The Data Protection in the Financial Sector Note provides an overview of the financial regulation relevant to data protection.
Bosnia and Herzegovina (“B&H” or “BiH”) has a complex constitutional structure and consists of two distinct entities, the Federation of BiH (“FB&H" or “FBiH”) and Republika Srpska (“RS”), with Brčko District as a separate administrative unit. In addition, FBiH is further divided into ten Cantons. This means that legislation is introduced at several administrative levels, depending on the constitutional division of legislative competencies. For the purposes of this contribution, the legislation of the RS and FBiH, as the two largest administrative units, is considered.
Data Protection in Bosnia and Herzegovina is mainly regulated under the Law on Protection of Personal Data (hereinafter “PDPL” or the “Law”) (local “Zakon o zaštiti ličnih podataka”) - adopted at the state level.
The aim of this piece of legislation is to ensure full protection of the right to privacy and protection of personal data in respect of the collection or processing of such data in the territory of Bosnia and Herzegovina. In respect of the applicability of the General Data Protection Regulation, i.e. Regulation (EU) 2016/679 (hereinafter “GDPR”), B&H is not a member state of the EU and therefore this regulation is not directly applicable in B&H. It is, however, of influence in practice, and the data protection regulator in B&H – the Personal Data Protection Agency (hereinafter: "PDPA") – encourages controllers and processors, in addition to complying with the domestic data protection legislation, to also ensure compliance with the GDPR.
In this regard it should be noted that a new law on personal data protection is in draft form and pending parliamentary consideration. Its aim is to bring domestic regulations into alignment with the GDPR.
This is in line with B&H's long-term goal of joining the EU, in pursuit of which it aims to align its legislation with EU standards by 2021 under the country's undertakings in the executed BiH Stabilization and Association Agreement.
The financial services sector largely consists of banking and insurance institutions and microcredit organisations. All of these participants are under a duty to follow the PDPL as well as the sector-specific rules on confidentiality of data and banking secrets provided for in the lex specialis regulating the work and operations of these organisations.
The following are the main pieces of legislation in B&H governing data protection and the financial services sector participants:
- Law on Protection of Personal Data (Official Gazette of B&H No. 49/06, 76/11 and 89/11) and related secondary legislation. In particular, the Rulebook on the manner of keeping and special measures of technical protection of personal data (Official Gazette of B&H No. 67/09)
- Anti-Money Laundering and Countering Terrorist Activities Financing Law of B&H (Official Gazette of B&H No. 47/14 and 46/16)
- Law on Banks of Republika Srpska (Official Gazette of RS No. 41/17, 19/18 and 54/19)
- Law on Banks of Federation of Bosnia and Herzegovina (Official Gazette of FB&H No. 27/17)
- Law on the protection of financial services users (Official Gazette of FB&H No. 31/14)
- Law on Domestic Payments of FBiH (Official Gazette of FB&H No. 48/15 and 79/15)
- Law on Domestic Payments of RS (Official Gazette of RS No. 52/12, 92/12 and 58/19)
- Insurance Law of FBiH (Official Gazette of FB&H No. 23/17)
- Law on Insurance Companies of RS (Official Gazette of RS No. 7/05, 1/06, 64/06, 74/10, 47/17 and 58/19)
1.2. SUPERVISORY AUTHORITIES
In Bosnia and Herzegovina, the Personal Data Protection Agency (in local “Agencija za zaštitu ličnih podataka”) is the relevant regulatory authority, founded under the PDPL in 2006, and holds regulatory competency for the entire territory of Bosnia and Herzegovina. In general, its competencies include, but are not limited to, supervising the implementation of the PDPL and other applicable data protection regulations, acting upon data subjects' complaints, ordering the blocking, deletion or destruction of personal data, temporarily or permanently banning the processing of data, issuing warnings or reprimands to controllers, supervising transfers of personal data outside of B&H and imposing fines/penalties in the relevant misdemeanour proceedings.
The banking and microcredit sectors in Bosnia and Herzegovina are regulated by two regulators – the Banking Agency of RS and the Banking Agency of FBiH. Furthermore, insurance, reinsurance and insurance intermediation companies are under the supervision of the B&H Insurance Agency, the Insurance Agency of RS and the Agency for Insurance Supervision of FBiH. Also, most financial services participants must be incorporated as joint stock companies and therefore may fall under the competence of the FBiH and RS Securities Commissions and the FBiH and RS Securities Registries (depending on the seat of incorporation, i.e., in FBiH or RS respectively).
2. PERSONAL AND FINANCIAL DATA MANAGEMENT
2.1. LEGAL BASIS FOR PROCESSING
The PDPL makes clear that personal data processing can only be conducted in accordance with the governing principles it sets out. Under these principles, processing of personal data must be done fairly and lawfully, for specific, explicit and lawful purposes, and only to the extent, scope and for the time necessary to meet the processing purpose. Only authentic and accurate personal data may be processed, and incorrect data must be deleted or corrected.
