Data protection and cybersecurity laws in Bosnia and Herzegovina

Data protection

1. Local data protection laws and scope

The Law on Protection of Personal Data of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina No. 49/06, 76/11 and 89/11) and connected by-laws, especially the Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of Bosnia and Herzegovina, No. 67/09).

An unofficial English text of the Law on Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 49/06) can be found here, and the Amendments to the Law on the Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 76/11) can be found here.

The Law on Protection of Personal Data covers the protection of personal data in the territory of Bosnia and Herzegovina processed by all public institutions, as well as by natural and legal persons, unless otherwise specified.

The scope explicitly excludes personal data processed by natural persons for private purposes.

2. Data protection authority

Personal Data Protection Agency (PDPA): www.azlp.ba

3. Anticipated changes to local laws

As part of its effort to join the EU, Bosnia and Herzegovina is obliged to harmonise its legislation with EU legislation. This includes the GDPR.

A draft of the new Law on Protection of Personal Data has been prepared and will be considered by the legislature.

4. Sanctions & non-compliance

Administrative sanctions:

The PDPA is authorised to supervise the enforcement of the Law on Protection of Personal Data. Breach of the Law on Data Protection is a misdemeanour and the PDPA can also impose fines of up to BAM 100,000 (EUR 50,000) for non-compliance with the Law.

The Law on Protection of Personal Data sets out separate fines for: the legal entity acting as the data controller; its legal representative (e.g., management); and its employees.

Criminal sanctions:

Criminal sanctions are possible, as the unauthorised collection, processing and sharing of personal data can be subject to criminal prosecution and result in criminal fines or imprisonment.

Others:

N/A

5. Registration / notification / authorisation

The data controller must submit its personal data registries to the PDPA. The PDPA compiles all personal data registries in the PDPA General Registry. In cases of automated personal data processing, further requirements may apply, such as prior notification to the PDPA and additional organisational and technical security requirements.

PDPA approval may be necessary in certain instances, for example, in cases of transfers of personal data to countries that do not provide adequate measures of personal data protection and where the regulated exemptions are not met.

6. Main obligations and processing requirements

Although this is not an exhaustive list, controllers must generally ensure that:

  • their personal data registries are adequately created and registered;
  • data processing agreements are concluded with data processors in accordance with the applicable rules;
  • data subjects’ consent is obtained in the form and with the content required under the law, as and when required;
  • data subjects’ rights are complied with (e.g., the right to be informed);
  • technical and organisational security measures are in place.

7. Data subject rights

Under the PDPA, the following rights are provided to individuals, subject to certain exemptions:

  • The right to be informed about the collection of data prior to the start of such collection, and about the source of the data (unless collected from the data subject), i.e., the third party providing the information;
  • The right to access to personal data;
  • The right to objection in general;
  • The right to objection to direct marketing; and
  • The right to request correction, deletion or blocking of data.

Other rights are also envisaged, such as the right to withdraw consent for data collection and processing, file a complaint to the PDPA, object to transfer of data, request compensation, etc.

8. Processing by third parties

A data processing agreement must be concluded. The mandatory form and content of such agreements are regulated under the Law on Protection of Personal Data.

9. Transfers out of country

Personal data can be transferred out of Bosnia and Herzegovina to a country that applies adequate security measures as prescribed by the Law on Protection of Personal Data.

The transfer of personal data outside Bosnia and Herzegovina to a country that does not provide adequate security measures is permissible only in specifically prescribed instances.

10. Data Protection Officer

A Data Protection Officer is not expressly provided for under primary legislation; however, secondary legislation envisages an administrator of personal data registries.

The administrator is, inter alia, responsible for the due performance of security measures, registration, and protection of personal data.

In addition, a controller that has its seat outside the territory of Bosnia and Herzegovina and uses automated or other equipment located on the territory of Bosnia and Herzegovina for data processing shall appoint a representative for such processing, unless the equipment is used only for the purpose of transit of data across Bosnia and Herzegovina.

11. Security

Both the data controller and data processor must take appropriate technical and organisational security measures to protect personal data, especially in cases of automated personal data processing. Specific requirements are provided for under secondary legislation, namely “Rulebook on the maintenance and special technical security measures for personal data”.

12. Breach notification

There are no explicit obligations for private legal entities acting as data controllers or data processors to notify data subjects or the PDPA of a breach.

Secondary legislation however requires that the data processor, the administrator of personal data registries, and the natural person employed or engaged by the data controller to perform activities related to personal data processing, notify the data controller’s responsible person of an attempt to gain unauthorised access to the data protection security system.

13. Direct marketing

The Law on Protection of Personal Data specifies a general opt-out regime for direct marketing. It makes no differentiation between different forms of direct marketing (email, regular mail, and phone).

