Personal data are collected and processed every day in all segments of business and private life. Such data are exchanged both in the physical and in the virtual world. The development of new technologies and an increasingly connected planet have made it possible for significant troves of personal data to be collected, used, exported and stored on servers located all around the world. Advanced technology has made it possible for personal data to be used and misused to a previously unimaginable extent. Moreover, these technologies have enabled massive amounts of data to be processed, with information about individual habits and interests, location, and physical movement being tracked. Data is transferred quickly between countries where privacy is protected largely according to local data privacy rules. Given the above, it is apparent that the legal regulations governing the protection of personal data need constant evolution and modernization. In this article, I will discuss the General Data Protection Regulation, also known as the “GDPR,” in the context of Bosnia and Herzegovina.
When it comes to the situation in Bosnia and Herzegovina (hereinafter: B&H), B&H has undertaken, under the Stabilization and Association Agreement, to harmonize its legislation on the protection of personal data with EU law and international privacy legislation. It has also undertaken to establish an independent supervisory body with sufficient financial and human resources to effectively monitor and guarantee the implementation of the national legislation on the protection of personal data.1
The legislative framework pertaining to the protection of personal data includes the Constitution of B&H, adopted international documents, and domestic regulations. The Constitution of B&H guarantees the protection of all human rights and fundamental freedoms envisaged by the European Convention on Human Rights and Fundamental Freedoms and its Protocols, namely the right to private and family life, home, and correspondence. Article II of the B&H Constitution states: “The rights and freedoms set forth in the European Convention for the Protection of Human Rights and Fundamental Freedoms and its Protocols shall apply directly in Bosnia and Herzegovina. These shall have priority over all other law.”2
Convention 108 & Personal Data Protection
Furthermore, B&H has ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108),3 hereinafter the Convention 108,4 which is of crucial importance for the protection of the right to privacy. The Convention 108 guarantees the right to privacy, thereby protecting the personal data of every natural person.5 Pursuant to the B&H Constitution and the aforementioned Convention 108, B&H has adopted the Personal Data Protection Law (“Official Gazette of B&H”, Nos. 49/06, 76/11 and 89/11), hereinafter referred to as “the Law”. This Law reflects the provisions of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, hereinafter referred to as the “Directive”, which regulates the protection of individuals with regard to the processing of their personal data and the free movement of such data. This Directive established a number of key legal principles: “fair and lawful processing, purpose limitation and specification, minimal storage term, transparency, data quality, security, special categories of data, and data minimization.”6 These principles have been incorporated in each of the 28 European Union Member States through national data protection law.7 By incorporating the Directive, which is mandatory for the EU members and candidate countries, B&H has formally shown its commitment to harmonizing its laws with European standards and the acquis8 (the body of common rights and obligations that is binding on all the EU member states). Candidate countries, like B&H, have to accept the acquis9 before they can join the EU and make EU law part of their own national legislation.10
However, it is necessary to emphasize that the last update and harmonization of the Law was carried out in 2011, when the Parliamentary Assembly of Bosnia and Herzegovina passed the Law on Amendments to the Personal Data Protection Law.11 This amendment removed certain terminological as well as substantive deviations from Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data.12 Among the most important changes, the amendment introduced new provisions on the transfer of data abroad, the processing of personal data via video surveillance, and the use of personal data that were generated and collected at the time of the former Socialist Federal Republic of Yugoslavia.
Personal Data Protection Law Objectives
The aim of the Law is to ensure the right to privacy and the protection of personal data of all persons in the territory of B&H, regardless of their nationality or residence, in the course of collecting, processing and using such data. The Law applies to personal data processed by all public authorities and natural and legal persons, except for personal data collected and processed by the Intelligence and Security Agency of Bosnia and Herzegovina.13 Under the Law, personal data is any information relating to an identified natural person or a person whose identity can be established (Article 3 of the Law). For example, personal data include: name and surname, place of residence, date of birth, unique ID number, bank account data, passport number, photograph, fingerprints, and other data. In addition, the Law recognizes special categories of personal data for which a higher degree of protection is envisaged. These are data related to racial or ethnic origin, political opinion or party affiliation, union membership, religious, philosophical or other beliefs, health status, genetic code, sexual life, criminal verdicts and biometric data (Article 3 of the Law). Personal data are not only information that identifies an individual directly, but also combinations of information that single out an individual. This is most evident in the case of online advertising companies that track our activities online, such as the web pages we visited or liked, and send us advertisements based on that.14
The processing of personal data is defined by the Law as any action on personal data, such as collecting, using, modifying, detecting, or destroying, which has to be performed in accordance with certain principles (Article 3 of the Law). Processing must be done in a fair and lawful manner. Except where the Law provides otherwise, personal data may be processed on the basis of the consent of the data bearer, i.e. the person to whom the data relate. Following the harmonization of the Law with the aforementioned Directive 95/46/EC, which stipulates that consent must be unambiguous, written consent is required only for special categories of personal data, while consent for the processing of other personal data may be given by other means (Article 5 of the Law). Consent may be withdrawn at any moment unless the data carrier and the controller have explicitly agreed that withdrawal of consent is not possible (Article 5 of the Law). Consent is, inter alia, not required if data processing is necessary for the data bearer to enter into contractual relations at his own request, to fulfil obligations already undertaken, to perform tasks in the public interest, or for statistical purposes.
