LAW ON THE PROTECTION OF PERSONAL DATA
“Official Gazette” of Bosnia and Herzegovina, 32/01
Based on Articles IV.4, II and III of the Constitution of Bosnia and Herzegovina, the Parliamentary Assembly of Bosnia and Herzegovina, in the session of the House of Representatives held on November 30, 2001 and in the session of the House of Peoples held on December 20, 2001, adopted the LAW ON THE PROTECTION OF PERSONAL DATA
Purpose of the Law
The purpose of this Law is to secure in the territory of Bosnia and Herzegovina for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to the processing of personal data relating to him ("data protection").
Scope of the Law
This Law shall apply to the processing of personal data by:
a. public bodies at the level of Bosnia and Herzegovina,
b. public bodies of the Federation of Bosnia and Herzegovina and Republika Srpska and the District of Brcko of Bosnia and Herzegovina insofar as the minimum level of data protection provided by this Law is not governed by the legislation of the Federation of Bosnia and Herzegovina or Republika Srpska or the District of Brcko of Bosnia and Herzegovina,
c. private bodies of the Federation of Bosnia and Herzegovina and Republika Srpska and the District of Brcko of Bosnia and Herzegovina insofar as the minimum level of data protection provided by this Law is not governed by the legislation of the Federation of Bosnia and Herzegovina or Republika Srpska or the District of Brcko of Bosnia and Herzegovina.
For the purposes of this Law in particular:
'personal data' shall mean any information relating to an identified or identifiable natural person (hereinafter: 'data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
'special categories of data' shall mean any personal data relating to
a. racial origin, nationality, national or ethnic origin, political opinion or party affiliation, trade union affiliation, religious or other belief, health, sexual life and
b. criminal conviction.
'processing of personal data' ('processing') shall mean any operation or set of operations performed upon personal data, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
'data access' shall mean any operation that enables a third party to view personal data without the right to use it thereafter for other purposes;
'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or European Community regulations, the controller or the specific criteria for his nomination may be designated by national or European Community law;
'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
BASIC PRINCIPLES FOR DATA PROTECTION
Quality of Data
Personal data undergoing automatic processing shall be:
a. obtained and processed fairly and lawfully;
b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are stored;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Personal data shall not be processed unless:
a) the data subject has unambiguously given his consent; or
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
d) processing is necessary in order to protect the vital interests of the data subject; or
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.
Personal data disclosing racial origin, political opinion, religious or other belief, as well as personal data about health or sexual life, cannot be processed automatically unless the appropriate protection is provided by law. This shall also apply to personal data related to criminal convictions.
Personal data shall not be transferred and files or records shall not be consolidated (merged, connected, or otherwise conjoined) unless the conditions set out in paragraphs 1 and 2 of this Article are complied with.
Para (3) shall apply to the consolidation of files processed by the same controller.
Purpose of Data processing
Personal data shall be processed only for a specified purpose, in exercise of a right or in compliance with a legal obligation. In the case of compulsory data transfer or access, the legal rule ordering such data handling shall also be indicated to the person obliged to furnish the data.
No personal data shall be processed other than that indispensably required for satisfying the purpose of processing and only in a way compatible with that purpose. Data shall not be used excessively and longer than is required for that purpose.
Before collecting any personal data the data subject shall be advised whether the collection is voluntary or compulsory. In the case of the compulsory supplying of personal data the title of the relevant law ordering data processing shall be stated.
The data subject shall be notified of the purpose of the processing of the data and of the identity of the controllers and the processors and whether the data is collected from the data subject or a third party.
Data Transfer Abroad
Personal data shall not be transferred from the country to a data controller or data processor abroad, whatever the data medium or the mode of transmission is, unless the conditions of Article 5 of this Law are complied with and provided that the same principles of data protection are obeyed by the foreign controller in respect of the data.
Technical Data Processing
The obligations of a data processor concerning the processing of personal data are determined by the data controller according to the provisions of this Law and other applicable laws on data processing. The data controller is responsible for the legality of the instructions concerning the operations performed upon personal data.
The data processor is responsible for the processing of personal data under the instruction of the data controller. In fulfilling his functions the data processor shall not delegate his responsibilities to other data processors unless explicitly instructed to do so by the data controller.
