Bosnia & Herzegovina - Data Protection Overview

August 2022 

1. Governing Texts

As part of the EU approximation process, Bosnia and Herzegovina ('BiH') has taken the obligation to harmonise all of its legislation with the EU laws. Therefore, BiH is obliged to harmonise its legislation with the Acquis Communautaire, which includes the harmonisation of the Law on the Protection of Personal Data No. 49/06 ('the Law') with EU regulations in the field of personal data protection.

The main data protection law in BiH is the Law on the Protection of Personal Data No. 49/06 ('the Law'). The Agency for Personal Data Protection in Bosnia and Herzegovina ('AZLP') prepared the draft of the new Law on Personal Data Protection (only available in Serbian here) ('the Draft Law') based on General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') of the European Parliament and of the European Council. Implementation of the GDPR will be resolved within that framework.

1.1. Key acts, regulations, directives, bills

The main data protection law in BiH is the Law.

Several other rulebooks, which relate to data processing, retention, security, and supervision, are also applicable (only available in Bosnian here).

1.2. Guidelines

The AZLP regularly issues opinions on data protection matters and makes them available on its website (only available in Bosnian here).

1.3. Case law

The Court of the BiH has issued several decisions relating to data protection, which can be accessed on the AZLP's website (only available in Bosnian here).

2. Scope of Application

2.1. Personal scope

The Law shall apply to personal data, which is any information relating to an identified or identifiable natural person that is processed by all public authorities, natural and legal persons, unless otherwise stipulated by other legislation.

The Law shall not apply to personal data being processed by natural persons exclusively for personal needs and to accidental personal data collection, unless these data are subject to further processing.

A data subject is a natural person whose identity can be determined or identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

2.2. Territorial scope

The purpose of the Law is to secure in the territory of BiH for every individual, regardless of their nationality or residence, respect for human rights and fundamental freedoms, and in particular the right to privacy and data protection with regard to the processing of personal data relating to them.

A controller that is not seated in the territory of Bosnia and Herzegovina and that uses automatic or other equipment located in the territory of BiH for data processing shall appoint a representative for such processing, unless the equipment is used only for the purpose of transit of data through Bosnia and Herzegovina.

However, the AZLP has powers to perform supervision, through inspection, over fulfilment of obligations stipulated by the Law only in the territory of BiH over local establishments, i.e. entities with their registered seat in BiH.

2.3. Material scope

The Law is applicable to personal data that is processed by all public authorities, natural and legal persons, unless otherwise stipulated by other legislation. The Law shall not apply to personal data being processed by natural persons for the sole purpose of personal activity or activities of the household.

Processing of personal data constitutes any operation or set of operations performed upon data, whether automatic or not, in particular collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data access, alignment or combination, blocking, erasure, or destruction.

Special categories of personal data may not be automatically processed unless the appropriate protection has been provided.

Upon the expiry of the period necessary for the fulfilment of the purposes for which the data was collected, such data may be processed only for statistical, scientific, and historical purposes. The data collected and stored for such purposes shall not be used for other purposes.

Personal data may be processed for statistical, historic, or scientific purposes without the consent of the data subject. When processed for the aforesaid purposes, personal data must be made anonymous.

When personal data is processed for the aforesaid purposes, the right to protect privacy and personal life of the data subject must be complied with.

The controller shall not issue a decision producing legal effects in regard to the data subject or a decision which may considerably affect the data subject while being aimed at evaluating certain personal characteristics of the data subject, solely on the basis of automatic data processing. Regardless of aforesaid, the decision issued solely on the basis of automated data processing shall generate legal effects for the data subject in the following cases:

  • in a procedure of entry into a contract or implementation of the contract, provided that the request of the data subject is fulfilled or that there are appropriate protection measures of their lawful interests such as a procedure that allows them to protect their position; or
  • if the controller is authorised by a law, which also defines protection measures relevant to lawful interests of the data subject, to issue such a decision.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The competent authority is the AZLP.

3.2. Main powers, duties and responsibilities

The AZLP has powers to:

  • perform supervision, through inspection, over fulfilment of obligations stipulated by the Law;
  • keep the Central Registry;
  • accept incentives and complaints of citizens concerning breaches of the Law;
  • adopt implementing regulations, guidelines or other legal documents in line with the Law;
  • order blocking, erasing, or destroying of data, or a temporary or permanent ban on processing, and issue a warning or reprimand to the controller;
  • file a request to initiate misdemeanour proceedings pursuant to the Law;
  • provide advice and opinions in the area of personal data protection;
  • cooperate with similar authorities in other countries;
  • exercise other duties as foreseen by law; and
  • supervise the transfer of the personal data out of Bosnia and Herzegovina.

