September 2023

1. Governing Texts

As part of the EU approximation process, Bosnia and Herzegovina ('BiH') has taken the obligation to harmonize all of its legislation with the EU laws. Therefore, BiH is obliged to harmonize its legislation with the Acquis Communautaire, which includes the harmonization of the Law on the Protection of Personal Data No. 49/06 ('the Law') with EU regulations in the field of personal data protection.

The main data protection law in BiH is the Law. The Agency for Personal Data Protection in Bosnia and Herzegovina ('AZLP') prepared the draft of the new Law on Personal Data Protection ('the Draft Law') based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') of the European Parliament and of the Council. Implementation of the GDPR will be resolved within that framework.

1.1. Key acts, regulations, directives, bills

The main data protection law in BiH is the Law.

Several other rulebooks, which relate to data processing, retention, security, and supervision, are also applicable (only available in Bosnian here).

1.2. Guidelines

The AZLP regularly issues opinions on data protection matters and makes them available on its website (only available in Bosnian here).

1.3. Case law

The Court of the BiH has issued several decisions relating to data protection, which can be accessed on the AZLP's website (only available in Bosnian here).

2. Scope of Application

2.1. Personal scope

The Law shall apply to personal data which is any information relating to an identified or identifiable natural person that is processed by all public authorities, natural and legal persons, unless otherwise stipulated by other legislation.

The Law shall not apply to personal data being processed by natural persons exclusively for personal needs and to accidental personal data collection unless these data are subject to further processing.

2.2. Territorial scope

The purpose of the Law is to secure in the territory of BiH for every individual, regardless of their nationality or residence, respect for human rights, and fundamental freedoms, and in particular the right to privacy and data protection with regard to the processing of personal data relating to them.

The controller who is not seated on the territory of BiH and who uses, in the data processing, the automatic or other equipment located on the territory of BiH, shall determine the representative for such processing unless the equipment is used only for the purpose of transit of data over BiH.

However, AZLP has powers to perform supervision, through inspection, over fulfillment of obligations stipulated by the Law only in the territory of BiH over local establishments, i.e., entities with its registered seat in BiH.

2.3. Material scope

The Law is applicable to personal data that are processed by all public authorities, natural, and legal persons unless otherwise stipulated by other legislation. This Law shall not apply to personal data being processed by natural persons for the sole purpose of personal activity or activities of the household.

Processing of personal data constitutes any operation or set of operations performed upon data, whether automatic or not, in particular, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available data access, alignment or combination, blocking, erasure or destruction.

Special categories of personal data may not be automatically processed unless the appropriate protection has been provided.

Upon the expiry of the period necessary for the fulfillment of the purposes for which the data were collected, such data may be processed only for statistical, scientific, and historical purposes. The data collected and stored for such purposes shall not be used for other purposes.

Personal data may be processed for statistical, historical, or scientific purposes without the consent of the data subject. When processed for the aforesaid purposes, personal data must be made anonymous.

When personal data are processed for the aforesaid purposes, the right to protect the privacy and personal life of the data subject must be complied with.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The competent authority is the AZLP.

3.2. Main powers, duties and responsibilities

The AZLP has powers to:

• perform supervision, through inspection, over fulfillment of obligations stipulated by the Law;
• keep the Central Registry;
• accept incentives and complaints of citizens concerning breaches of the Law;
• adopt implementing regulations, guidelines, or other legal documents in line with the Law;
• order blocking, erasing, or destroying of data, temporarily or permanent ban of processing, issuing warning or reprimand to the controller;
• file a request for filing the misdemeanor proceedings pursuant to the Law;
• provide advice and opinions in the area of personal data protection;
• co-operate with similar authorities in other countries;
• exercise other duties as foreseen by the Law; and
• supervise the transfer of personal data out of BiH.

4. Key Definitions

Data controller: The 'controller' shall be understood to mean any public authority, natural or legal person, agency, or any other body, which, independently or together with another party, manages, processes, and determines the purpose and the manner of personal data processing on the basis of laws or regulations (e.g., local company).

