Data Law Navigator | Bosnia and Herzegovina

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 24 October 2018

Risk scale

Laws

Law on Protection of Personal Data BiH (Official Gazette of BiH No. 49/06, 76/11, 89/11) and connected by-laws – especially the Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of BiH, No. 67/09)

Authority

Anticipated changes to law

As part of its effort to join the EU, BiH is obliged to harmonise its legislation with EU legislation. This includes the GDPR.

Per the PDPA’s agenda for 2019, published on 3 September 2018, a draft of the new Law on Protection of Personal Data shall be prepared. Based on a report dated 14 May 2018, the PDPA’s preparation of the proposed draft of the new law is in its final phases.

If applicable: stage of legislative implementation of GDPR

See above.

Scope

The Law on Protection of Personal Data covers the protection of personal data on the territory of BiH processed by all public institutions, as well as natural and legal persons, unless otherwise specified in lex specialis.

The scope explicitly excludes personal data processed by natural persons for private purposes, and the incidental collection of personal data, unless such personal data is further processed.

Two types of data are protected: (1) personal data and (2) special category data.

Personal data is defined as any information relating to a natural person by which the person’s identity is or can be identified. The Law provides for specific requirements concerning the processing and transfer of personal data.

Special category data is defined as all personal data that reveal a natural person’s: health conditions; genetic code; racial, national or ethnic background; political opinion or membership of a party; union membership; religious, philosophical or other beliefs; sexual life; criminal convictions; and biometric data.

The Law on Protection of Personal Data BiH provides a general prohibition on the processing of special category data. However, the same Law also provides a limited exhaustive list of exemptions to this general rule.

Penalties/enforcement

The PDPA is authorised to supervise the enforcement of the Law on Protection of Personal Data. The PDPA can also impose fines of up to BAM 100,000 (around EUR 50,000) for non-compliance with the Law.

The Law on Protection of Personal Data sets out separate fines for: the legal entity acting as the data controller; its legal representative (e.g. management); and its employees.

Breach of the Law on Data Protection is a misdemeanour.

Unofficial information from the PDPA suggests that it has issued a significant number of fines.

Registration / notification

The data controller must submit its personal data registries to the PDPA. The PDPA compiles all personal data registries in the PDPA General Registry.

Before setting up automatic personal data registries, the data controller needs to submit a request to the PDPA stating its intention to set up data registries.

If the automatic processing of personal data represents a risk to the rights and freedoms of data subjects, upon receipt of the data controller’s request the PDPA reviews the data controller’s processing activities. Data processing activities can start only after the PDPA’s approval or after the expiry of a two-month period following receipt of the request.

The PDPA always conducts a prior review of:

  • the processing of special category data;
  • the processing of personal data that the data controller intends to use in assessing the personality of the data subject, and to make a decision based on the data processing.

As a general rule, personal data processing agreements and personal data processing and transfer agreements must be notified to the PDPA.

However, the PDPA must approve the transfer of personal data outside BiH to another country which does not provide adequate measures of personal data protection. The Law lists the specific situations in which such transfers are allowed.

Main obligations and processing requirements

Prior consent – mandatory as a general rule. The Law on Protection of Personal Data sets out exceptions, e.g. if the data processing is necessary for the fulfilment of tasks performed in the public interest.

Information requirements – prior to giving their consent, data subjects must be informed about: the specific personal data for which the consent is given; the name of the data controller; the purpose of the data processing; and the timeframe for which the consent is given.

Security measures – data controllers must provide for sufficient technical measures that ensure the security of personal data.

Notification requirements to the PDPA – as outlined above.

Data subject rights

Data subjects have the right to:

  • withdraw consent for the processing of personal data at any point, unless the data controller and the data subject agree otherwise;
  • request to be informed about: the status of the processing of their personal data; the purpose of the processing; the legal basis and duration of the processing; the source of the personal data; as well as who received or who will receive the personal data and for which purpose;
  • object to the transfer of their personal data to the data user, unless this is in the public interest;
  • file a complaint to the PDPA if they establish or suspect that the data controller or data processor has infringed their rights under the Law on Protection of Personal Data;
  • request compensation, through litigation, for material and/or immaterial damage if their privacy rights are infringed under the Law on Protection of Personal Data.

Processing by third parties

A data processing agreement must be in place in which the data processor agrees to: only act on behalf of the data controller; take appropriate technical and organisational security measures to protect personal data; and to be bound by the same data protection obligations as the data controller.

The agreement must be notified to the PDPA and kept on the premises of the data controller at all times.

Transfers out of country

Personal data can be transferred out of BiH to a country that applies adequate security measures as prescribed by the Law on Protection of Personal Data. As per a recent published opinion of the PDPA, EU member countries are deemed to provide adequate security measures.

