Personal data protection is becoming a major research topic in the last decades. With the technological advances, this issue was given a completely new perspective, due to increased possibilities for both use and misuse. Personal data have become a very valuable resource for different organizations worldwide in various sectors. However, regardless the efforts and constant legislation processes, personal data protection has still not been adequately managed, especially in developing countries such as Serbia. The motivation for this research was the big leak of personal data collected by the Serbian Privatisation Agency that occurred in 2014. During the research we analyzed legal, organizational and technical aspects of personal data management in six public institutions that are the largest personal data processors in Serbia. In this paper we provide the overview of the current situation and the recommendations for policy makers related to personal data protection in Serbia with a focus on the public sector.