CMS Expert Guide: Data Law Navigator

Jurisdictions compared: Brazil and Bosnia and Herzegovina. In each section the Brazil entry is given first, followed by the Bosnia and Herzegovina entry.

Data protection

1. Local data protection laws and scope

Brazil:

General Data Protection Law ("LGPD"), Law No. 13,709/2018, a comprehensive data protection law comparable to the GDPR.

Bosnia and Herzegovina:

Law on Protection of Personal Data of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina No. 49/06, 76/11 and 89/11) and connected by-laws, especially the Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of Bosnia and Herzegovina No. 67/09).

Unofficial English translations of the Law on Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 49/06) and of the Amendments to the Law on the Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 76/11) are available.

The Law on Protection of Personal Data covers the protection of personal data processed in the territory of Bosnia and Herzegovina by all public institutions, as well as by natural and legal persons, unless otherwise specified.

Its scope explicitly excludes personal data processed by natural persons for private purposes.

2. Data protection authority

Brazil:

National Data Protection Authority ("ANPD")

Bosnia and Herzegovina:

Personal Data Protection Agency ("PDPA"): www.azlp.ba

3. Anticipated changes to local laws

Brazil:

The LGPD came into force on 18 September 2020. However, the law was amended in 2020, postponing the application of its administrative sanctions to 1 August 2021.

Bosnia and Herzegovina:

As part of its effort to join the EU, Bosnia and Herzegovina is obliged to harmonise its legislation with EU legislation, including the GDPR.

A draft of a new Law on Protection of Personal Data has been prepared and will be considered by the legislature.

4. Sanctions & non-compliance

Brazil:

Administrative sanctions:
  • warning;
  • fine of up to 2% of the revenue in Brazil of the legal entity, group or conglomerate in its last fiscal year, capped at BRL 50 million per infraction;
  • daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates until it is regularised;
  • erasure of the personal data to which the infraction relates.

Criminal sanctions:

None.

Others:

Individual claims for damages and losses caused by violations of personal data protection rules.

Claims by consumer protection units and the Public Prosecutor for damages and losses caused by violations of data subjects' personal data.

Bosnia and Herzegovina:

Administrative sanctions:

The PDPA is authorised to supervise the enforcement of the Law on Protection of Personal Data. Breach of the Law is a misdemeanour, and the PDPA can impose fines of up to BAM 100,000 (approx. EUR 50,000) for non-compliance.

The Law on Protection of Personal Data sets out separate fines for: the legal entity acting as the data controller; its legal representative (e.g., management); and its employees.

Criminal sanctions:

Sanctions are possible, as unauthorised collection, processing and sharing of personal data can be subject to criminal prosecution and result in criminal fines or imprisonment.

Others:

N/A

5. Registration / notification / authorisation

Brazil:

The LGPD provides for notification to the ANPD and to data subjects of security incidents that may cause risk or relevant damage to data subjects.

There is no requirement to register data processing activities, databases or cross-border flows with the ANPD, and no data protection fee is payable.

Bosnia and Herzegovina:

The data controller must submit its personal data registries to the PDPA, which compiles all personal data registries in the PDPA General Registry. In cases of automated personal data processing, further requirements may apply, such as prior notification to the PDPA and additional organisational and technical security requirements.

PDPA approval may be necessary in certain instances, for example for transfers of personal data to countries that do not provide an adequate level of personal data protection where none of the regulated exemptions applies.

6. Main obligations and processing requirements

Brazil:

The controller and the processor must comply with the principle of good faith and the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability (liability and demonstration of compliance with the law).

The controller and the processor shall keep records of their personal data processing operations.

The controller shall appoint an "in charge person" (the LGPD equivalent of a DPO) who acts as a communication channel between the controller, the data subjects and the ANPD.

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access and from illicit or accidental incidents that lead to destruction, loss, alteration, communication or any other form of illicit or inadequate processing.

The controller must notify the ANPD and the data subjects of any security incident that could result in risk or relevant damage to data subjects.

Bosnia and Herzegovina:

Although this is not an exhaustive list, controllers must generally ensure that:

  • their personal data registries are properly created and registered;
  • data processing agreements are concluded with data processors in accordance with the applicable rules;
  • data subjects' consent is obtained, in the form and with the content required under the law, as and when required;
  • data subjects' rights are complied with (e.g., the right to be informed);
  • technical and organisational security measures are in place.