The transfer of personal data outside BiH to a country that does not provide adequate security measures is permissible only in specific prescribed situations. The PDPA must approve such transfers.

A data transfer and processing agreement is required.

Data Protection Officer

The “Rulebook on the maintenance and special technical security measures for personal data” requires the appointment of an administrator of personal data registries.

The administrator is responsible for the orderly performance of security measures, registration, and protection of personal data.

Security

The data controller and data processor must take appropriate technical and security measures to protect personal data, especially in automatic personal data processing.

The “Rulebook on the maintenance and special technical security measures for personal data” has additional regulations covering security measures – including an obligation to adopt a security measures plan.

Breach notification

There are no explicit obligations for private legal entities acting as data controllers and data processors to notify data subjects or the PDPA of a breach.

The “Rulebook on the maintenance and special technical security measures for personal data” requires that the data processor, the administrator of personal data registries, and the natural person employed or engaged by the data controller to perform activities related to personal data processing, must notify the data controller’s responsible person if there is an attempt to gain unauthorised access to the data protection security system.

Direct marketing

The Law on Protection of Personal Data specifies a general opt-out regime for direct marketing. It makes no differentiation between different forms of direct marketing (e-mail, regular mail, and phone).

Data subjects have the right to: object to the data controller’s future use or transfer of their personal data for the purpose of direct marketing; and be notified before their personal data is transferred for the first time to a third party for direct marketing purposes.

Cookies

No explicit provisions.

Useful links

 

Cyber Security

Last updated 24 October 2018

Risk scale

Laws and regulations

The system of laws and regulations is decentralized and scattered between legislation at different administrative levels.

Different laws that partially relate to cyber security have been adopted at the state level (BiH), at the level of the two entities of BiH (i.e. the Federation of BiH – FBiH, and Republika Srpska – RS) and, as a separate administrative unit, the District Brčko (DB).

State level (BiH)

  • Criminal Law of BiH (Official Gazette of BiH, No. 3/03, 32/03, 37/03, 54/04, 61/04, 30/05, 53/06, 55/06, 32/07, 8/10, 47/14, 22/15, 40/15, 35/18)
  • Law on Criminal Procedure (Official Gazette of BiH No. 3/03, 32/03, 36/03, 26/04, 63/04, 13/05, 48/05, 46/06, 76/06, 29/07, 32/07, 53/07, 76/07, 15/08, 58/08, 12/09, 16/09, 93/09, 72/13, 65/18)
  • Law on the Protection of Personal Data (Official Gazette of BiH No. 49/06, 76/11, 89/11)
  • Law on the Protection of Classified Data (Official Gazette of BiH, No.  54/05, 12/09)
  • Law on Communication of BiH (Official Gazette of BiH, No. 33/02, 31/03, 75/06, 32/10, 98/12)
  • Law on Electronic Signature (Official Gazette of BiH, No. 91/06)
  • Law on Electronic Document BiH (Official Gazette of BiH, No. 58/14)
  • Law on Prevention of Money Laundering and Financing of Terrorism (Official Gazette of BiH, No. 47/14, 46/16)
  • Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of BiH, No. 67/09)

FBiH

  • Criminal Law of FBiH (Official Gazette of FBiH no. 36/03, 37/03, 21/04, 69/04, 18/05, 42/10, 59/14, 76/14, 46/16, 75/17)
  • Law on Criminal Procedure FBiH (Official Gazette of FBiH No. 35/03, 37/03, 56/03, 78/04, 28/05, 55/06, 27/07, 53/07, 9/09, 12/10, 8/13, 59/14)
  • Law on Electronic Document of FBiH (Official Gazette of FBiH No. 55/13)

RS

  • Criminal Law of RS (Official Gazette of RS No. 64/17)
  • Law on Criminal Procedure of RS (Official Gazette of RS No. 53/12, 91/17, 66/18)
  • Law on Electronic Signature of RS (Official Gazette of RS No. 106/15)
  • Law on Electronic Document of RS (Official Gazette of RS No. 106/15)
  • Law on Electronic Business Activities of RS (Official Gazette of RS No. 59/09, 33/16)
  • Law on Information Security of RS (Official Gazette of RS No. 70/11)

DB

  • Criminal Law of DB (Official Gazette of RS, No. 10/03, 45/04, 6/05, 21/10, 47/11, 9/13, 33/13, 47/14, 26/16, 13/17)
  • Law on Criminal Procedure (Official Gazette of RS, No. 44/10, 9/13, 34/13, 27/14)
  • Instruction on mode of execution of protection of classified data on computers (Official Gazette of DB, No. 29/06)

Anticipated changes to law

At state level, it has been announced that a law on the information security and security of networks and IT systems of BiH will be adopted. A draft of the law is not publicly available.

A draft Law on Electronic Signature of FBiH has been prepared and the legislative procedure will be initiated soon.

