Karanovic & Partners
The following law(s) specifically govern personal data / information:
Personal data protection is regulated in Bosnia and Herzegovina (“BH”) by the Law on Protection of Personal Data ("Data Protection Law").
The key data protection principles in this jurisdiction are:
The key principles that apply to data protection in BH are as follows: (i) personal data should be processed for specified, explicit and legitimate purposes, (ii) processing should be carried out lawfully and fairly, (iii) processing should be limited to data which is necessary for realization of the processing's purpose or purposes, (iv) processed data should be accurate and, where necessary, kept up to date, and incorrect and incomplete data must be deleted or corrected, (v) processed data should not be retained longer than necessary for the purposes for which they are processed, and (vi) personal data obtained for various purposes may not be combined or merged.
They are contained in the Privacy Act, and pertain to:
The supervisory authority / regulator in charge of data protection is:
Personal Data Protection Agency in Bosnia and Herzegovina(" Agency").
Is there a requirement to register with a supervisory authority / regulator?
Yes, data controllers are obliged to keep records (of prescribed content) for each database containing personal data which they establish. They are also obliged to register their databases with the Agency. Registration of the database is made by submitting the application in the prescribed form to the Agency. The application form includes information regarding:
- Data controller:
- Address of its registered seat,
- The database:
- Processing purpose,
- Legal ground for its establishment,
- Identification of exact processing activities,
- Types of processed data,
- Categories of data subjects, and
- Transfer of data abroad.
If there is a subsequent change in the registered data, for example changing initial processing activities, the change needs to be reported to the Agency within 14 days from the date the change occurred.
Is there a requirement to notify the supervisory authority / regulator?
Before processing personal data, data controllers are required to submit a notification/request for intention to establish a personal data filing system.
In addition, in cases when data is to be transferred to a third country and no transfer safeguards are available, such transfer needs to be approved by the Agency. Upon the controller’s request, the Agency should approve the transfer request provided that sufficient guarantees are provided by the controller in relation to the protection of privacy and fundamental rights and freedoms of individuals in that country, or if provision of similar rights arises from the provisions of a special agreement.
Is it possible to register with / notify the supervisory authority / regulator online?
The submission of the documents needed for the registration / notification can be done only in person or via post.
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects have the following rights: (i) right to request information on a particular processing, (ii) right to access processed data and to obtain their copy, (iii) right to rectification, (iv) right to deletion, (v) right to restriction of the data processing, (vi) right to object to the data processing (e.g., if the processing is based on the legitimate interest or performed for direct marketing purposes) and to the processing's cessation, (vii) right to withdraw consent (where consent is a legal ground for the processing), and (viii) right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or significantly affects them.
Is there a requirement to appoint a data protection officer (or equivalent)?
There is no statutory obligation that the entity which processes personal data has a data protection officer. However, the controller can have an administrator of the database. Such an administrator is a natural person authorized and responsible for managing the database and ensuring privacy and protection of personal data processing, in particular regarding implementation of security measures, storage and protection of data.
Do data protection impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
The applicable data protection legislation does not impose data security breach notification duties on the controller. However, a duty on the database's administrator, processor or other person handling the data is to inform the controller of any attempt of unauthorized access to information system for the database's management.
The following restrictions apply to the international transfer of personal data / information:
Personal data may be transferred to another country or an international organization that implements adequate safeguards for personal data set by applicable legislation in BH. Adequacy of safeguards is evaluated based on specific characteristics of each particular transfer, such as the types of personal data, purpose and period of the processing, the country to which data is to be transferred, statutory rules in force in the respective country and other relevant circumstances.
Additionally, personal data may also be transferred to a country which does not provide adequate safeguards in the aforementioned sense, in the following cases: (i) the disclosure of personal data is provided by special law or international treaty binding on BH; (ii) prior consent was obtained from the person whose data is transferred and the person was informed of the potential consequences of the data transfer; (iii) the disclosure of personal data is necessary for fulfilling the contract between the data subject and the controller or the fulfillment of pre-contractual obligations undertaken at the request of the person whose data is processed; (iv) the disclosure of personal data is necessary to save the life of the person to whom the data pertains or when it is in their vital interests; (v) the personal data is transferred from the files or records which are, in accordance with the law or other regulations, available to the public; (vi) the transfer of personal data is necessary for public interest reasons; (vii) the transfer of personal data is necessary for concluding or fulfilling a contract between the controller and a third party when the contract is in the interest of the data subject.
Exceptionally, even if none of the aforementioned cases is applicable, the data can be legitimately transferred out of BH if the Agency approves such transfer, provided that the data controller in that country provides adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals or provision of similar rights arises from the provisions of a special agreement.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The following rules specifically deal with marketing:
No, the general rules on data protection apply. The Data Protection Law contains rules on direct marketing and entitles the data subject to oppose to the data controller’s future use or transfer of their personal data or to be notified before their data is transferred for the first time to third parties for direct marketing purposes.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Yes, Law on Electronic Legal and Business Transactions (“Official Gazette of BH”, no. 88/07) contains rules specially dealing with electronic marketing. Pursuant to the aforementioned, the service provider is obliged to:
- ensure that commercial communication, is clearly and unambiguously recognizable as such;
- designate the natural or legal person at whose request the commercial communication is made;
- indicate promotional offers, such as price reductions, premiums and rewards, as such, as well as the conditions that must be met for their use;
- indicate promotional competitions as well as the conditions that must be met in order to participate in them.
The following rules specifically deal with cookies:
The consequences of non compliance with data protections laws (including marketing laws) are:
The highest fines for breaches amount to BAM 100,000 (approx. EUR 50,000) for a legal entity and BAM 15,000 (approx. up to EUR 7,000) for a legal entity's representative or a natural person, per offence.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Multinational organisations should be aware of the following upcoming data protection developments:
Since the current main law governing data protection and privacy in BH has significant deficiencies (such as in the field of data transfer, regime or legal grounds for data processing, rules on video surveillance etc.), the competent authorities initiated the procedure for adoption of a new, EU General Data Protection Regulation compliant data protection law in BH in 2018. However, due to the Covid-19 pandemic outbreak as well as the complex political situation in BH, the new law has not yet been adopted. However, we expect that the new law will be adopted during the course of 2021.