7. Data subject rights

Brazil:

The data subject has the following rights:

  • confirmation of the existence of processing of their personal data;
  • access to the data;
  • correction of incomplete, inaccurate or out-of-date data;
  • anonymisation, blocking or erasure of unnecessary or excessive data, or of data processed in non-compliance with the law;
  • portability of the data;
  • erasure of personal data processed on the basis of consent;
  • information on the public and private entities with which the controller has shared the data;
  • information on the possibility of not giving consent and on the consequences of refusal;
  • revocation of consent;
  • complaint about the data processing to the ANPD;
  • objection to processing carried out without consent where it does not comply with the law;
  • review of automated decisions that affect the data subject's interests.

Bosnia and Herzegovina:

Under the Law on Protection of Personal Data, the following rights are provided to individuals, subject to certain exemptions:

  • the right to be informed, before collection starts, that data is being collected and, where the data is not collected from the data subject, of its source (i.e., the third party providing the information);
  • the right of access to personal data;
  • the right to object in general;
  • the right to object to direct marketing; and
  • the right to request correction, deletion or blocking of data.

Other rights are also envisaged, such as the right to withdraw consent to data collection and processing, to file a complaint with the PDPA, to object to the transfer of data, to request compensation, etc.

8. Processing by third parties

Brazil:

Processing by third parties is subject to the data subject's consent.

Bosnia and Herzegovina:

A data processing agreement must be concluded. The mandatory form and content of such agreements are regulated under the Law on Protection of Personal Data.

9. Transfers out of country

Brazil:

The international transfer of personal data is allowed in the following cases:

  • to countries or international organisations that provide the level of personal data protection required by the LGPD;
  • where the controller demonstrates that compliance with the principles, data subject rights and data protection regime established by the LGPD is assured by: a) specific contractual provisions for a given transfer; b) standard contractual clauses; c) global corporate rules; or d) seals, certificates or codes of conduct;
  • where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies;
  • where the transfer is required to protect the life or physical integrity of the data subject or of a third party;
  • where the ANPD authorises the transfer;
  • where the transfer results from a commitment undertaken under an international cooperation agreement;
  • where the transfer is required for the enforcement of a public policy or a legal attribution of the public service;
  • where the data subject has given specific and highlighted consent to the transfer, after being informed of the international nature of the operation, clearly distinguished from any other purposes; or
  • where required for compliance with a statutory or regulatory obligation of the controller, for the performance of an agreement, or of preliminary procedures relating to an agreement, to which the data subject is a party, at the request of the data subject, or for the regular exercise of rights in judicial, administrative or arbitration proceedings.

Bosnia and Herzegovina:

Personal data can be transferred out of Bosnia and Herzegovina to a country that applies adequate security measures as prescribed by the Law on Protection of Personal Data.

The transfer of personal data outside Bosnia and Herzegovina to a country that does not provide adequate security measures is permissible only in specifically prescribed instances.

10. Data Protection Officer

Brazil:

An "in charge person" shall be appointed by the controller to:

  • accept complaints and communications from data subjects, provide clarifications and take measures;
  • receive communications from the ANPD and take appropriate measures;
  • instruct staff and contractors on data protection practices; and
  • perform any other duties determined by the controller or established in complementary rules.

Bosnia and Herzegovina:

A data protection officer is not expressly provided for under primary legislation; however, secondary legislation envisages an administrator of personal data registries.

The administrator is, inter alia, responsible for the due performance of security measures, registration, and protection of personal data.

In addition, a controller seated outside the territory of Bosnia and Herzegovina that uses automated or other equipment located in Bosnia and Herzegovina for data processing shall appoint a representative for such processing, unless the equipment is used only for the transit of data through Bosnia and Herzegovina.

11. Security

Brazil:

The LGPD establishes that the ANPD may set minimum technical security standards. The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access and from illicit or accidental incidents that lead to destruction, loss, alteration, communication or any other form of illicit or inadequate processing.

Bosnia and Herzegovina:

Both the data controller and the data processor must take appropriate technical and organisational security measures to protect personal data, especially in cases of automated personal data processing. Specific requirements are set out in secondary legislation, namely the Rulebook on the maintenance and special technical security measures for personal data.