The data controller and, within its competence, the data processor shall ensure data security and shall take all technical and organisational measures and develop rules of procedure required for the enforcement of this Law and other regulations concerning data protection and secrecy.
Data, and, in particular, special categories of data, shall be protected against unauthorised access, alteration, transfer, deletion, damage, or destruction.
Data processing operations concerning special categories of data as referred to in Art. 3.2 shall be examined by the Data Protection Commission following receipt of a notification from the controller that such data is to be processed. Such processing operations must only be started after the Data Protection Commission has completed its examination or two months have passed since the Commission has been notified.
Prior to commencement of any such data processing operation, the data controller shall notify the Data Protection Commission of:
a. the purpose of the data processing;
b. the type of processed data and the legal basis therefor;
c. the range of data subjects;
d. the source of data;
e. the type of transferred data, the recipients of such data, and the legal basis of transfer;
f. the deadlines for deletion of certain types of data;
g. the name and address of data controller and of data processor, the actual place of data processing (including technical processing), as well as any activity of data processor related to the processing of personal data;
h. proposed transfers of data to third countries.
Any change in data specified in paragraph (2) shall be reported to the Data Protection Commission within 8 days.
Access to Personal Data
The data controller shall inform the data subject of the processing of his or her personal data performed either by the data controller or by a data processor, the purpose of the processing, its legal basis and duration, the name and address and activity in connection with the data processing of a data processor, as well as who received or will receive data and for what purpose. The length of records on transfer and the duration of the obligation to give information may be restricted by laws on data processing. This duration shall not be less than five years with regard to personal data or less than twenty years with regard to special categories of data.
The data subject shall have the right to:
a. request information on the processing of his or her personal data;
b. request the rectification of his or her personal data, or deletion thereof when demonstrated to be incorrect or processed unlawfully.
The data controller shall furnish such information in writing, in an intelligible form, within 30 days from the submission of a request.
Information referred to in paragraph (2) of this Article shall be free, except for those repeatedly requested by the same person on the same area from the same controller within a period of one year.
The data controller shall not deny access to information to a data subject except where provided by law.
The data controller shall state the reason for denial of the information requested.
The controller shall annually report on applications denied to the Data Protection Commission.
The data controller shall correct inaccurate data.
Personal data shall be deleted if
a. the processing of such data is unlawful, or
b. the data has been obtained in an unlawful manner, or
c. requested so by data subject, or
d. the purpose of processing has ceased.
The data subject and any other person to whom data is transferred for processing shall be informed of any rectification and deletion of the data. Such information may be dispensed with, in view of the purpose of processing, if the legitimate interest of data subject is not infringed thereby.
The individual rights of the data subject (Articles 11, 12 and 15) may be restricted by law in the interest of the external and internal security of the State, in the areas of national defence, national security, crime prevention or criminal investigation as well as in the monetary interest of the State, or protecting the data subject or the rights or freedoms of others. Such restrictions are only permissible to the extent that they are necessary in a democratic society for one of the listed purposes.
The data controller shall pay compensation for any damage caused to a data subject as a result of the processing of his or her data. The data controller is liable for any damage to a data subject caused by a data processor. The data controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
No compensation shall be paid for damage caused by the injured person's intentional or seriously negligent conduct.
DATA PROTECTION COMMISSION
The Council of Ministers of Bosnia and Herzegovina (hereinafter: the Council of Ministers) shall, on the proposal of the Ministry for Civil Affairs and Communications, appoint a commission for data protection and to monitor the access to and transfer of personal data to be called the Data Protection Commission (hereinafter: the Commission). The members of the Data Protection Commission may only be citizens of Bosnia and Herzegovina and they shall have the powers, duties and functions as set out in this Chapter.
Members of the Commission shall be independent and impartial and shall not be elected officials or hold any political mandate.
The Commission shall have five members who will be appointed by the Council of Ministers. The members of the Commission shall hold office for three years.
The members of the Commission shall have at least a university degree and be selected upon the basis of their professional experience in conducting and supervising proceedings involving data protection, and their demonstrated ability to exercise their function within an appeals panel. Three members of the Commission must be qualified lawyers.
