without being fully aware of all the risks connected therewith. 52 In fact, business models of a newer age rely on processing of personal data belonging to their users as a sort of alternative "currency", or rather as a substitute for money. 53 These new business patterns have urged the legislator to provide a legal framework so as to ensure that their consumers also enjoy a set of rights and legal remedies comparable to the consumers who pay a price when acquiring access to some digital content or digital service.
54 Furthermore, there is no reason to discriminate between these two categories of consumers in relation to their reasonable expectations, by contending that consumers who provide their personal data have a lower level of expectations when it comes to the quality and functionality of the digital content or service compared to those paying a price. 55 Taking into account that not only money, but also personal data reflect certain value, there is no justification for treating these two categories of consumers differently. 56 An "equalisation" of these two categories of consumers has led to a significant increase in the total number of consumers who could qualify for the protection guaranteed under the DCD. This development can indeed be regarded as rectifying the previous state of the regulation, which ignored the vast group of non-paying users of digital content and services, although they used to "surrender" some aspects of their privacy without necessarily being aware of it. Even though eliminating discriminatory treatment between these two classes of consumers was one of the main purposes to be achieved with the DCD, the very nature of the two possible contractual performances, paying a price or providing personal data, prevented guaranteeing to both groups exactly the same set of rights and legal remedies, an aspect that will be elaborated later.

FROM THE PROPOSAL OF THE DCD TO ITS FINAL WORDING
Even though providing personal data in lieu of money in exchange for various digital contents and services has become a common practice, prior to the adoption of the DCD this reality had not been tackled in legal sources. This is why this novelty not only triggered a considerable doctrinal debate, but also prompted a reaction from the EU authorities, among which the most prominent role was taken by the European Data Protection Supervisor (abbreviated: EDPS). The central part of this discussion was dedicated to the juxtaposition of protection of personal data as a fundamental human right, on one hand, and personal data as a commodity, on the other hand. Indeed, the major question to be answered was how to reconcile the protection of personal data as a fundamental human right with the social reality reflected in the fact that consumers increasingly tend to acquire access to digital content and digital services upon giving their consent to the trader to process their personal data. Due to the comments expressed by the legal experts and bodies, the final wording of the DCD underwent certain changes. While some of them concerned its terminology, others influenced the very substance of the DCD.
One of the major terminological remarks was expressed by the EDPS. Without ignoring the existing social phenomenon of providing personal data instead of money, the EDPS urged the EU legislator to substitute the term counter-performance in relation to personal data in order to distance it from their monetisation, i.e. from degrading them to the mere consumers' interests. 57 At the insistence of the EDPS, the phrase counter-performance was later excluded from the wording of the DCD. However, it is disputable if this terminological change really added something to the quality of the DCD. Although the motives of the EDPS were rational to some extent, it can be hardly asserted that this alteration brought any substantial change in the structure of the synallagmatic contract, which per definitionem assumes a relationship between performance of one contractual party and counter-performance of another party of the contract. Thus, this "makeover" seems not to have modified the very construction of the relationship between the consumer and the trader. 58 The fact that a contractual performance of one party is somewhat characteristic in sense that it refers to the providing of personal data does not deny it the quality of performance as such.
One of the most prominent comments concerning the substance of the proposed solutions, which was voiced not only by the EDPS, but by all legal experts who reviewed the DCD's Proposal, was related to the initially suggested provision according to which the DCD should be applicable only provided that the consumer "actively imparted his personal data" to the trader. Implicitly, this formulation excluded from the DCD's scope of application the counterpart of actively provided personal data: passively provided personal data. This solution was heavily criticised for a few reasons. First of all, such a distinction was not anchored, and as such not grounded, in any applicable legal sources governing personal data protection. Furthermore, there was no plausible explanation why consumers who would be clandestinely tracked and whose personal data would anyway be used for making profit would be deprived of the protection enjoyed by the consumers who willingly provide their personal data. Accordingly, such discrimination of consumers based on the way their data had been collected would in turn only serve as an incentive for the traders to rely on the methods of passive personal data collecting, in order to be exempted from the application of the DCD. 59 This remark influenced the final wording of the DCD, which now refers to the personal data without specifying how they have been collected.
57 European Data Protection Supervisor, op. cit., 3, 7, 10.
58 See Art. 3 of the DCD.