4. Key Definitions

Data controller: The 'controller' shall be understood to mean any public authority, natural or legal person, agency, or any other body, which, independently or together with another party, manages, processes and determines the purpose and the manner of personal data processing on the basis of laws or regulations (e.g. local company).

Data processor: The Law defines 'data processor' as a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. To engage a data processor, the controller has to enter into a written agreement with the processor, defining the purpose (subject matter) and the period for which the contract has been concluded, as well as adequate guarantees for the processor in terms of technical and organisational protection of personal data. The processor will only act on the basis of the controller's instructions and in any case in compliance with the processing principles and other provisions of the Law. This also means that the processor cannot transfer its obligations to other processors without explicit instructions of the controller.

Personal data: The Law defines 'personal data' as any information relating to an identified or identifiable natural person. Following such definition, the AZLP's position is that it is irrelevant by whom or how the data subject can be identified as long as they can be identified. Furthermore, merging or combining personal data that were obtained for various purposes is prohibited. Exceptionally, personal data can be combined provided that the processing was based on a special law provision and that it was carried out by the same controller.

Sensitive data: The equivalent of sensitive data under the Law is the so called 'special category of personal data' and it is defined as any personal data revealing:

  • racial origin, nationality, national or ethnic origin, political opinion or party affiliation, trade union affiliation, religious, philosophical, or other belief, health, genetic code, sexual life;
  • criminal conviction; and
  • biometric data.

Health data: The Law provides no definition per se. Special categories of data include any personal data revealing health data.

Biometric data: The Law provides no definition per se. Special categories of data include any personal data revealing biometric data.

Pseudonymisation: Not applicable. However, the Law defines 'anonymous data' as data that cannot be related to a data subject in terms of their identification, in their original form or following processing thereof.

5. Legal Bases

5.1. Consent

The Law defines consent of a data subject as any freely given specific and informed indication of a data subject's wish by which the data subject signifies their consent to processing of their personal data.

The controller may process personal data only with the consent of a data subject.

Such consent for processing special categories of personal data shall have to be granted in writing, signed by the data subject, clearly stating the data for which the consent has been granted, and must contain the name of the controller, the purpose, and period of time for which the consent has been granted.

The consent may be withdrawn at any time, unless otherwise explicitly agreed upon by the data subject and the controller. The controller will have to prove at the request of the competent authority, at any time, that consent exists for the period of personal data processing. The controller shall be required to keep the consent during the processing period.

5.2. Contract with the data subject

The controller may process data without the consent of a data subject if it is necessary for the data subject upon their own request to enter into negotiations on a contractual relationship or to fulfil the obligations agreed upon with the controller.

5.3. Legal obligations

The controller may process data without the consent of a data subject if it is carrying out personal data processing as provided by law or which is required to comply with the duties specified by law.

5.4. Interests of the data subject

The controller may process data without the consent of a data subject if it is necessary for the protection of vital interests of the data subject; in that case the consent of the data subject has to be obtained without undue delay, or else the processing has to be terminated and the collected data destroyed.

5.5. Public interest

The controller may process data without the consent of a data subject if the personal data processing is required in order to complete the task carried out in the public interest.

5.6. Legitimate interests of the data controller

The controller may process data without the consent of a data subject if it is necessary for carrying out legitimate activities of political parties, political movements, civic associations, trade union organisations, religious communities, except where there are the prevailing interests for fundamental rights and freedoms of the data subject in the activities, especially the right to privacy in relation to the processing of personal data.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The controller shall be required to:

  • process personal data fairly and lawfully;
  • process personal data collected for special, explicit, and lawful purposes in no manner contrary to the specified purpose;
  • process personal data only to the extent and scope necessary for the fulfilment of the specified purpose;
  • process only authentic and accurate personal data, and update such data when necessary;
  • erase or correct personal data which are incorrect and incomplete, given the purpose for which the data is collected or further processed;
  • process personal data only within the period of time necessary for the fulfilment of the purpose of their processing;
  • keep personal data in the format that allows identification of the data subject for not longer than required for the purpose for which the data are collected or further processed; and
  • ensure that personal data that was obtained for various purposes are not combined or merged.