Data processor: The Law defines 'data processor' as a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller.

Personal data: The Law defines 'personal data' as any information relating to an identified or identifiable natural person. Following such a definition, the AZLP's position is that it is irrelevant by who or how can the data subject be identified as long as they can be identified. Furthermore, merging or combining personal data that were obtained for various purposes is prohibited. Exceptionally, personal data can be combined provided that the processing was based on a special law provision and that it was carried out by the same controller.

Sensitive data: The equivalent of sensitive data under the Law is the so-called 'special category of personal data' and it is defined as any personal data revealing:

• racial origin, nationality, national or ethnic origin, political opinion or party affiliation, trade union affiliation, religious, philosophical or other belief, health, genetic code, sexual life;
• criminal conviction; and
• biometric data.

Health data: The Law provided no definition per se. Special categories of data mean any personal data revealing health data.

Biometric data: The Law provided no definition per se. Special categories of data mean any personal data revealing biometric data.

Pseudonymization: The Law does not provide a definition for pseudonymization.

Data Subject: A Data Subject is a natural person whose identity can be determined or identified, directly or indirectly, in particular, by reference to a personal identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity.

Anonymous Data: The Law defines 'anonymous data' as data that cannot be related to a data subject in terms of their identification, in their original form or following processing thereof.

5. Legal Bases

5.1. Consent

The Law defines consent of a data subject as any freely given specific and informed indication of a data subject's wish by which the data subject signifies his consent to the processing of their personal data.

The controller may process personal data only with the consent of a data subject.

Such consent for processing special categories of personal data shall have to be granted in writing, signed by the data subject, clearly stating data for which the consent has been granted, and must contain the name of the controller, the purpose and period of time for which the consent has been granted.

The consent may be withdrawn at any time, unless otherwise explicitly agreed upon by the data subject and the controller. The controller shall have to prove, at the request of AZLP, at any time, that there is consent for the period of personal data processing. The controller shall be required to keep the consent during the processing of personal data for the processing of which the consent has been granted.

5.2. Contract with the data subject

The controller may process data without the consent of a data subject if is necessary for the data subject upon their own request to enter into negotiations on a contractual relationship or to fulfill the obligations agreed upon with the controller.

5.3. Legal obligations

The controller may process data without the consent of a data subject if it is carrying out personal data processing as provided by law or which is required to comply with the duties specified by law.

5.4. Interests of the data subject

The controller may process data without the consent of a data subject if it is necessary for the protection of the vital interests of the data subject when the consent of the data subject has to be obtained without undue delay or the processing has to be terminated and collected data destroyed.

5.5. Public interest

The controller may process data without the consent of a data subject if personal data processing is required in order to complete the task carried out in the public interest.

5.6. Legitimate interests of the data controller

The controller may process data without the consent of a data subject if it is necessary for carrying out legitimate activities of political parties, political movements, civic associations, trade union organizations, and religious communities, except where there are prevailing interests for fundamental rights and freedoms of the data subject in the activities, especially the right to privacy in relation to the processing of personal data.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The controller shall be required to:

• process personal data fairly and lawfully;
• process personal data collected for special, explicit, and lawful purposes in no manner contrary to the specified purpose;
• process personal data only to the extent and scope necessary for the fulfillment of the specified purpose;
• process only authentic and accurate personal data, and update such data when necessary;
• erase or correct personal data that are incorrect and incomplete, given the purpose for which the data are collected or further processed;
• process personal data only within the period of time necessary for the fulfillment of the purpose of their processing;
• keep personal data in the format that allows identification of the data subject for not longer than required for the purpose for which the data are collected or further processed; and
• ensure that personal data that were obtained for various purposes are not combined or merged.