12. Breach notification

Brazil:

The controller is required to report to the ANPD and to the data subjects any security incident that may cause risk or relevant damage to data subjects. It is also recommended to report incidents to the company's sector regulator and, where consumer relations are involved, to consumer protection units.

Bosnia and Herzegovina:

There is no explicit obligation on private legal entities acting as data controllers or data processors to notify data subjects or the PDPA of a breach.

Secondary legislation does, however, require the data processor, the administrator of personal data registries, and any natural person employed or engaged by the data controller to perform activities related to personal data processing, to notify the data controller's responsible person of any attempt to gain unauthorised access to the data protection security system.

13. Direct marketing

Brazil:

The LGPD does not specifically provide for direct marketing, but it is understood that data processing for direct marketing requires the data subject's consent.

Bosnia and Herzegovina:

The Law on Protection of Personal Data provides a general opt-out regime for direct marketing. It makes no distinction between different forms of direct marketing (email, regular mail and phone).

Data subjects have the right to:

  • oppose the data controller's future use or transfer of their personal data for direct marketing purposes;
  • be notified before their personal data is transferred for the first time to a third party for direct marketing purposes.

14. Cookies and adtech

Brazil:

The LGPD does not specifically deal with cookies or adtech, but it is understood that data processing for cookies and adtech requires the data subject's consent.

Bosnia and Herzegovina:

There is no explicit provision, but if any personal data is collected or processed, any policies or procedures governing cookies and similar technologies should be reviewed against the Law on Protection of Personal Data.

15. Risk scale

Brazil: Moderate

Bosnia and Herzegovina: Moderate

Cybersecurity

1. Local cybersecurity laws and scope

Brazil:

There are no dedicated cybersecurity laws in Brazil. However:

  • The Consumer Code and the Internet Act provide for certain principles and rules; 
  • The Criminal Code (Decree Law 2,848/1940) establishes the crime of “invasion” of a computing device;
  • LGPD extends to any category of personal data (both offline and online).

Bosnia and Herzegovina:

Bosnia and Herzegovina is composed of two entities, the Federation of Bosnia and Herzegovina ("FBiH") and Republika Srpska ("RS"), together with the Brčko District ("DB"), a condominium of the two entities that forms a separate administrative unit. Legislation relevant to this overview has been introduced at different administrative levels, as follows:

State level (Bosnia and Herzegovina):

  • Criminal Law of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, No. 3/03, 32/03, 37/03, 54/04, 61/04, 30/05, 53/06, 55/06, 32/07, 8/10, 47/14, 22/15, 40/15, 35/18)
  • Law on Criminal Procedure (Official Gazette of Bosnia and Herzegovina No. 3/03, 32/03, 36/03, 26/04, 63/04, 13/05, 48/05, 46/06, 76/06, 29/07, 32/07, 53/07, 76/07, 15/08, 58/08, 12/09, 16/09, 93/09, 72/13, 65/18)
  • Law on the Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 49/06, 76/11, 89/11)
  • Law on the Protection of Classified Data (Official Gazette of Bosnia and Herzegovina, No. 54/05, 12/09)
  • Law on Communication of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, No. 33/02, 31/03, 75/06, 32/10, 98/12)
  • Law on Electronic Signature (Official Gazette of Bosnia and Herzegovina, No. 91/06)
  • Law on Electronic Document Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, No. 58/14)
  • Law on Prevention of Money Laundering and Financing of Terrorism (Official Gazette of Bosnia and Herzegovina, No. 47/14, 46/16)
  • Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of Bosnia and Herzegovina, No. 67/09)

Federation of Bosnia and Herzegovina:

  • Criminal Law of FBiH (Official Gazette of FBiH No. 36/03, 37/03, 21/04, 69/04, 18/05, 42/10, 59/14, 76/14, 46/16, 75/17)
  • Law on Criminal Procedure FBiH (Official Gazette of FBiH No. 35/03, 37/03, 56/03, 78/04, 28/05, 55/06, 27/07, 53/07, 9/09, 12/10, 8/13, 59/14, 74/20)
  • Law on Electronic Document of FBiH (Official Gazette of FBiH No. 55/13)

Republika Srpska:

  • Criminal Law of RS (Official Gazette of RS No. 64/17, 104/18)
  • Law on Criminal Procedure of RS (Official Gazette of RS No. 53/12, 91/17, 66/18)
  • Law on Electronic Signature of RS (Official Gazette of RS No. 106/15, 83/19)
  • Law on Electronic Document of RS (Official Gazette of RS No. 106/15)
  • Law on Electronic Business Activities of RS (Official Gazette of RS No. 59/09, 33/16)
  • Law on Information Security of RS (Official Gazette of RS No. 70/11)

District Brčko:

  • Criminal Law of DB (Official Gazette of DB, No. 10/03, 45/04, 6/05, 21/10, 47/11, 9/13, 33/13, 47/14, 26/16, 13/17, 19/20 - consolidated text)
  • Law on Criminal Procedure of DB (Official Gazette of DB, No. 44/10, 9/13, 34/13, 27/14, 3/19, 16/20)
  • Instruction on mode of execution of protection of classified data on computers (Official Gazette of DB, No. 29/06)

2. Anticipated changes to local laws

Brazil:

Despite the absence of a cybersecurity-specific law or regulator, a national cybersecurity strategy ("E-Ciber") was introduced in 2020:

  • it aims to make Brazil a "country of excellence" in the sector;
  • it sets out ten strategic actions to strengthen cybersecurity, including: centralisation of the national cybersecurity system; increased international cooperation; improved cyber governance in both the public and private sectors; and enhanced protection of critical infrastructure;
  • it also envisages the creation of a new cybersecurity law (yet to materialise).

Bosnia and Herzegovina:

Legislation governing information security and the security of networks and IT systems has been announced and is planned to be introduced in the coming period. Draft legislation governing e-signatures has also been prepared and is likely to receive parliamentary consideration.

As a general note, given its EU accession path, Bosnia and Herzegovina is taking action to harmonise its laws with those of the EU. This is likely to mean harmonisation with EU legislation in the field of cybersecurity as well.

3. Application 

Brazil:

Not applicable.

Bosnia and Herzegovina:

The laws and regulations cover Bosnia and Herzegovina's obligations arising from the Convention on Cybercrime (Budapest, 23 November 2001), ratified by the Presidency of Bosnia and Herzegovina on 25 March 2006.

The laws and regulations have different material and geographical scopes, such as:

  • the “Rulebook on the maintenance and special technical security measures for personal data” regulates technical and organisational security measure obligations for all personal data controllers and personal data processors in Bosnia and Herzegovina;
  • the Law on Protection of Classified Data of Bosnia and Herzegovina applies to all institutions, legal entities and citizens of Bosnia and Herzegovina, and to international or regional organisations (if regulated by an international agreement). It sets out obligations for: all state, RS, and FBiH administrative organs at all government levels; persons performing public duties; and all legal entities that have access to or use classified data, including their employees;
  • the Law on Electronic Signature of Bosnia and Herzegovina regulates: the use of electronic signatures in closed systems (regulated by contracts among a known number of contracting parties); and open electronic communication with the court and other institutions;
  • the Law on Electronic Document of Bosnia and Herzegovina applies to public institutions and all other legal entities, entrepreneurs, and natural persons, whenever they participate in activities before relevant institutions that include the use of equipment and programs for the production, transfer, download, and maintenance of information in electronic form; and
  • the Law on Electronic Business Activities of RS applies to providers of information society services on the territory of RS.

4. Authority

Brazil:

Brazil does not have a cybersecurity-specific regulator. The authority responsible for cybercrime is the Ministry of Justice and Public Security.

Bosnia and Herzegovina:

State level (also applicable to FBiH):

  • Department for Informatics and Telecommunication Systems (Ministry of Security of Bosnia and Herzegovina): www.msb.gov.ba

RS:

  • Unit for Preventing High-tech Crime (Ministry of Internal Affairs of RS): www.mup.vladars.net
  • Ministry for Scientific and Technological Development, Higher Education and Information Society: www.vladars.net

5. Key obligations 

Brazil:

Not applicable.