Data Processing
When processing personal data, special attention must be paid to the purpose of processing (Article 4 of the Law). For example, if the purpose of processing is to determine a customer’s identity and a copy of that person’s ID card is taken, the principle is violated, because identification can be performed by inspecting the ID card without taking a copy. Collecting a copy of the ID, in terms of protecting the right to privacy, significantly exceeds what identification requires and creates an unjustified risk of misuse of personal data.
Data Controller and the Rights of Individuals
The Controller,15 who is processing data, must always determine the purpose of the processing and process the data only to the extent, scope, and time period necessary for its fulfilment. Once this time period expires, the collected data can only be used for statistical, archival and scientific purposes, with the personal data anonymized, i.e. put in a form that cannot be used for identification.
As a rule, personal data collected for different purposes cannot be unified or combined (Article 8 of the Law). The processor of personal data is required to compile a personal data security plan and to undertake technical and organizational measures to prevent unauthorized access to personal data, their alteration, destruction, unauthorized transfer, illegal processing, or other misuse of such data. Measures may include employee training, physical and technical measures for the protection of workrooms and equipment, confidentiality and security of passwords for access to an information system, and other measures (Article 11 of the Law).
Every individual has the right to be informed in advance that his personal data will be collected or disclosed (Article 22 of the Law). As part of such notice, the carrier of the personal data has the right, inter alia, to obtain information on the purpose of processing, the controller, the third parties to whom the data will be made available, and whether the disclosure of the personal data is compulsory or voluntary. The carrier also has the right of access to the personal data being processed and the right to seek correction of inaccurate data. These rights can only be excluded or limited in accordance with the Law. For example, information on the processing of personal data, or access to personal data, may be denied to the carrier if providing it could damage the legitimate interests of B&H. Legitimate interests include state and public security, defense, the investigation and detection of criminal offenses and the prosecution of perpetrators, but only to the extent prescribed by law.
The carrier may also object to the processing or use of personal data. Any person may file a complaint with the Personal Data Protection Agency if he or she believes that his or her personal data is being processed unlawfully or is in danger of such a violation. Such a complaint may require that the person handling the processing refrain from such actions, remedy the factual situation caused by the processing, and correct or supplement the personal data so that they are authentic and accurate. Furthermore, everyone has the right to seek compensation from the data controller in court proceedings for material or non-pecuniary damage caused by a violation of the right to privacy (Article 30 of the Law).
In addition to the above obligations, the person processing personal data has certain obligations towards the Personal Data Protection Agency. For each personal data database, the controller establishes and maintains a record containing basic information about the collection. This includes the name of the collection, the type of data being processed, the legal basis for processing, the data source, the type of data transferred, the data and the legal basis for the transfer, and finally whether the transfer is carried out abroad, with all the details of such transmission. The data from the records of each controller is submitted to the Agency, which merges them into the Main Register.16
According to the European Commission’s Progress Report for B&H in 2014, when it comes to the personal data protection, little progress has been made. The Report states:
“With regard to the protection of personal data, the Agency’s independence has been strengthened by the amendments to the Law on Salaries and by granting the same rights to the Agency, as well as to other independent regulatory agencies, in November 2013. The Agency’s budget and personnel coverage remained the same, while the number of complaints filed by the Agency and the Inspection Service has increased. In 2013, the Agency conducted 111 supervisory inspections and received 107 lawsuits. It executed 34 ex officio proceedings and issued seven fines. The Agency continued its training activities across the public sector to increase the capacity of personal data protection within the public administration and the police. A road map was developed for the implementation of measures to improve the protection of personal data in police agencies. There are still no implementing regulations in the law enforcement sector that are compatible with the protection of personal data. Overall, preparations in the area of personal data protection are still at an early stage in B&H.”17
In the EU there are constant discussions about the need to modernize privacy law in view of the challenges posed by the evolution of economic and social relations and by rapid technological change. With great progress came the need to ensure security in a uniform way throughout the world. When it comes to B&H, national legislation and practice only transpose existing international standards in this area, and there are no indications of amendments to modernize the current Law.