7. Controller and Processor Obligations

7.1. Data processing notification

Before processing personal data, data controllers are required to submit a notification/request for intention to establish a personal data filing system along with the following information:

• title of the personal data filing system;
• first and last name and address of the data controller and the data processor, the actual place of data processing (including technical processing), as well as any activity of the data processor related to the processing of personal data;
• purpose of the data processing;
• legal basis for the processing;
• type of data to be processed;
• categories of data subjects;
• data source and method of collection;
• type of transferred data, recipients of such data, and legal basis for the transfer;
• deadlines for the erasure of certain types of data;
• indication regarding whether the data have been transferred into or abroad from BiH with the indication of the country or international organization and foreign user of such personal data and the purpose for this transfer to or abroad from BiH as prescribed by an international agreement, law or other regulation, or the written consent of the person to whom this data refer; and
• indication of measures taken towards protecting personal data.

The controller is authorized to begin processing personal data only after the AZLP approves the processing, or upon the expiration of two months following the day the request has been received by the AZLP. The following documents are needed:

• application form;
• draft of the data subject consent for the data processing (in one of the official languages in use in BiH, namely, Bosnian/Serbian/Croatian, or in bilingual form in English/Bosnian/Serbian/Croatian languages);
• entity's decision on the establishment of a personal data filing system;
• Court registry excerpt for the local entity/data controller indicating the registered seat of the entity;
• certificate of incorporation for each data processor (translated by an authorized court interpreter);
• VAT certificate for data controller;
• draft of the safety plan (outlining the safety and technical measures for the protection of personal data);
• power of attorney;
• in case the processor will be processing data for the controller, the agreement on personal data processing signed by the controller and the processor (in one of the official languages of BiH or translated by an authorized court interpreter);
• in case personal data will be processed outside BiH, a data transfer agreement between the controller and the processor is also required (translation needs to be authorized by a court interpreter). Please note that the data transfer agreement must include the following elements:
  • the scope;
  • the purpose; and
  • the period of time for which the agreement has been concluded, as well as adequate guarantees of the processor in terms of technical and organizational protection of personal data.

Based on the above-mentioned documentation, the AZLP will make the assessment and following their approval, the processing of the personal data may start. It usually takes up to two months for the procedure to be completed, and for the filing systems to become active. If upon the expiration of two months from the day the request was submitted, the AZLP makes no decision whatsoever, the processing may also start.

7.2. Data transfers

The controller who is processing personal data on the basis of a special law is required to respect the right to protection of privacy and personal life of the data subject. Personal data shall not be transferred, and files and records shall not be consolidated (combined, merged, or otherwise joined) if aforesaid conditions have not been fulfilled. The consolidation of records and files may be performed only if the data processing is carried out by the same controller.

7.3. Data processing records

The personal data filing system controller shall establish and maintain the records for each personal data filing system, which shall contain the basic information on the system, and in particular:

• title of personal data filing system;
• first and last name and address of data controller and data processor, the actual place of data processing (including technical processing), as well as any activity of data processor related to the processing of personal data;
• purpose of the data processing;
• legal basis for the processing;
• type of data to be processed;
• categories of data subjects;
• data source and method of collection;
• type of transferred data, the recipients of such data, and the legal basis for transfer;
• deadlines for the erasure of certain types of data;
• an indication whether the data have been transferred into or abroad from BiH with the indication of the country or international organization and foreign third party of such personal data and the purpose for this transfer to or abroad from BiH as prescribed by an international agreement, law or other regulation, or written consent of the person to whom this data refer;
• indication of measures taken towards protecting personal data.

7.4. Data protection impact assessment

It is not strictly regulated thus, not mandatory to carry out Data Protection Impact Assessments ('DPIA').

7.5. Data protection officer appointment

The role of the Data Protection Officer ('DPO') is not regulated per se under the applicable legislation. However, it should be noted that, according to the Rulebook on the Manner of Keeping and Specific Measures of Personal Data Protection, the compulsory appointment of an 'administrator of personal data collection' and 'executor' is regulated.