Data subjects have the right to:

  • oppose the data controller’s future use or transfer of their personal data for the purpose of direct marketing;
  • be notified before their personal data is transferred for the first time to a third party for direct marketing purposes.

14. Cookies and adtech

There is no explicit provision; however, if any personal data is collected or processed, any policies or procedures regulating cookies and similar technologies should be reviewed against the Law on Protection of Personal Data.

15. Risk scale

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

Bosnia and Herzegovina is composed of two distinct administrative entities, the Federation of Bosnia and Herzegovina (“FBiH”) and Republika Srpska (“RS”), as well as the Brčko District (“DB”), a condominium that forms a separate administrative unit. Legislation applicable to this overview has been introduced at different administrative levels, as follows:

State level (Bosnia and Herzegovina):

  • Criminal Law of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, No. 3/03, 32/03, 37/03, 54/04, 61/04, 30/05, 53/06, 55/06, 32/07, 8/10, 47/14, 22/15, 40/15, 35/18)
  • Law on Criminal Procedure (Official Gazette of Bosnia and Herzegovina No. 3/03, 32/03, 36/03, 26/04, 63/04, 13/05, 48/05, 46/06, 76/06, 29/07, 32/07, 53/07, 76/07, 15/08, 58/08, 12/09, 16/09, 93/09, 72/13, 65/18)
  • Law on the Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 49/06, 76/11, 89/11)
  • Law on the Protection of Classified Data (Official Gazette of Bosnia and Herzegovina, No. 54/05, 12/09)
  • Law on Communication of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, No. 33/02, 31/03, 75/06, 32/10, 98/12)
  • Law on Electronic Signature (Official Gazette of Bosnia and Herzegovina, No. 91/06)
  • Law on Electronic Document Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, No. 58/14)
  • Law on Prevention of Money Laundering and Financing of Terrorism (Official Gazette of Bosnia and Herzegovina, No. 47/14, 46/16)
  • Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of Bosnia and Herzegovina, No. 67/09)

Federation of Bosnia and Herzegovina:

  • Criminal Law of FBiH (Official Gazette of FBiH No. 36/03, 37/03, 21/04, 69/04, 18/05, 42/10, 59/14, 76/14, 46/16, 75/17)
  • Law on Criminal Procedure FBiH (Official Gazette of FBiH No. 35/03, 37/03, 56/03, 78/04, 28/05, 55/06, 27/07, 53/07, 9/09, 12/10, 8/13, 59/14, 74/20)
  • Law on Electronic Document of FBiH (Official Gazette of FBiH No. 55/13)

Republika Srpska:

  • Criminal Law of RS (Official Gazette of RS No. 64/17, 104/18)
  • Law on Criminal Procedure of RS (Official Gazette of RS No. 53/12, 91/17, 66/18)
  • Law on Electronic Signature of RS (Official Gazette of RS No. 106/15, 83/19)
  • Law on Electronic Document of RS (Official Gazette of RS No. 106/15)
  • Law on Electronic Business Activities of RS (Official Gazette of RS No. 59/09, 33/16)
  • Law on Information Security of RS (Official Gazette of RS No. 70/11)

District Brčko:

  • Criminal Law of DB (Official Gazette of RS, No. 10/03, 45/04, 6/05, 21/10, 47/11, 9/13, 33/13, 47/14, 26/16, 13/17, 19/20 (consolidated text))
  • Law on Criminal Procedure (Official Gazette of RS, No. 44/10, 9/13, 34/13, 27/14, 3/19, 16/20)
  • Instruction on mode of execution of protection of classified data on computers (Official Gazette of DB, No. 29/06)

2. Anticipated changes to local laws

Legislation governing information security, security of networks and IT systems has been announced and is planned to be introduced in the upcoming period. Additionally, draft legislation governing e-signatures has also been prepared and is likely to receive parliamentary consideration.

As a general note, considering its EU accession path, Bosnia and Herzegovina is taking action towards harmonising its laws with those of the EU. This is likely to mean harmonisation with EU legislation in the field of cybersecurity.

3. Application

The laws and regulations cover Bosnia and Herzegovina’s obligations arising from the Convention on Cybercrime (Budapest, 23 November 2001), ratified by the Presidency of Bosnia and Herzegovina on 25 March 2006.