Data processing without the data subject's consent can be conducted only (i) if it is done in accordance with the applicable statutory provisions or to comply with competencies granted under statute, (ii) if necessary to enter into or perform contractual obligations, (iii) for the protection of the data subject's vital interests or to protect the public interest, (iv) to protect the statutory rights and interests of a controller or a third party, where the processing is not contrary to the data subject's rights to protection of personal and private life, and (v) if necessary to carry out the legitimate activities of political parties, movements and trade union organisations, except where the data subject's fundamental rights and freedoms prevail over such activities.
Data subject consent is defined as any concrete and conscious indication of a data subject's free will to grant his/her consent to the processing of his/her personal data. In the case of special categories of personal data, however, additional statutory requirements apply to the data subject's consent. Such consent must be granted in writing and signed by the data subject, and must clearly state the data to which it relates, the name of the controller, and the purpose and period of time for which the consent is given. The data subject must be given the possibility to withdraw the consent at any time, unless otherwise explicitly agreed. If requested, and in the case of processing of such special categories of personal data, the controller must be able at all times to demonstrate to the PDPA that specific data subject consent has been obtained and that it complies with the statutory requirements.
Generally, processing of special categories of personal data is prohibited unless specific conditions prescribed in the PDPL are satisfied, such as, for example, obtaining the data subject's specific consent. Special categories of personal data are racial origin, national or ethnic origin, political opinion or party affiliation, union membership, religious, philosophical or other belief, health, genetic code, sex life, criminal conviction, and biometric data.
2.2. PRIVACY NOTICES AND POLICIES
There is no express requirement for financial institutions to provide customers with their privacy policies and practices (although these are available on such institutions' websites). However, where such policies or rules are in some way incorporated into other documents (such as the general terms and conditions) communicated to customers at a certain point in the contractual relationship (e.g. at contract signing), specific conditions may apply.
Under the PDPL, before collecting any personal data, the controller must notify the data subject, unless the data subject has already been informed, of the following:
a) the purpose of processing,
b) the controller, receiving authority or third party to whom the data will be accessible,
c) whether the provision of personal data is a prescribed legal obligation,
d) the consequences if the data subject refuses to provide personal data,
e) the cases in which the data subject has a right to refuse to provide personal data,
f) whether the collection of personal data is voluntary, and
g) his/her right to access and to correct data referring to him/her.
2.3. DATA SECURITY AND RISK MANAGEMENT
Under the PDPL, the data controller and, within the scope of its competences, the data processor must ensure data security and, therefore, implement technical and organisational measures to provide for such security throughout the collection/processing of any personal data. This includes, but is not limited to, adoption of rules of procedure and policies regulating data security measures.
In terms of sector-specific regulations governing data security and risk management, there are numerous pieces of secondary legislation that apply across financial services providers (i.e., banks, insurance companies and microcredit organisations). In general, these prescribe an obligation on the institutions to maintain an information system that enables comprehensive and reliable gathering of the data necessary for monitoring and analysing all risks to which the institution is exposed.
2.4. DATA RETENTION/RECORD KEEPING
The PDPL does not regulate specific retention periods for any personal data. It does, however, provide that personal data may only be held for the duration required to complete the purpose for which the data was collected. Additionally, the controller is under an obligation to keep personal data in a format that allows identification of the data subject only for the duration required to meet the purpose of the processing and collection.
Other regulations, such as those governing anti-money laundering (please see below) or accounting and auditing provide for further rules on retention periods. For example, under the accounting and auditing rules, tax and accounting-relevant documentation and information retention periods can vary from 5 years to permanent record keeping.
3. FINANCIAL REPORTING AND MONEY LAUNDERING
Under the AML regulations, all persons/entities subject to AML obligations must comply with the provisions of the Law on Protection of Classified Information of BiH and the PDPL. All persons/entities subject to AML obligations may use data, information and documentation collected in accordance with the AML law as intelligence for the purpose of preventing and detecting money laundering and the financing of terrorist activities, as well as related predicate offences, and in other cases as required by the AML law.
Retention periods differ depending on the entity or authority in question.
Persons subject to the AML law are obliged to keep the information, data and documentation on clients, established business relations with clients and transactions made, obtained in accordance with the AML law, for at least 10 years after the termination of a business relation, completion of a transaction, client identification in a casino or gaming premises, or the client's access to a safe. Persons subject to the AML law are obliged to keep the information and supporting documentation on authorised persons, the professional training of employees and conducted internal controls for at least 4 years after the date of appointment of authorised persons, completion of professional training and conduct of internal control.
4. BANKING SECRECY AND CONFIDENTIALITY
Banking secrecy is regulated under the Law on Banks of FBiH and Law on Banks of RS.
A banking secret is defined as any data, fact or finding which has become known to shareholders, bank employees, members of the bank's bodies (and in RS, additionally, company committees) in the performance of operations and discharge of the duties within their competence, as well as to persons from a company conducting an external audit of the bank and other persons who, due to the nature of their work, have access to such data, and whose disclosure to an unauthorised person would or could cause harmful consequences for the bank and its clients. Additionally, both Laws on Banks state that a banking secret is to be considered a business secret.
