Privacy Regulations in Bosnia & Herzegovina
Bosnia & Herzegovina’s Law on the Protection of Personal Data No. 49/06 is a data privacy law that was passed in 2006. While Bosnia and Herzegovina is not currently a part of the European Union and, as such, does not fall under the jurisdiction of the General Data Protection Regulation or GDPR, the country has been going through the process of formally joining the EU during the past several years. To this end, Bosnia and Herzegovina has made efforts to harmonize all of its current legislation with the laws of the EU, including laws pertaining to data protection and privacy. As such, the Law on the Protection of Personal Data No. 49/06 was updated to set forth the requirements that data controllers and processors within the country must adhere to when collecting and processing personal data.
How are data controllers and processors defined?
Under Bosnia and Herzegovina’s Law on the Protection of Personal Data No. 49/06, data controllers are defined as “any public authority, natural or legal person, agency or any other body, which, independently or together with another party, manages, processes and determines the purpose and the manner of personal data processing on the basis of laws or regulations”. Conversely, the law defines data processors as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”. Moreover, the Law on the Protection of Personal Data No. 49/06 defines personal data as “any information relating to an identified or identifiable natural person”.
In terms of scope and application, the personal and material scope of the Law on the Protection of Personal Data No. 49/06 covers all individuals and organizations, including public authorities, unless otherwise stated by other laws within Bosnia and Herzegovina. The territorial scope of the law extends to both individuals and organizations within Bosnia and Herzegovina, as well as to data controllers who are not physically located within the country but nevertheless make use of equipment that is within the country, unless said equipment is used solely for the purposes of transit.
What are the obligations of data controllers and processors?
In keeping with Bosnia and Herzegovina’s efforts to harmonize its privacy legislation with the EU’s General Data Protection Regulation or GDPR, the Law on the Protection of Personal Data No. 49/06 sets forth a multitude of principles that data controllers and processors within the country must abide by when engaging in data protection activities. These principles include:
- Personal data must be processed in a manner that is both fair and lawful.
- Personal data may only be collected and processed for lawful, explicit, or special purposes, and data controllers and processors are forbidden from collecting or processing personal data for any reason outside of these purposes.
- Personal data can only be processed to the extent and scope that is needed to fulfill the purposes for which it is collected.
- Data processors are only permitted to process personal data that is accurate and authentic, and data processors are obliged to update personal data in their possession whenever necessary.
- Data controllers and processors are responsible for erasing or correcting personal data that has been found to be incomplete or inaccurate, within the context for which said personal data was collected or processed.
- Data processors are prohibited from processing personal data for any period of time longer than is necessary to fulfill the purposes for which it was collected.
- Data controllers and processors are responsible for storing personal data in a manner that allows for the identification of applicable data subjects, for a period no longer than is needed to fulfill the purposes for which personal data was collected or processed.
- Data controllers and processors are responsible for ensuring that the personal data that they collect or process has not been merged or combined in any way.
What are the rights of data subjects?
Under the Law on the Protection of Personal Data No. 49/06, data subjects within Bosnia & Herzegovina are entitled to the following rights pertaining to their privacy:
- The right to be informed – Before collecting personal data from data subjects, data controllers are required to inform said data subjects of the purpose for which their personal data will be processed.
- The right to access – Data controllers are responsible for informing data subjects of their right to access their personal data prior to collecting said personal data.
- The right to rectification – Data subjects have the right to rectify personal data that they have provided to a data controller or processor.
- The right to erasure – Data subjects have the right to request that a data controller or processor erase personal data pertaining to them that has been found to be incorrect or incomplete.
- The right to object or opt-out – Data subjects have the right to object or opt-out of the processing of their personal data.
- The right to compensation – Data subjects have the right to be compensated for damages that they experience as a result of violations of their rights under the law.
In terms of sanctions that can be imposed against data controllers and processors who fail to comply with the law, the Law on the Protection of Personal Data No. 49/06 is enforced by the Agency for Personal Data Protection in Bosnia and Herzegovina or AZLP for short. To this point, the AZLP has the authority to impose a variety of punishments on data controllers and processors who fail to comply with the law, including ordering the destruction of personal data, ordering the suspension of data processing, as well as a monetary penalty of up to 100,000 KM ($57,955). Furthermore, data subjects are also entitled to compensation for damages under the Law on the Protection of Personal Data No. 49/06.
As Bosnia & Herzegovina is one of a handful of European countries that are currently undergoing the process of attempting to join the European Union, the country has taken steps to align its laws with those of EU member states. To this extent, the Law on the Protection of Personal Data No. 49/06 was updated to approximate the EU’s General Data Protection Regulation or GDPR. While the Law on the Protection of Personal Data No. 49/06 does not provide data subjects within Bosnia & Herzegovina with the same level of protection as the EU’s GDPR does for citizens of EU member states, there are undoubtedly major similarities between the two laws. As such, citizens of Bosnia & Herzegovina can have the peace of mind that their personal data is being protected at all times.