The laws and regulations have different material and geographical scopes, such as:

  • the “Rulebook on the maintenance and special technical security measures for personal data” regulates technical and organisational security measure obligations for all personal data controllers and personal data processors in Bosnia and Herzegovina;
  • the Law on Protection of Classified Data of Bosnia and Herzegovina applies to all institutions, legal entities and citizens of Bosnia and Herzegovina, and to international or regional organisations (if regulated by an international agreement). It sets out obligations for: all state, RS, and FBiH administrative organs at all government levels; persons performing public duties; and all legal entities that have access to or use classified data, including their employees;
  • the Law on Electronic Signature of Bosnia and Herzegovina regulates: the use of electronic signatures in closed systems (regulated by contracts among a known number of contracting parties); and open electronic communication with the court and other institutions;
  • the Law on Electronic Document of Bosnia and Herzegovina applies to public institutions and all other legal entities, entrepreneurs, and natural persons, whenever they participate in activities before relevant institutions that include the use of equipment and programs for the production, transfer, download, and maintenance of information in electronic form; and
  • the Law on Electronic Business Activities of RS applies to providers of information society services on the territory of RS.

4. Authority

Bosnia and Herzegovina (also applicable for FBiH)

  • Department for Informatics and Telecommunication Systems (Security Ministry of Bosnia and Herzegovina): www.msb.gov.ba

FBiH

RS

  • Unit for Preventing High-tech Crime (Ministry for Internal Affairs of RS): www.mup.vladars.net
  • Ministry for Scientific and Technological Development, Higher Education and Information Society: www.vladars.net

5. Key obligations

The laws and regulations cover different aspects of cyber security requirements, such as:

  • the “Rulebook on the maintenance and special technical security measures for personal data” requires data controllers and data processors to: appoint an administrator of personal data registries who is responsible for the orderly performance of security measures; adopt a security measures plan; and implement the prescribed or otherwise regulated organisational and technical safeguards;
  • the Law on Protection of Classified Data of Bosnia and Herzegovina requires data that may cause a threat to national security or the national interest of Bosnia and Herzegovina to be classified. It also regulates security procedures for access to classified data;
  • the Law on Electronic Signature of Bosnia and Herzegovina requires special technical measures and procedures for the safe use of electronic signatures;
  • the Law on Electronic Document of Bosnia and Herzegovina requires: maintenance of electronic documents in electronic archives that meet the requirements stipulated in the law; and special security treatment of electronic documents containing classified data; and
  • the Law on Electronic Business Activities of RS requires providers of information society services to: transparently provide detailed information about the provider, the contract conditions, and service prices; immediately notify the relevant RS institution if they establish that their services are being used for illegal activities, etc.

6. Sanctions & non-compliance

Administrative sanctions:

  • Law on Protection of Classified Data of Bosnia and Herzegovina: fines of up to BAM 5,000 (EUR 2,500)
  • Law on Electronic Signature of Bosnia and Herzegovina: fines of up to BAM 16,000 (EUR 8,000)
  • Law on Electronic Document of Bosnia and Herzegovina: fines of up to BAM 15,000 (EUR 7,500)
  • Law on Electronic Business Activities of RS: fines of up to BAM 15,000 (EUR 7,500)

Criminal sanctions:

  • Criminal Law of Federation of Bosnia and Herzegovina:
    • criminal offences against systems of electronic data processing (six criminal offences, such as computer sabotage, unauthorised access, etc.)
    • fines and/or imprisonment of up to 12 years for the most serious offences.
  • Criminal Code of Republika Srpska:
    • criminal offences against the security of computer data (seven criminal offences, such as computer sabotage, unauthorised access, etc.)
    • fines and/or imprisonment of up to ten years for the most serious offences.
  • Criminal Law of District Brčko:

Other:

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

  • Bosnia and Herzegovina – a CERT within the Security Ministry of Bosnia and Herzegovina (established March 2017).
  • RS – the Agency for Information Society in RS established a CERT (June 2015), which is now operating within the Ministry for Scientific and Technological Development, Higher Education and Information Society.
  • FBiH – in 2018 the Government of the Federation of Bosnia and Herzegovina adopted a Decision on the appointment of a working group for responding to computer incidents (CERT) for the institutions of the Federation of Bosnia and Herzegovina, and as of July 2020 the project to establish a CERT for the institutions of FBiH is in its final stage.

8. National cybersecurity incident management structure

In 2017 the Bosnia and Herzegovina Council of Ministers adopted the “Decision on the adoption of information systems policies management in the Bosnia and Herzegovina institutions for 2017-2022”, which aims to set up an information security management system (ISMS) in accordance with relevant ISO standards.

The precondition for setting up this structure is the adoption of legislation on information security, security of networks and IT systems of Bosnia and Herzegovina which is still pending.

9. Other cybersecurity initiatives

Yes, there are several government-led strategies focusing on cybersecurity.

Sanja Voloder
Counsel
Sarajevo

Stefan Ćosović
Associate
Sarajevo