The banking secret particularly involves the following data:
a) data known to the bank and pertaining to personal data, financial status and transactions as well as to the property or business relations of natural and legal persons which are clients of that or another bank,
b) data about the balance and activity on individual accounts of natural and legal persons opened in the bank.
The designated individuals in possession of secret information acquired in the course of performing their responsibilities and obligations in the institution are under a duty to keep such information strictly confidential and are expressly prohibited from using it for their own personal interests or disclosing it to third parties.
Persons to whom confidential information has become known in accordance with the Law on Banks may use it solely for the purpose for which it was obtained and may not disclose it to third parties, nor facilitate such parties' access to or use of this information, except in cases prescribed by the Law on Banks.
Both the FBiH and the RS Law on Banks provide for 26 different situations in which information considered a banking secret may be disclosed. Examples include (i) disclosure to a third party with the client's written consent, (ii) disclosure upon written request of tax authorities, inspection and other control authorities and (iii) disclosure pursuant to statutory obligations.
Insurance industry participants are also subject to the mandatory provisions of the PDPL. In addition, under the FBiH Insurance Law an insurance company is obliged to keep confidential all data, information, facts and circumstances obtained in doing business with an individual insurance company, the insurer or another insurance claim holder. All data obtained in accordance with the Insurance Law, and in particular every transfer of data between the authorities, is subject to professional secrecy.
6. PAYMENT SERVICES
EU regulations such as PSD2 are not directly applicable in B&H since B&H is not a member state of the EU. Domestic payment transactions are governed by the Laws on Domestic Payments of RS and FBiH. Under these laws, domestic payment transactions can only be carried out via a limited list of "authorised organisations". These organisations are banks, licensed bank branch offices and other expressly authorised organisations (e.g. post offices).
As previously specified, in terms of data protection, these organisations are required to comply with the PDPL and the financial-institution-specific regulations.
7. DATA TRANSFERS AND OUTSOURCING
Outsourcing (in local "eksternalizacija”) for banking institutions is regulated in the Laws on Banks of FBiH and RS. Outsourcing is defined as the contractual entrusting of the performance of certain bank activities, which the banking institution would otherwise perform itself, to a service provider (in RS, an authorised service provider). Numerous regulatory requirements apply; however, the primary obligation of all banks is to ensure that an adequate risk management system is in place in respect of the outsourced activities. Furthermore, the bank must ensure that the outsourcing does not interfere with its performance of usual bank operations, its risk management or its internal control systems. The competent banking supervisor must at all times be able to exercise supervision over any "materially significant" activities of the bank that have been outsourced. In fact, if a bank intends to outsource materially significant activities, it is under a duty to notify the competent banking agency, which shall subsequently perform the required assessment and either confirm that the outsourcing complies with the applicable laws, request the fulfilment of additional conditions, or prohibit such outsourcing altogether.
There is an express prohibition to outsource provision of any (core) banking and financial services for which a bank has been expressly authorised by the competent regulator. The outsourcing process and conditions have been further regulated by secondary legislation and guidelines introduced by the Banking Agency of RS and FBiH.
In addition to the above, the PDPL also applies, and where the third party/cloud provider is situated outside of B&H, personal data may be transferred outside of B&H provided that the recipient country ensures adequate personal data protection measures. This adequacy is assessed on a case-by-case basis and depends on a variety of factors such as the type of personal data, the country to which the data is transferred, the purpose of processing, etc. The PDPL also provides for instances in which personal data may be transferred to another country that does not provide adequate personal data protection measures (e.g. if the data subject's consent has been obtained or the PDPA has approved the transfer).
8. BREACH NOTIFICATION
Under the PDPL, in the case of a data breach, there is no legal obligation to notify the affected individuals or the PDPA. Under Article 30 of the PDPL, an individual may (but is not obliged to) file a complaint with the PDPA. Also, under the applicable secondary legislation, data processors must inform the data controller in the event of an attempted access to the data protection security system. In this case, there are no statutorily prescribed requirements as to the procedure to be followed.
Under the PDPL, fines are prescribed for infringement of specific obligations and range from EUR 2.500 up to EUR 50.000 depending on the nature of the infringement. Fines are also prescribed for the responsible person of the controller and for the employee of the controller, in the range from EUR 100 to EUR 5.000 and from EUR 50 up to EUR 2.500 respectively.
Under the applicable rules governing banking secrets, the Law on Banks of FBiH provides for a fine ranging from EUR 20.000 to EUR 100.000, while the Law on Banks of RS provides for fines ranging from EUR 500 to EUR 2.500 for natural persons and from EUR 20.000 up to EUR 100.000 for legal persons, depending on the infringement itself. Furthermore, additional fines are imposed on management members, responsible persons and the person in breach. In addition, both banking regulators, i.e. the RS and FBiH Banking Agencies, hold wide discretionary powers in performing supervisory activities over the banking sector in B&H and can order the revocation of banking licences if the required conditions are met, depending on the individual circumstances of the case.
Under the AML rules, fines range from EUR 10.000 to EUR 100.000 for a widely defined range of infringements.