7. Controller and Processor Obligations

The data controller and, within the scope of its competences, the data processor shall take care of data security and shall take all technical and organisational measures and develop rules of procedure required for the enforcement of the Law and other regulations concerning data protection and secrecy. The controller and the processor shall be required to take measures against unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transfer, other forms of illegal data processing, as well as measures against misuse of personal data. This obligation shall remain valid even after terminating personal data processing.

7.1. Data processing notification

Before processing personal data, data controllers are required to submit a notification/request of intention to establish a personal data filing system, along with the following information:

  • title of the personal data filing system;
  • first and last name and address of the data controller and the data processor, the actual place of data processing (including technical processing), as well as any activity of data processor related to the processing of personal data;
  • purpose of the data processing;
  • legal basis for the processing;
  • type of data to be processed;
  • categories of data subjects;
  • data source and method of collection;
  • type of transferred data, recipients of such data, and legal basis for the transfer;
  • deadlines for erasure of certain types of data;
  • indication regarding whether the data have been transferred into or abroad from BiH with the indication of the country or international organisation and foreign user of such personal data and the purpose for this transfer to or abroad from BiH as prescribed by an international agreement, law or other regulation, or the written consent of the person to whom this data transferred; and
  • indication of measures taken towards protecting the personal data.

The controller is authorised to begin processing personal data only after the AZLP approves the processing, or upon the expiration of two months following the day the request has been received by the AZLP. The following documents are needed:

  • application form; 
  • draft of the data subject consent for the data processing (in one of the official languages in use in BiH, Bosnian/Serbian/Croatian, or in bilingual form English/Bosnian/Serbian/Croatian);
  • entity's decision on establishment of personal data filing system;
  • Court registry excerpt for the local entity/data controller indicating the registered seat of entity;
  • Certificate of incorporation for each data processor (translated by an authorised court interpreter);
  • VAT certificate for data controller;
  • draft of the safety plan (outlining the safety and technical measures for the protection of personal data);
  • Power of Attorney;
  • in case the processor will be processing data for the controller, the agreement on personal data processing signed by the controller and the processor (in one of the official languages of BiH or translated by an authorised court interpreter);
  • in case personal data will be processed outside BiH, a data transfer agreement between the controller and the processor is also required (translation needs to be authorised by a court interpreter). Please note that the data transfer agreement must include the following elements:
    • the scope;
    • the purpose; and
    • the period of time for which the agreement has been concluded, as well as adequate guarantees of the processor in terms of technical and organisational protection of personal data.

Based on the above-mentioned documentation, the AZLP will make the assessment and following their approval the processing of the personal data may start. It usually takes up to two months for the procedure to be completed, and for the filing systems to become active. If upon the expiration of two months from the day the request was submitted, the AZLP makes no decision whatsoever, the processing may also start.

Furthermore, any data amendments concerning personal data filing systems must be submitted to the AZLP not later than within 14 days following the establishment or update of such data (Article 14(6) of the Law).

Prior control

The AZLP is mandated to carry out 'prior control', especially in cases where it involves the processing of special categories of personal data or processing of personal data which is intended to assess the personality of the data subject, including the decision-making based on such processing.

Exemptions

The notification requirement does not apply to data processing for journalistic purposes and artistic or literary expression (Article 19 of the Law).

7.2. Data transfers

The controller who is processing personal data on the basis of a special law is required to respect the right to protection of privacy and personal life of the data subject. Personal data shall not be transferred and files and records shall not be consolidated (combined, merged, or otherwise joined) if aforesaid conditions have not been fulfilled. The consolidation of records and files may be performed only if the data processing is carried out by the same controller.

Data sharing 

The Law provides that the data controller may not provide personal data to any third parties prior to notifying the data subject. If the data subject does not consent to providing the personal data, the data shall not be disclosed to the third party unless such disclosure is in the public interest. The data controller is authorised to provide personal data to other third parties based on the third party's written request if this is necessary for carrying out tasks within the competence specified by law or for exercising the lawful interests of the third party. The written request shall indicate the purpose, the legal grounds for the personal data use, and the type of personal data requested. Moreover, it is prohibited to provide personal data to other third parties who have not been authorised to process or use them, or if the purpose for which such personal data is requested is contrary to data protection principles. Personal data is processed only to the extent necessary to fulfil a certain purpose. This principle means that if the law or by-laws adopted on the basis of law do not prescribe per se which personal data are processed, then the minimum personal data required to achieve the purpose of such processing is taken.