An 'administrator of personal data collection' is a physical person authorized and responsible for the managing of collections of personal data, responsible for ensuring confidentiality and protection of personal data processing and proper maintenance of the security, storage, and protection of personal data.

An 'executor' is a natural person, employed or engaged with a controller performing work related to the processing of personal data.

Access to data stored in collections of personal data is permitted to authorized employees with the controller or processor and to authorized persons responsible for the maintaining and developing of the system for managing the collections of personal data and these persons shall be nominated by the controller.

7.6. Data breach notification

There is no general breach notification obligation, however, when the data subject finds or suspects that the controller or processor breached the data subject's right, or that there is a direct risk of breach of right, the data subject may file a complaint with the AZLP for the purposes of protecting their rights and thereby request the following:

• that the controller or processor refrain from such activities and remedy the factual situation caused by such activities;
• that the controller or processor carry out a rectification or supplementation of personal data so as to make them authentic and accurate; and
• that the personal data be blocked or liquidated.

The AZLP shall issue a decision on the data subject's request which shall be submitted to the complainant and the controller.

The AZLP may release the controller from responsibility if it proves that the controller could not prevent the breach of the data subject's rights caused by the personal data processor.

Nevertheless, the data subject may demand from the controller or the processor to suspend the irregularities, remedy an illegal state of affairs, make a corrigendum, supplementation, blockage, or to destroy the personal data.

No appeal shall be allowed against the AZLP decision, but it is possible to initiate an administrative dispute proceeding before the Court of BiH.

7.7. Data retention

There are specifically prescribed retention periods. As BiH consists of the Federation of Bosnia and Herzegovina ('FBiH') and the Republic of Srpska ('RS') both known as entities, and the Brcko District ('BD'), this means that there are four levels of jurisdiction with some of the competences shared between the entities and some being sole competence of the State. Depending on the entity to which the legal undertaking is registered, the laws of that entity apply, unless it is a State competence (e.g., VAT, protection of personal data, etc.) in which case the State law applies irrespective of the place of registration.

The retention of documents obligation is set by the entities' laws and as such will be assessed below.

Article 163 of the Labor Act of FBiH (only available in Bosnian here) and Article 261 of the Labor Act of RS (only available in Bosnian here) regulate that employers are required to retain the employees' workbooks during the employment period of the employees.

Article 239 of the Decision on the Implementing Regulations of the Customers Policy Act (only available in Bosnian here), sets the obligation that the invoices and other relevant documents are kept for three years.

Articles 31 and 32 of the Law on Accounting and Auditing of the FBiH provide for:

• the retention deadline for bookkeeping documents and business books starts on the last day of the business year;
• auxiliary calculations, sales, and purchase books are retained for two years;
• annual reports on business activities must be retained for 11 years following the end of the business year;
• periodical calculations, and transaction payment documents, must be retained for at least five years;
• bookkeeping documents used for the auxiliary records must be retained for at least seven years;
• bookkeeping documents used for the record and main register must be retained for at least 11 years; and
• documents retained permanently are payroll slips, analytical files on paid contributions, agreements on the sale-purchase of real-estates, annual accountancy reports, financial reports, consolidated financial reports, reports on conducted auditing, and all other internal documents that may have relevance to financial activities.

Article 22 of the Law on Accountancy and Auditing Law of RS (only available in Serbian here) regulates the following:

• documents retained permanently that are, payroll slips, analytical files on salaries, documents proving the ownership over real estate and securities, financial reports, and reports on conducted auditing.
• bookkeeping documents used for the record must be retained for at least five years or longer if required by other laws.
• the record and the main book must be retained for at least ten years.
• auxiliary books are maintained for at least five years.
• retention deadline for bookkeeping documents and business books starts on the last day of the calculation period to which they refer.
• retention deadline for business books and financial reports starts on the last day of the business year.