The GDPR: A Move Toward a Comprehensive Data Privacy Regime
EU data protection legislation is facing huge changes. As a sign of evolution in the protection of private data, on April 27, 2016, the EU adopted Regulation (EU) 2016/679, hereinafter referred to as the Regulation, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.18 This Regulation aims at making Europe fit for the digital age and applies from May 25, 2018, after a two-year transition period. It represents an essential step to strengthen citizens’ fundamental rights and to facilitate business by simplifying the rules for companies in the digital market. At the same time, adopting a single law in the area of personal data protection overcomes the issues caused by the previously fragmented regulation of this field across Member States and the costly administrative burdens that came with it.19 The Regulation is directly applicable in all Member States,20 which increases legal certainty and enhances consumer confidence in the single digital marketplace.21
By way of this new Regulation, the European Parliament makes it very clear that the protection of natural persons with regard to the processing of personal data and the free movement of such data is of major concern, taking into account the changes triggered by new technologies, such as the increasing use of the internet and electronic means in everyday life. The new Regulation provides new and clearer rights to citizens and repeals the previous Data Protection Directive 95/46/EC.22 At the same time it both extends and updates the EU acquis.
The GDPR regulates the processing, by an individual, a company, or an organization, of personal data relating to individuals in the EU, “in the context of the activities of an establishment” (Article 3, paragraph 1 of the GDPR).23 Its importance lies in the fact that it simultaneously strengthens and harmonizes the rules protecting individuals’ privacy rights and freedoms within the EU. However, under certain conditions, it also provides protection outside EU territory.24 The GDPR applies to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of subjects residing in the EU, regardless of the company’s location.25 The GDPR sets out both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data, such as health data.26
The GDPR has made obtaining valid consent stricter, because it prescribes that consent must be given by a clear affirmative act. Data carriers may also revoke their consent to data processing without any limitation.27 Other novelties are the right to be forgotten28 and the right to data portability from one data controller to another, which is now expressly provided for.29
One thing to note is that the GDPR does not apply to the processing of personal data of deceased persons or of legal entities. Nor do the rules apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for example for socio-cultural or financial activities, data protection law has to be respected.30 With the GDPR, data protection joins anti-bribery and anti-trust law in carrying significantly stricter penalties.31 Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concept. It is important to note that these rules apply to both controllers and processors.32
The GDPR Framework & Full EU Membership for Bosnia & Herzegovina
Taking into consideration the changes that the EU has implemented in its regulations vis-à-vis the protection of personal data, it is obvious that B&H, as a candidate state for membership in the EU, needs to catch up with this trend and amend its regulation in accordance with the new developments in the EU acquis. It is essential that B&H continue working on the implementation of the adopted regulations and on strengthening the human and financial capacities of the Personal Data Protection Agency and its independence, because effective protection of personal data is of crucial importance for B&H to become a member of the EU. Awareness of the importance of the right to privacy, of the protection of personal data and of the mechanisms for its protection must also be developed in B&H. Individuals should be aware that the protection of their human rights is guaranteed by conventions and by domestic constitutional and statutory provisions, and that protection mechanisms are available to them when they suspect that their personal data are being processed illegally. On the other hand, those who collect and process personal data must be aware of the basic principles of processing personal data and of their obligations in this process, as well as of the fact that non-compliance with these obligations may lead to misdemeanor proceedings and fines.
To pave the way for B&H to become a full member of the EU, it is critical that B&H harmonize its sectoral laws. It must implement the regulations pertaining to the protection of the right to privacy and the processing of personal data. To accomplish this, B&H must ensure that its laws are up to date and in accordance with the requirements of the EU. Without legislation that harmonizes divergent rules related to data privacy, it is unlikely that B&H will move forward to become a full member of the EU.
- Stabilization and Association Agreement between Bosnia and Herzegovina, of the one part, and the European Communities and their Member States, of the other part, Article 79. Available at: https://www.dei.gov.ba/bih_i_eu/ssp/doc/Default.aspx?id=743&template_id=14&pageIndex=1 (Accessed March 18, 2018).
- Annex IV to the Dayton Peace Agreement. Constitution of Bosnia and Herzegovina. Available at: https://www.ohr.int/ohr-dept/legal/laws-of-bih/pdf/001%20-%20Constitutions/BH/BH%20CONSTITUTION%20.pdf (Accessed March 18, 2018).
- Convention 108 was, and still remains, the only legally binding international instrument in the data protection field.