PROVIDING OF PERSONAL DATA AS AN OBJECT OF A CONTRACTUAL OBLIGATION
Committing oneself to consent to the processing of personal data in return for a digital content or service is not contrary to the current legal regulation. In other words, there is no rule (neither in the Charter of Fundamental Rights of the EU nor in the GDPR) that prevents a consumer from entitling the other contracting party, the trader, to process his personal data as an object of a contractual obligation. Therefore, such a consent can serve as a valid object of a contractual obligation. 60 Even though this was not prevented by the law, until the adoption of the DCD this possibility had not been expressly stated in any of the EU legal sources. Moreover, soft law instruments adopted at the EU level, such as the Principles of European Contract Law 61 and the Draft Common Frame of Reference, 62 do not explicitly stipulate such a possibility, either. This is not surprising, taking into account that both regulatory models were framed at the time when the digital market was in its initial stage of development, when one could barely anticipate the current importance of personal data processing.
Nevertheless, the trader would need such consent only provided that he cannot process personal data based on some other legal ground. Provided that the trader is already entitled to process personal data of his consumers based on other legal grounds that exist if processing "is necessary for the performance of a contract", or "necessary for compliance with a legal obligation to which the controller is subject" 63 , the trader will not "lose" his time to acquire a consumer's consent. On the other hand, if such legal basis does not exist, or if the breadth of the processing would outstrip the legal ground of the processing, the trader would be obliged to acquire such consent.
For a consent to be legally binding within the realm of the contract for the supply of digital content and digital services, it ought to meet all the requirements contained in Art. 7 of the GDPR. 64 Moreover, the possibility to withdraw the consent for the processing of personal data is also applicable in the context of this contract. This means that a consumer may not waive his right to withdraw his consent, which further opens the question of the legal nature of the consumer's performance, given that it can be thwarted at any time. 65 The possibility of a consumer to withdraw his consent at any time implies that a trader can be left without further possibility to continue with the processing of the consumer's personal data, and at the same time without a chance to obtain such consent before a court. The unenforceability of a consumer's duty vis-à-vis a trader rightly led some authors to the conclusion that such an obligation could be qualified as a sort of imperfect, i.e. natural, obligation. 66 Given that the legal basis of a consumer's commitment contained in his consent to the processing of his personal data can fall away at any moment during the contract's performance, one can wonder why the trader would be interested at all in accepting such a performance despite its inherent risk. Taking into account the fact that the withdrawal of the consent produces effect only ex nunc, the trader's interest actually lies in the expectation to gain as many economic benefits as possible from the processing of the consumer's personal data before the potential withdrawal of his consent. 67 Surprisingly, the DCD does not govern the consequences of the withdrawal of the consent. Instead, it leaves them to the national regulation. 68 This further implies that the withdrawal of the consent does not necessarily lead to the termination of a contract. However, apart from contract termination it is hard to imagine what possible corollaries the withdrawal could entail.

VALUE OF PERSONAL DATA AND PROBLEMS CONNECTED THEREWITH
Even though no one disputes that personal data carry economic value, at this stage of development it is hard to establish it, exactly or approximately. The impossibility to assess the value of personal data causes some troubles. While some of them are important when deciding whether or not to enter into a contract, others can come into play during its performance, whilst some become apparent only upon its termination. To begin with, when one makes a decision whether or not to enter into a contract, he or she should know in advance what is being exchanged. 69 The principle of an equal value of mutual prestations, i.e. the principle of equivalence in civil-law relations, is one of the major postulates of synallagmatic contracts. However, taking into account that a consumer does not know what value will be created through the processing of his personal data, it is questionable whether he can make a "well informed decision" to enter or not to enter into a contract. 70 Indeed, one may pose the question of whether consumers would consent at all to the processing of their data had they known for what purposes and how their data will be used. Moreover, consumers are usually not informed of the security measures, if any, taken by the trader in order to prevent consumers' data being compromised (for instance, through potential hacker attacks). 71 This aspect testifies to a great information asymmetry between the consumer, on one hand, and the trader on the other.
Besides, the impossibility of assessing the value of personal data also has some implications in case of non-conformity of the delivered digital content or service and in case of termination of a contract. Namely, some legal remedies are tailored to the traditional payment method. For instance, price reduction, a legal remedy that can be triggered in case of non-conformity of the delivered digital content or service, is applicable only in respect of consumers who paid a price. This implies that a consumer who provided his personal data has in fact one legal remedy less compared to the consumer who paid a price. This has been somewhat compensated in that the former is entitled to terminate the contract regardless of the gravity of such non-conformity, while paying consumers may terminate the contract only provided that the non-conformity is not minor. 72 A further consequence of the impossibility of establishing the exact value of personal data becomes apparent in the event of termination of the contract. Provided that the consumer has paid a price, "the trader shall reimburse the consumer for all the sums paid under the contract". 73 Restitution, as it is known, is a corollary of contract termination. Restitution, understood in its common sense, is not possible if a consumer has provided his personal data to the trader. Thus, in this situation, the special rules contained in the already applicable GDPR, such as the right of access (Art. 15 of the GDPR), the right to data portability (Art. 20 of the GDPR) and the right to erasure (Art. 17 of the GDPR), are applicable. 74 Logically, the provisions of the GDPR are applicable as far as personal data are concerned. Taking that into account, these rules may not be relevant in relation to data that cannot be qualified as data attributable to a specific natural person.
Therefore, if the consumer has provided data other than personal data, or if such data were created through the use of the already supplied digital content or digital service, the trader, save where provided otherwise, ought to refrain from using such data, and upon the consumer's request the trader shall make such data available to him. 75 This provision has been introduced so as to prevent the so-called "lock-in" effect, 76 which could otherwise discourage consumers from exercising their right to terminate the contract.