Considering aforesaid, this is assessed and a decision on providing personal data to third parties is made on a case-by-case basis.

7.3. Data processing records

The personal data filing system controller shall establish and maintain the records for each personal data filing system, which shall contain the basic information on the system, and in particular:

  • title of personal data filing system;
  • first and last name and address of data controller and data processor, the actual place of data processing (including technical processing), as well as any activity of data processor related to the processing of personal data;
  • purpose of the data processing;
  • legal basis for the processing;
  • type of data to be processed;
  • categories of data subjects;
  • data source and method of collection;
  • type of transferred data, the recipients of such data, and the legal basis for transfer;
  • deadlines for erasure of certain types of data;
  • an indication whether the data have been transferred into or abroad from BiH with the indication of the country or international organisation and foreign third party of such personal data and the purpose for this transfer to or abroad from BiH as prescribed by an international agreement, law or other regulation, or a written consent of the person to whom this data refer; and
  • indication of measures taken towards protecting the personal data.

7.4. Data protection impact assessment

There is no definition of Data Protection Impact Assessment ('DPIA') in the Law.

7.5. Data protection officer appointment

The role of the Data Protection Officer ('DPO') is not regulated per se under the applicable legislation. However, it should be noted that, according to the Rulebook on the Manner of Keeping and Specific Measures of Personal Data Protection, compulsory appointment of an 'administrator of personal data collection' and 'executor' is regulated.

An 'administrator of personal data collection' is a physical person authorised and responsible for the managing of collections of personal data, responsible to ensure confidentiality and protection of personal data processing and proper maintenance of the security, storage, and protection of personal data.

An 'executor' is a natural person, employed or engaged with a controller performing work related to the processing of personal data.

Access to data stored in collections of personal data is permitted to authorised employees of the controller or processor and to authorised persons responsible for maintaining and developing the system for managing the collections of personal data; these persons shall be nominated by the controller.

7.6. Data breach notification

There is no general breach notification obligation. However, when the data subject finds or suspects that the controller or processor has breached the data subject's rights, or that there is a direct risk of such a breach, the data subject may file a complaint with the AZLP for the purposes of protecting their rights and thereby request the following:

  • that the controller or processor refrain from such activities and remedy the factual situation caused by such activities;
  • that the controller or processor carry out a rectification or supplementation of personal data so as to make them authentic and accurate; and
  • that the personal data be blocked or liquidated.

The AZLP shall issue a decision on the data subject's request which shall be submitted to the complainant and the controller.

The AZLP may release the controller from responsibility if it proves that the controller could not prevent the breach of data subject's rights caused by the personal data processor.

Nevertheless, the data subject may demand from the controller or the processor to suspend the irregularities, remedy an illegal state of affairs, make a corrigendum, supplementation, blockage, or to destroy the personal data.

No appeal shall be allowed against AZLP decision, but it is possible to initiate an administrative dispute proceeding before the Court of Bosnia and Herzegovina.

7.7. Data retention

There are specifically prescribed retention periods. As BiH consists of the Federation of Bosnia and Herzegovina ('FBiH') and the Republic of Srpska ('RS'), both known as entities, and the Brcko District ('BD'), there are four levels of jurisdiction, with some of the competences shared between the entities and some being the sole competence of the state. Depending on the entity in which the legal undertaking is registered, the laws of that entity apply, unless it is a state competence (e.g. VAT, protection of personal data, etc.), in which case the state law applies irrespective of the place of registration.

The retention of documents obligation is set by the entities' laws and as such will be assessed below.

Article 163 of the Labour Act of FBiH (only available in Bosnian here) and Article 261 of the Labour Act of RS (only available in Bosnian here) regulate that employers are required to retain the employees' work books during the employment period of the employees.

Article 239 of the Decision on the Implementing Regulations of the Customs Policy Act (only available in Bosnian here) sets the obligation that invoices and other relevant documents are kept for three years.

