Bosnia & Herzegovina: AZLP clarifies application of personal data law on foreign controllers
The Agency for Personal Data Protection in Bosnia and Herzegovina ('AZLP') published, on 17 August 2022, its opinion, as issued on 7 April 2022, in which it responded to queries from a foreign company acting as a controller and engaging the services of a processor based in Bosnia and Herzegovina for the purposes of conducting a survey within the territory. In particular, the AZLP noted that the foreign controller had sought advice on the application of Law on the Protection of Personal Data No. 49/06 ('PDPL'), namely whether the foreign controller is required to designate a representative in Bosnia and Herzegovina. In response, the AZLP confirmed that the PDPL applies to foreign controllers that intend to process the personal data of citizens of Bosnia and Herzegovina, regardless of their citizenship or residence.
Furthermore, the AZLP concluded that the foreign controller in this case is required to appoint a representative under Article 12(a) of the PDPL, as well as to comply with other obligations such as maintaining records of processing and registering with the AZLP through its representative. Finally, the AZLP indicated that the appointed representative may be a legal entity or agency.
You can download the opinion, only available in Bosnian, here.