- National Assembly of Bosnia and Herzegovina. Decision on ratification of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. Official Gazette of Bosnia and Herzegovina – International Agreements, No. 7/04 and Decision on the ratification of the Additional Protocol to the Convention for the Protection of Individuals with regard to automatic processing of personal data, Supervisory Authorities and Cross-Border Data Flows. Official Gazette of Bosnia and Herzegovina – International Agreements, No. 7/04.
- Council of Europe. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Available at: https://rm.coe.int/1680078b37 (Accessed March 18, 2018).
- DLA Piper. Data Protection Laws of the World. Available at: https://www.dlapiper.com/en/europe/insights/publications/2014/01/data-protection-laws-of-the-world-handbook/ (Accessed March 18, 2018).
- Ibid.
- The acquis is constantly evolving and comprises: the content, principles and political objectives of the EU Treaties; legislation adopted pursuant to the Treaties and the case law of the Court of Justice; declarations and resolutions adopted by the Union; instruments under the Common Foreign and Security Policy; international agreements concluded by the Union and those entered into by the member states among themselves within the sphere of the Union’s activities.
- Adoption and implementation of the acquis are the basis of the accession negotiations.
- European Commission. European Neighbourhood Policy and Enlargement Negotiations. Available at: https://ec.europa.eu/neighbourhood-enlargement/policy/glossary/terms/acquis_en (Accessed March 18, 2018).
- National Assembly of Bosnia and Herzegovina. The Law on Amendments to the Law on Protection of Personal Data. Official Gazette of B&H, No. 76/11 and 89/11.
- The European Parliament and Council. Directive 95/46/EC. Adopted on October 24, 1995. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN (Accessed March 18, 2018).
- National Assembly of Bosnia and Herzegovina. Law on Intelligence and Security Agency of Bosnia and Herzegovina. Official Gazette of B&H, Nos. 12/04, 20/04, 56/06, 32/07 and 12/09.
- Controller is any public body, natural or legal person, agency or other body that manages and determines the purpose and manner of processing personal data on the basis of laws or regulations, independently or together with others.
- The Main Register of the Personal Data Protection Agency of B&H. Available at: https://www.azlp.gov.ba/gr/ (Accessed March 18, 2018).
- European Commission. Bosnia and Herzegovina Progress Report. Available at: https://ec.europa.eu/neighbourhood-enlargement/sites/near/files/pdf/key_documents/2014/20141008-bosnia-and-herzegovina-progress-report_en.pdf (Accessed March 18, 2018).
- European Commission. Data Protection in the EU. Available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en (Accessed March 18, 2018).
- Ibid.
- However, there continues to be room for different interpretation and enforcement practices among the Member States. There is therefore likely to continue to be significant differences in both substantive and procedural data protection laws and enforcement practice among EU Member States when GDPR comes into force.
- DLA Piper. Data Protection Laws of the World. Available at: https://www.dlapiper.com/en/europe/insights/publications/2014/01/data-protection-laws-of-the-world-handbook/ (Accessed March 18, 2018).
- It has been implemented differently by the EU Member States into their respective national jurisdictions, resulting in the fragmentation of national data protection laws within the EU.
- Chassang G. The impact of the EU general data protection regulation on scientific research. Ecancermedicalscience. 2017 Jan 3. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5243137/ (Accessed March 18, 2018).
- Ibid.
- The EU GDPR Portal. Available at: https://www.eugdpr.org/gdpr-faqs.html (Accessed March 18, 2018).
- Chassang G. The impact of the EU general data protection regulation on scientific research. Ecancermedicalscience. 2017 Jan 3. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5243137/ (Accessed March 18, 2018).
- Manna M. Regulation (EU) 2016/679: how the European personal data protection landscape will change. Lexology. May 31, 2016. Available at: https://www.lexology.com/library/detail.aspx?g=27ae467a-e2ed-4efc-ba4d-16d74c95e661 (Accessed March 18, 2018).
- I.e. the right of data subjects to obtain the definitive deletion of their data processed and stored by data controllers.
- Manna M. Regulation (EU) 2016/679: how the European personal data protection landscape will change. Lexology. May 31, 2016. Available at: https://www.lexology.com/library/detail.aspx?g=27ae467a-e2ed-4efc-ba4d-16d74c95e661 (Accessed March 18, 2018).
- European Commission. What does the General Data Protection Regulation (GDPR) govern? Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en (Accessed March 18, 2018).
- DLA Piper. Data Protection Laws of the World. Available at: https://www.dlapiper.com/en/europe/insights/publications/2014/01/data-protection-laws-of-the-world-handbook/ (Accessed March 18, 2018).
- The EU GDPR Portal. Available at: https://www.eugdpr.org/gdpr-faqs.html (Accessed March 18, 2018).