Bosnia and Herzegovina:

The laws and regulations cover different aspects of cybersecurity requirements, such as:

  • the Rulebook on the maintenance and special technical security measures for personal data requires data controllers and data processors to: appoint an administrator of personal data registries responsible for the orderly performance of security measures; adopt a security measures plan; and implement the prescribed or otherwise regulated organisational and technical safeguards;
  • the Law on Protection of Classified Data of Bosnia and Herzegovina requires data whose disclosure may threaten the national security or national interests of Bosnia and Herzegovina to be classified. It also regulates security procedures for access to classified data;
  • the Law on Electronic Signature of Bosnia and Herzegovina requires special technical measures and procedures for the safe use of electronic signatures;
  • the Law on Electronic Document of Bosnia and Herzegovina requires: maintenance of electronic documents in electronic archives that meet the requirements stipulated in the law; and special security treatment of electronic documents containing classified data; and
  • the Law on Electronic Business Activities of RS requires providers of information society services to: transparently provide detailed information about the provider, the contract conditions and service prices; and immediately notify the relevant RS institution if they establish that their services are being used for illegal activities, etc.

6. Sanctions & non-compliance 

Brazil:

Administrative sanctions:

Under the LGPD:

  • warning;
  • fine of up to 2% of the revenue in Brazil of the legal entity, group or conglomerate in its last fiscal year, capped at BRL 50 million per infraction;
  • daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates until it is regularised;
  • erasure of the personal data to which the infraction relates.

Criminal sanctions:

Unauthorised invasion of a computing device is punishable by a fine and imprisonment (from three months to two years).

Others:

Under the LGPD:

Individual claims for damages and losses caused by violations of personal data protection rules. Claims by consumer protection units and the Public Prosecutor for damages and losses caused by violations of data subjects' personal data.

Bosnia and Herzegovina:

Administrative sanctions:
  • Law on Protection of Classified Data of Bosnia and Herzegovina: fines of up to BAM 5,000 (approx. EUR 2,500)
  • Law on Electronic Signature of Bosnia and Herzegovina: fines of up to BAM 16,000 (approx. EUR 8,000)
  • Law on Electronic Document of Bosnia and Herzegovina: fines of up to BAM 15,000 (approx. EUR 7,500)
  • Law on Electronic Business Activities of RS: fines of up to BAM 15,000 (approx. EUR 7,500)
Criminal sanctions:
  • Criminal Law of FBiH:
    • criminal offences against systems of electronic data processing (six criminal offences, such as computer sabotage and unauthorised access);
    • fines and/or imprisonment of up to 12 years for the most serious offences.
  • Criminal Law of RS:
    • criminal offences against the security of computer data (seven criminal offences, such as computer sabotage and unauthorised access);
    • fines and/or imprisonment of up to ten years for the most serious offences.
  • Criminal Law of District Brčko:
Other:

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Brazil:

CERT.br is the Brazilian National Computer Emergency Response Team.

A list of Brazilian CSIRTs is available at www.cert.br.

Bosnia and Herzegovina:

  • Bosnia and Herzegovina: a CERT within the Ministry of Security of Bosnia and Herzegovina (established March 2017).
  • RS: the Agency for Information Society of RS established a CERT in June 2015, which now operates within the Ministry for Scientific and Technological Development, Higher Education and Information Society.
  • FBiH: in 2018 the Government of FBiH adopted a Decision appointing a working group for responding to computer incidents (CERT) for the institutions of FBiH; as of July 2020, the project to establish a CERT for the institutions of FBiH was in its final stage.

8. National cybersecurity incident management structure

Brazil:

N/A

Bosnia and Herzegovina:

In 2017 the Council of Ministers of Bosnia and Herzegovina adopted the "Decision on the adoption of information systems policies management in the Bosnia and Herzegovina institutions for 2017-2022", which aims to set up an information security management system (ISMS) in accordance with the relevant ISO standards.

The precondition for setting up this structure is the adoption of legislation on information security and the security of networks and IT systems of Bosnia and Herzegovina, which is still pending.

9. Other cybersecurity initiatives 

Brazil:

A cybersecurity law is envisaged by E-Ciber, but it has yet to materialise.

Bosnia and Herzegovina:

Yes, there are several government-led strategies focusing on cybersecurity.

Carolina Vaissman Uribe, Senior Associate, Rio de Janeiro
Sanja Voloder, Attorney-at-Law, Sarajevo
Stefan Ćosović, Associate, Sarajevo