Impact of the GDPR in Bosnia & Herzegovina

1. Applicable legislation governing data protection in Bosnia & Herzegovina

Personal Data Protection Act of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina No. 49/06, 76/11 and 89/11) (“PDPA”) and connected secondary legislation – especially the Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of Bosnia and Herzegovina, No. 67/09).

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Local legislation in Bosnia and Herzegovina (“BiH”) defines general personal data and special categories of personal data in a fairly similar manner to the GDPR, although the GDPR is more specific in certain areas, such as special categories of data (e.g., it gives precise definitions of genetic, health and biometric data, which the BiH legislation does not).

2.2 Data Controller and Processor Obligations

In general, under the PDPA, controllers must ensure:

  • their personal data registries are adequately created and registered;
  • data processing agreements are concluded with data processors in accordance with the applicable rules; 
  • data subjects’ consent is obtained in form and content as and when required under the law;
  • data subjects’ rights are complied with (e.g., the right to be informed); and
  • technical and organisational security measures are in place.

The GDPR is more expansive on the topic and provides for further obligations for both controllers and processors that cannot be found under the PDPA, such as data breach notification requirements, the requirement to perform a data protection impact assessment, etc. 

2.3 Data subjects’ rights

In general, the BiH legislation provides the following rights to individuals, subject to certain exemptions: 

  • the right to be informed regarding data collection prior to starting such collection and the source of the information (unless collected from the data subject), i.e., the third party providing the information;
  • the right to access personal data;
  • the right to objection in general;
  • the right to objection to direct marketing; and 
  • the right to request correction, deletion or blocking of data.

Both the GDPR and the PDPA regulate similar data subjects’ rights, although in comparison to the PDPA, the GDPR is more expansive and provides additional rights, such as a separate right to restrict processing and a right to data portability.

2.4 Protection granted

Although the overarching aim of the legislation is to protect individuals’ data privacy across the board, when it comes to the supervisory authorities, in BiH data subjects can file an objection/complaint (in local: prigovor) with the local supervisory authority if their rights are breached and request, inter alia, suspension of the activities that caused the breach, correction of personal data to render it authentic and correct, or blocking or destruction of the data.

In a similar manner, the GDPR prescribes a number of powers and authorisations for the supervisory authorities, classified into investigative (e.g., notifying the controller/processor of an alleged infringement, obtaining access to all personal data, etc.), corrective (e.g., issuing warnings to controllers/processors) and advisory (e.g., issuing opinions, advising controllers, etc.) categories.

2.5 Data protection officer/Representative

A Data Protection Officer/Representative is not expressly provided for by the PDPA; however, secondary legislation provides for the appointment of certain personnel in charge of security and the protection of personal data.

In comparison, under the GDPR this role is given much more attention, and the data protection officer’s duties include working towards compliance with the GDPR and other relevant data protection laws, monitoring specific processes (such as the performance of data protection impact assessments), awareness-raising, training, etc.

2.6 Remedies

No major differences since under both frameworks each data subject has the right to lodge a complaint with the supervisory authority and seek an effective judicial remedy before the competent courts.

2.7 Fines

Monetary fines for breaches of the PDPA can amount to up to BAM 100,000 (EUR 50,000). In comparison, fines under the GDPR are much more severe and depend on the type of breach.

2.8 Other major differences

None to note.

3. The GDPR impact

3.1 On existing legislation and prospective rules

The PDPA has been in force since 2006 and is a relatively effective piece of legislation, gaining particular attention in the last decade alongside the increasing data privacy concerns and the local regulator’s supervisory agenda. Nevertheless, the law in BiH has not yet been aligned with the GDPR although new legislation has been drafted to achieve the needed harmonisation and is currently pending parliamentary consideration.  

3.2 In practice

In practice, although the local mandatory legislation has not yet been harmonised with the GDPR, this piece of EU legislation plays an important role across the business markets and industries in Bosnia and Herzegovina. This is due to the GDPR’s own rules on its application within and outside the EU, which address the cross-jurisdictional presence of EU businesses in BiH and vice versa.

In addition, the local data protection regulator encourages compliance with the GDPR in anticipation of the expected harmonisation of national laws, provided that compliance with the obligations under the PDPA is ensured first.

4. Conclusions/expectations/commentary 

As part of its effort to join the European Union (“EU”) and under the Stabilisation and Association Agreement, Bosnia and Herzegovina has undertaken to harmonise its domestic legislation with EU legislation by 1 June 2021; this obligation therefore also applies to the harmonisation of the PDPA with the new EU legislation on the protection of personal data and the GDPR.

Although it remains to be seen when the new legislation will be adopted, in practice any entities, businesses, undertakings or similar that act as controllers or processors of personal data must be aware of the requirement to ensure compliance with and application of the PDPA and the accompanying framework of secondary rules and the role and interplay of these with the GDPR, particularly due to any rules that impose application of the latter outside of the EU.  

Sanja Voloder
Counsel
Sarajevo
Stefan Ćosović
Associate
Sarajevo