Note: BiH is undergoing harmonisation of its entire legal system to EU legislation, as part of its efforts to join the EU as a member state. This also implies harmonisation with legislation relating to cyber security.

Application

The laws and regulations cover BiH’s obligations arising from the Convention on Cybercrime (Budapest, 23 November 2001), ratified by the Presidency of BiH on 25 March 2006.

The laws and regulations have different material and geographical scopes. For example (non-exhaustive):

  • the “Rulebook on the maintenance and special technical security measures for personal data” regulates technical and security measure obligations for all personal data controllers and personal data processors in BiH;
  • the Law on Protection of Classified Data of BiH applies to all institutions, legal entities and citizens of BiH, and to international or regional organisations (if regulated by an international agreement). It sets out obligations for: all state, RS, and FBiH administrative organs at all government levels; persons performing public duties; and all legal entities that have access to or use classified data, including their employees;
  • the Law on Electronic Signature of BiH regulates: the use of electronic signatures in closed systems (regulated by contracts between a known number of contracting parties); and open electronic communication with the court and other institutions;
  • the Law on Electronic Document of BiH applies to public institutions and all other legal entities, entrepreneurs, and natural persons, whenever they participate in activities before relevant institutions that include the use of equipment and programs for the production, transfer, download, and maintenance of information in electronic form; and
  • the Law on Electronic Business Activities of RS applies to providers of information society services on the territory of RS.

Authority

State level (BiH)

  • Department for Informatics and Telecommunication Systems (Security Ministry of BiH): www.msb.gov.ba

RS

FBiH

  • Department for the Fight Against Computer Crime (Federal Police Administration – FPA): www.fup.gov.ba

Key obligations

The laws and regulations cover different aspects of cyber security requirements. For example (non-exhaustive):

  • the “Rulebook on the maintenance and special technical security measures for personal data” requires data controllers and data processors to: appoint an administrator of personal data registries who is responsible for the orderly performance of security measures; adopt a security measures plan;
  • the Law on Protection of Classified Data of BiH requires data that may pose a threat to national security or the national interest of BiH to be classified. It also regulates security procedures for access to classified data;
  • the Law on Electronic Signature of BiH requires special technical measures and procedures for the safe use of electronic signatures;
  • the Law on Electronic Document of BiH requires: maintenance of electronic documents in electronic archives that must ensure requirements stipulated in the law; special security treatment of electronic documents containing classified data; and
  • the Law on Electronic Business Activities of RS requires providers of information society services to: transparently provide detailed information about the provider, the contract conditions, and service prices; immediately notify the relevant RS institution if they establish that their services are being used for illegal activities.

Penalties/enforcement

Some laws provide for enforcement regulations in the form of monetary fines for misdemeanours.

Criminal laws in RS, FBiH, and DB provide for monetary fines and imprisonment for criminal offences in relation to cyber security.

Example misdemeanour penalties (non-exhaustive):

  • Law on Protection of Classified Data of BiH: fines of up to BAM 5,000 (around EUR 2,500)
  • Law on Electronic Signature of BiH: fines of up to BAM 16,000 (approximately EUR 8,000)
  • Law on Electronic Document of BiH: fines of up to BAM 15,000 (around EUR 7,500)
  • Law on Electronic Business Activities of RS: fines of up to BAM 15,000 (around EUR 7,500)

Criminal offences:

  • Criminal Law of FBiH:
    • criminal offences against systems of electronic data processing (six criminal offences)
    • fines and/or imprisonment of up to 12 years for the most serious offences.
  • Criminal Code of RS:
    • criminal offences against the security of computer data (seven criminal offences)
    • fines and/or imprisonment of up to 10 years for the most serious offences.
  • Criminal Law of DB:
    • criminal offences against systems of electronic data processing (six criminal offences)
    • fines and/or imprisonment of up to 12 years for the most serious offences.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

  • BiH – a CERT within the Security Ministry of BiH (established March 2017).
  • RS – the Agency for Information Society in RS established a CERT (June 2015).
  • FBiH – establishment of a CERT was initiated in 2017. A working group, in cooperation with the FPA, is tasked with devising a plan regulating the CERT’s structure and competences.

Is there a national incident management structure for responding to cybersecurity incidents?

Unofficial information from the authorities suggests that the relevant units of the FPA, the Ministry for Internal Affairs RS, and the Security Ministry of BiH are working together and have set up a functional internal response system.

In 2017 the BiH Council of Ministers adopted the “Decision on the adoption of information systems policies management in the BiH institutions for 2017-2022”, which aims to set up an information security management system (ISMS) in accordance with relevant ISO standards.

The precondition for setting up this structure is the adoption of the Law on information security and security of networks and IT systems of BiH. It is not yet clear when this law will be adopted.

Useful links

 


Authors

Emina Mameledžija
Associate
Sarajevo