Articles 31 and 32 of the Law on Accounting and Auditing of the FBiH provide for the following:

  • the retention deadline for bookkeeping documents and business books starts on the last day of the business year;
  • auxiliary calculations, sales and purchase books are retained for two years;
  • annual reports on business activities must be retained for 11 years following the end of business year;
  • periodical calculations, transaction payment documents, must be retained for at least five years;
  • bookkeeping documents used for the auxiliary records must be retained for at least seven years;
  • bookkeeping documents used for the record and main register must be retained for at least 11 years; and
  • documents retained permanently are: payroll slips, analytical files on paid contributions, agreements on sale-purchase of real-estates, annual accounting reports, financial reports, consolidated financial reports, reports on conducted auditing and all other internal documents that may have relevance on financial activities.

Article 22 of the Law on Accounting and Auditing of RS (only available in Serbian here) regulates the following:

  • Documents retained permanently are: payroll slips, analytical files on salaries, documents proving the ownership over real-estate and securities, financial reports and reports on conducted auditing.
  • Bookkeeping documents used for the record must be retained for at least five years or longer if required by other laws.
  • The record and the main book must be retained for at least ten years.
  • Auxiliary books are maintained for at least five years.
  • Retention deadline for bookkeeping documents and business books starts on the last day of the calculation period to which they refer.
  • Retention deadline for business books and financial reports starts on the last day of the business year.

According to Article 169 of Company Law of RS (only available in Bosnian here), limited liability companies are required to retain the following documents:

  (i) copy of notarised founding act, including all of its annexes;
  (ii) any agreement between the members of the company, including all of its annexes;
  (iii) decision on registration;
  (iv) internal documents approved by the assembly members and management board;
  (v) book containing decisions;
  (vi) founding acts of every representative office or subsidiary;
  (vii) documents proving ownership over company's property;
  (viii) minutes and decisions from the assembly and management board meetings;
  (ix) minutes from the auditing boards and their other orders and conclusions;
  (x) financial reports, reports on business activities, and independent auditor reports;
  (xi) bookkeeping documentation and invoices, documents on financial reports, and business reports submitted to the competent bodies;
  (xii) the list of all associate companies along with the information on shares;
  (xiii) book of shares;
  (xiv) list with the names and addresses of the members of the management board, all persons authorised to represent the company;
  (xv) the name and the address of the internal auditor and the members of the auditing board;
  (xvi) list of all share transfers including pledges; and
  (xvii) the list of all agreements that were concluded by manager and management board members.

A company is required to retain the notarised founding act (i), including all of its annexes, permanently, whereas documents (ii)-(xvii) are retained for at least five years, after which they must be retained in accordance with the rules on archives.

The Decree on Organisation and Methods of Archiving Activities in Legal Entities of FBiH (only available in Bosnian here) ('the Organisation Decree') provides that the retention period may be two, five, ten, or 20 years, etc. or permanent ('P') and permanent operational ('PO') (Article 8 of the Organisation Decree). Companies are required, within their office management, to organise and conduct as a part of their regular activities, archiving activities which would relate to their regular activities (Article 9 of the Organisation Decree). To this end, and for the reasons of proper archiving and retention of subject-matters and other materials of the register, as well as for the reasons of selecting of archiving materials from the materials of the register, companies are required to submit the list of categories of materials of the register, within the retention period as referenced above, for the approval of the Archive Administration of FBiH. For the registry materials which have not been considered as materials for archiving, retention limitation shall be determined in accordance with the needs of the company.

The Law on Archiving of RS (only available in Serbian here) provides that the retention period can be two, five, ten, or 20 years, or permanent. In accordance with Article 8(3), companies are required to make lists of the documents that they intend to retain, proposing the retention period as well. These lists are subject to approval of the Archive Administration of RS.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

In the case of processing of a special category of personal data, consent has to be in written form, signed by the data subject and it must clearly identify the personal data for which it was given, the controller and the processing purposes and the period for which it was given. In practice this means that it has to be provided on an informed and voluntary basis. Also, it means that it has to be in a specific and understandable language. The proposed processing period is subject (just as all the other items of the data filing system request) to the AZLP's approval. The AZLP uses a proportionality test to assess controllers' requests for processing in terms of proposed personal data for proposed time and purposes.