According to Article 169 of Company Law of RS (only available in Bosnian here), limited liability companies are required to retain the following documents:

• copy of the notarized founding act, including all of its annexes;
• any agreement between the members of the company, including all of its annexes;
• decision on registration;
• internal documents approved by the assembly members and management board;
• book containing decisions;
• founding acts of every representative office or subsidiary;
• documents proving ownership over the company's property;
• minutes and decisions from the assembly and management board meetings;
• minutes from the auditing boards and their other orders and conclusions;
• financial reports, reports on business activities, and independent auditor reports;
• bookkeeping documentation and invoices, documents on financial reports, and business reports submitted to the competent bodies;
• the list of all associate companies along with the information on shares;
• book of shares;
• list with the names and addresses of the members of the management board, all persons authorized to represent the company;
• the name and the address of the internal auditor and the members of the auditing board;
• list of all share transfers including pledges; and
• the list of all agreements that were concluded by the manager, management board members.

A company is required to retain the notarized founding act, including all of its annexes, permanently, whereas documents (ii)-(xvii) are retained at least five years upon which they must be retain in accordance with the rules on archives.

The Decree on Organization and Methods of Archiving Activities in Legal Entities of FBiH (only available in Bosnian here) ('the Organization Decree') provides that the retention period may be two, five, 10, or 20 years, etc., or permanent ('P') and permanent operational ('PO') (Article 8 of the Organization Decree). Companies are required, within their office management, to organize and conduct as a part of their regular activities, archiving activities which would relate to their regular activities (Article 9 of the Organization Decree). To this end, and for the reasons of proper archiving and retention of subject matters and other materials of the register, as well as for the reasons of selecting of archiving materials from the materials of the register, companies are required to submit the list of categories of materials of the register, within the retention period as referenced above, for the approval of the Archive Administration of FBiH. For the registry materials which have not been considered as materials for archiving, retention limitations shall be determined in accordance with the needs of the company.

The Laws on Archiving of RS (only available in Serbian here) provide that the retention period can be two, five, 10, 20 years, or permanently. In accordance with Article 8 (3) of the Laws on Archiving of RS, companies are required to make lists of the documents that they intend to retain, proposing the retention period as well. These lists are subject to the approval of the Archive Administration of RS.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

In principle, the processing of special categories of personal data is prohibited. However, some exemptions apply, and processing is allowed if:

• the data subject has explicitly consented to the processing;
• the data processing is necessary to protect the life and health, property, and other vital interests of the data subject or some other person from whom such consent cannot be obtained, in particular, when a physically, mentally, or legally incapacitated person is concerned, or if the person concerned is missing or for other similar reasons;
• the data processing is necessary for the fulfilment of an obligation or exercise of special rights of the controller arising from labor legislation inasmuch the controller is authorized by the law;
• the data processing is carried out to serve the needs of preventive medicine, medical diagnostics, medical service providing, and management, provided that such data are processed by a professional medical officer required to keep the professional secret by operation of law or code of conduct of the responsible authority, or other persons who are also required to keep the secret;
• the data processing is carried out within the scope of legitimate activities of an institution, foundation, association, or any other non-profit organization with political, philosophical, religious, or trade union objectives, provided that the data processing shall solely relate to the members of the bodies or persons who have regular contacts with them in reference to their objectives, and the data shall not be disclosed to a third party without the consent of the data subject;
• the data processed have been clearly made public by the data subject or this is required in order to initiate, enforce, or make a defense against legal claims; or
• it is of special public interest or in other cases stipulated by law.

In such cases, the Law shall have to contain specific provisions on appropriate protection mechanisms.

In the case of processing of special category of personal data, consent has to be in written form, signed by the data subject and it must clearly identify the personal data for which it was given, the controller and the processing purposes, and the period for which it was given. In practice, this means that it has to be provided on an informed and voluntary basis. Also, it means that it has to be in a specific and understandable language. The proposed processing period is subject (just as all the other items of the data filing system request) to the AZLP's approval. The AZLP uses a proportionality test to assess controllers' requests for processing in terms of proposed personal data for proposed time and purposes.