RELATIONSHIP BETWEEN THE DCD AND THE GDPR
Although the DCD Proposal generally encountered support within academic circles, at the same time it was heavily criticised due to its divergence from the already established framework for the protection of personal data epitomised in the GDPR and the E-Privacy Directive. According to the Proposal, it was unclear whether the DCD was about to introduce a new, parallel set of rights with regard to personal data, which, as special rules, would derogate from the already applicable rules. Judging by its initial wording, it seemed that the Proposal ignored the already existing regime for the protection of personal data, introducing some rights that already had their comparable counterparts in the GDPR. For instance, the right of a consumer to retrieve data upon termination of the contract and the obligation of a supplier to refrain from the use of the data provided as counter-performance 77 were comparable to the right to data portability and the right of access contained in the GDPR. 78 After its revision, the final wording of the DCD explicitly states that all matters related to personal data are governed by the GDPR. Furthermore, in case of conflict between the DCD, on one hand, and the GDPR and E-Privacy Directive, on the other hand, priority will be given to the latter. 79 In other words, the level of protection that has already been achieved by the GDPR may not be lowered or in any way jeopardised by the adoption of the DCD. 80 The same conclusion, as already mentioned, pertains to the conditions that a consent to the processing of personal data ought to meet in order to be regarded as a valid basis for a contractual relationship.

AN OVERVIEW OF THE CURRENT STATE OF SERBIAN LAW WITH REGARD TO THE SUPPLY OF DIGITAL CONTENT AND DIGITAL SERVICES
Unlike the EU legislator, the Serbian one has not yet regulated contracts for the supply of digital content or digital services in an appropriate manner. The Consumer Protection Act 81 (abbreviated: the CPA) contains hardly any specific regulation, except a narrow and insufficient definition of digital content and one exemption to the right to contract out if a transaction concerns the supply of digital content. The CPA addresses the issue of the supply of digital content, without even mentioning any kind of digital services, under a very broad notion of distance contracts, without specifying any tailor-made rules. Furthermore, the CPA is silent on the case when a consumer provides his/her personal data for the digital content received from the trader. Therefore, it is questionable whether the contract for the supply of digital content can be considered a separately named contract under Serbian law, given that our current legislation does not offer a detailed set of rights and duties of the parties to such a contract. This implies that the available rules are insufficient, bringing us to the conclusion that the existing provisions of the CPA need to be further elaborated, especially taking into account that consumers from Serbia, just like consumers from other countries with Internet access, increasingly access various digital content and use digital services.

CONCLUSION
Considering the foregoing, we are of the opinion that the contract for the supply of digital content and digital services, and especially the provision of personal data as a potential object of consumers' contractual performance vis-à-vis the trader, shall be governed in Serbian legislation pursuant to the DCD solutions. This shall be done for a few reasons. Primarily, due to Serbia's aspiration to accede to the EU, a process that requires harmonisation of its legal rules with the acquis communautaire. Secondly, due to the quality of the DCD provisions: by its adoption the EU legislator did not turn a blind eye to the new business practices favouring consumers' personal data over money. Indeed, the DCD "legalised" such a practice by providing a set of rights and legal remedies to be enjoyed by the consumers who provide their personal data in lieu of money to the traders. Thirdly, the level of computer literacy among domestic consumers is rising. Accordingly, providing personal data in exchange for digital content and digital services has also become a social reality in Serbia that deserves an adequate legislative response.
Having concluded that there is a need to incorporate the DCD solutions into the Serbian legal system, it is left to suggest the most appropriate piece of legislation for that. Though the Law on Obligations (abbreviated: LoO) is the main legal source governing contractual matters, consumer contracts are not covered therein. This is so because consumer contracts came into existence much later than the last changes of the LoO, and are governed in the CPA. Taking into account the characteristics of consumer contracts, the Serbian legislator favoured regulating them in a lex specialis over their incorporation in the LoO. Having that in mind, our opinion is that contracts for the supply of digital content and digital services shall be governed in the CPA. This contract shall be elaborated in more detail so as to include the supply of digital services, besides digital content. At the same time, it shall explicitly include the possibility of a consumer to provide his personal data in lieu of money. The current regulation, pursuant to which this contract presents only a type of distance contract, is not sufficient, given that its main feature does not emanate from the fact that it is concluded between distant parties. Rather, it shall be deemed characteristic for its subject matter, the supply of content or a service in digital form, and for its potential performance, providing personal data instead of paying a price.