In principle, the processing of special categories of personal data is prohibited. However, some exemptions apply and processing is allowed if:

  • the data subject has explicitly consented to the processing;
  • the data processing is necessary to protect the life and health, property and other vital interests of the data subject or some other person from whom such consent cannot be obtained, in particular, when a physically, mentally, or legally incapacitated person is concerned, or if the person concerned is missing or for other similar reasons;
  • the data processing is necessary for the fulfilment of an obligation or exercise of special rights of the controller arising from labour legislation, inasmuch as the controller is authorised by the law;
  • the data processing is carried out to serve the needs of preventive medicine, medical diagnostics, medical service providing and management, provided that such data are processed by a professional medical officer required to keep the professional secret by operation of law or code of conduct of the responsible authority, or other persons who are also required to keep the secret;
  • the data processing is carried out within the scope of legitimate activities of an institution, foundation, association, or any other non-profit organisation with political, philosophical, religious or trade union objectives, provided that the data processing shall solely relate to the members of the bodies or persons who have regular contacts with them in reference to their objectives, and the data shall not be disclosed to a third party without the consent of the data subject;
  • the data processed have been clearly made public by the data subject or this is required in order to initiate, enforce, or make defence against legal claims; or
  • it is of special public interest or in other cases stipulated by law.

In such cases, the law must contain specific provisions on appropriate protection mechanisms.

7.10. Controller and processor contracts

A controller has to enter into a written agreement with the processor, i.e. a data processing agreement. The agreement must be concluded in writing and define the purpose, the scope, and the period for which the contract has been concluded, as well as adequate guarantees from the processor in terms of technical and organisational protection of personal data.

Data processing by the processor must be regulated by an agreement that binds the processor to the controller, in particular in that the processor shall act only on the basis of the controller's instructions, in accordance with the provisions of the Law. The processor is responsible for processing personal data according to the data controller's instructions. While exercising its duties, the processor shall not transfer its responsibility to other processors unless explicitly instructed by the data controller to do so.

8. Data Subject Rights

8.1. Right to be informed

The right to be informed is not regulated per se.

Before collecting any personal data, the controller shall notify the data subject, unless they have already been informed, of the purpose of the processing, the identity of the controller, the recipient authority or third party to whom the data will be accessible, whether providing the data for processing is a legal obligation, the consequences should the data subject refuse, the cases in which the data subject has the right to refuse to provide the personal data, and whether the collection of personal data is voluntary.

8.2. Right to access

Before collecting any personal data, the controller shall notify the data subject, unless they have already been informed, of their right of access.

8.3. Right to rectification

Before collecting any personal data, the controller shall notify the data subject, unless they have already been informed, of their right to rectification of data referring to them.

8.4. Right to erasure

The basic principle of the Law is that the controller is required to erase or correct personal data that are incorrect or incomplete, given the purpose for which the data are collected or further processed. The controller shall, at the request of the data subject, correct, delete, or block data that were found to be incorrect, incorrectly recorded, or processed in any other manner contrary to the law and the rules relating to data processing. The controller shall, at the request of the data subject, inform any third party to whom the data were transferred.

8.5. Right to object/opt-out

The right to object/opt out is not regulated per se. The data subject may file an objection to the processing of the former institutions' data if such data were collected without their consent.

The data subject may request deletion of the former institutions' data if they were collected illegally.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

The data controller shall be obliged to compensate for any physical and consequential damage to the data subject resulting from a violation of their right to privacy.

The data controller shall notify the data subject, at their request, of the progress of the processing of their personal data performed either by the data controller or by a data processor, the purpose of the data processing, the legal grounds for and duration of the processing, whether the data were collected from the data subject or from a third party, the right to access personal data, and who has received or will receive the data and for what purpose.

The data subject is entitled to file a free-of-charge complaint upon the request of the controller concerning the future use or transfer of their data for direct marketing purposes, or to be notified before their data are transferred for the first time to third parties for direct marketing. If the data subject does not give their consent, personal data may not be provided to third parties.

9. Penalties

Potential sanctions for data protection non-compliance are manifold.

The AZLP has the power to investigate cases, either ex officio or in response to complaints. A broad set of instruments is available to address breaches, including warning letters requiring remediation, orders suspending processing activities, and orders for the destruction of data, among others. Such orders can be appealed to the courts.

Administrative fines are up to 100,000 KM (approx. €51,050).

Compensation claims for damages suffered by data subjects are another option. To the best of our knowledge, no such claims have been filed yet. On the non-legal side, breaches of the Law can result in reputational harm and, in turn, potential loss of customer confidence and business opportunities.

9.1. Enforcement decisions

See the section on case law above. Enforcement decisions by the AZLP are available on its website.