7.10. Controller and processor contracts

A controller has to enter into a written agreement with the processor, i.e., a data processing agreement. The agreement must be concluded in writing defining the purpose, the scope, and the period for which the contract has been concluded, as well as adequate guarantees for the processor in terms of technical and organizational protection of personal data. Data processing by the processor must be regulated by an agreement, which shall bind the processor to the controller, in particular in that the processor shall act only on the basis of the controller's instructions in accordance with the provisions of the Law.

The processor shall be responsible for personal data processing according to the data controller's instructions. While exercising its duties, the processor shall not transfer its responsibility to other processors, unless explicitly instructed by the data controller to do so.

8. Data Subject Rights

8.1. Right to be informed

The right to be informed is not regulated per se as such.

Before collecting any personal data, the controller shall notify the data subject, unless they have already been informed, on the purpose of the processing, the controller, receiving authority, or third party to whom the data will be accessible, whether forwarding of data for processing is a legal obligation, the consequences for the case that the data subject refuses, the cases in which the data subject has right to refuse to provide the personal data and if the personal data collection is voluntary.

8.2. Right to access

Before collecting any personal data, the controller shall notify the data subject, unless they have already been informed, on the right to access.

8.3. Right to rectification

Before collecting any personal data, the controller shall notify the data subject, unless they have already been informed, on the right to rectification data referring to them.

8.4. Right to erasure

The basic principle of the Law is that the controller is required to erase or correct personal data which are incorrect and incomplete, given the purpose for which the data are collected or further processed. The controller shall, at the request of the data subject, correct, delete, or block data that were found to be incorrect or incorrectly listed or processed in any other manner that is contrary to the law and rules relating to data processing. The controller shall, at the request of the data subject, inform the third party about whom the data were transferred to.

8.5. Right to object/opt-out

The right to object/opt-out is not regulated per se. The data subject may file an objection to the processing of the former institutions' data if such data were collected without their consent.

The data subject may request the deletion of data of the former institutions if they were illegally collected.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

The controller shall not issue a decision producing legal effects in regard of the data subject or a decision which may considerably affect the data subject while being aimed at evaluating certain personal characteristics of the data subject, solely on the basis of automatic data processing. Regardless of the aforesaid, the decision issued solely on the basis of automated data processing shall generate legal effects for the data subject in the following cases:

• in a procedure of entry into a contract or implementation of the contract, provided that the request of the data subject is fulfilled or that there are appropriate protection measures of his lawful interests such as a procedure that allows them to protect their position; or
• if the controller is authorized by a law, which also defines protection measures relevant to lawful interests of the data subject, to issue such a decision.

8.8. Other rights

The data controller shall be obliged to compensate for any physical and consequential damage to the data subject resulting from a violation of their right to privacy.

The data controller shall notify the data subject at their request on the progress of the processing of their personal data performed either by the data controller or by a data processor, the purpose of the data processing, the legal grounds for and duration of the processing, if the data were collected from the data subject or a third party, the right to access personal data, as well as who has received or will receive data and for what purpose.

The data subject is entitled to file a free-of-charge complaint upon the request of the controller concerning the future use or transfer of their data for direct marketing purposes or to be notified before their data are transferred for the first time to third parties for direct marketing. In case the data subject does not give their consent, personal data may not be provided to third parties.

9. Penalties

Potential sanctions for data protection non-compliance are manifold.

The AZLP has the power to investigate cases, both ex officio or in response to complaints. A broad set of instruments is available to address breaches. These include warning letters requiring remediation, ordering the suspension of processing activities, and ordering the destruction of data, among others. Such orders can be appealed to the courts.

Administrative fines are up to 100,000 KM (approx. $55,149).

Compensation claims for damages suffered by data subjects are another option. To the best of our knowledge, no such claims have been filed yet. On a non-legal side breaches of the Law can result in reputation harm and, in turn, potential loss of customer confidence and business opportunities.

9.1 Enforcement decisions

See the section above on case law. Enforcement decisions by the AZLP are available on its website.