The Commission shall decide by simple majority.
The members of the Commission may be removed from office on the proposal of the Council of Ministers. The Council of Ministers shall submit the proposal for removal of the member of the Data Protection Commission to the House of Peoples of the Parliamentary Assembly of Bosnia and Herzegovina. The grounds for removal of a member of the Commission shall be: conviction of the member of serious crime, physical or psychological incapacity or persistent failure to act in the fulfilling of his office.
When investigating a complaint the Commission shall have regard to the rights of an accused person and in particular the following:
a) to be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him;
b) to have adequate time and facilities for the preparation of his defence;
c) to defend himself in person or through legal assistance of his own choosing or, if he has not sufficient means to pay for legal assistance, to be given it free when the interests of justice so require;
d) to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him;
e) to have the free assistance of an interpreter if he cannot understand or speak the language used in court in the proceedings.
The Commission shall:
a. observe the implementation of this Law and other laws on data processing;
b. examine complaints lodged with the Commission;
c. present a report on data protection to the Parliamentary Assembly of Bosnia and Herzegovina annually.
The Commission shall monitor the conditions for protection of personal data, present proposals for adoption or modification of legislation concerning data processing and give opinions on such draft legislation.
The Commission, on observing unlawful processing of data, shall require the controller to discontinue the processing. The controller shall take the necessary measures without delay and inform the Commission in writing within 15 days thereof.
In exercising its functions the Commission may request a controller or processor to furnish it information on any matter, and may inspect any documents and records likely to bear on personal data.
The Commission may enter any premises where data are processed. The property and premises of non-statutory data controllers may only be entered and inspected during business hours.
State and official secrets shall not prevent the Commission from exercising its rights stated in this Article, but the provisions on secrecy shall bind it as well. In cases affecting state or official secrets the members of the Commission shall exercise their rights in person.
All authorities are obliged to support the Commission in carrying out its duties upon request.
Anyone may apply to the Commission in case of violation of his or her rights, or of a direct danger thereof, concerning the processing of his or her personal data.
The Data Protection Commission may:
a. hear the applicant;
b. call witnesses and experts when it deems necessary;
c. ask for and obtain from the authorities concerned all relevant information.
Decisions of the Commission shall be:
a. subject to any judicial review in the State Court of Bosnia and Herzegovina;
b. reasoned on legal grounds;
c. notified to the appellant within 7 days.
No one shall suffer any prejudice on the grounds of his or her application to the Data Protection Commission.
DATA PROCESSING IN RESEARCH INSTITUTES
Personal data collected and stored for purposes of scientific research and statistics shall not be used for other purposes.
Personal data, as much as it is possible with regard to the research, shall be anonymised. Data capable of identifying a specified or specifiable natural person shall be stored separately. These data shall not be connected with other data except when it is required for the purposes of research.
An organisation or a person performing scientific research may disclose information obtained from personal data if consented to by the data subject or when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.
a. unlawfully transfers, facilitates access to, exploits or uses personal data that has been put into his/her care or has become accessible to him/her solely due to his/her professional involvement in electronic data processing, or
b. unlawfully discloses information to another person obtained from data that has been put into his/her care or has become accessible to him/her solely due to his/her professional involvement in electronic data processing, and is to be fined or punished by imprisonment not exceeding two years.
shall be punished with a fine in the amount ranging from KM 5,000.00 to KM 15,000.00.
The procedure, under this Article, may not be initiated upon a request of the affected person.
a. starts data processing without having complied with the duty of notifying the Data Protection Commission in advance, or
b. starts data processing without having obtained permission from the Data Protection Commission in cases in which this is necessary, or
c. continues data processing in spite of the fact that the Data Protection Commission has legally prohibited such processing, or
d. does not implement a legally binding decision that instructs to provide information on stored data, to rectify data or to delete data,
e. transmits personal data abroad without the permission of the Data Protection Commission, or
f. violates his obligations to inform data subjects on personal data, rectify incorrect data, delete data, or
g. severely violates his obligation to ensure confidentiality and secrecy of processed data or
h. does not co-operate with the Data Protection Commission, refuses to provide it with requested information or refuses to let the Data Protection Commission enter its premises, shall be punished with a fine in the amount ranging from KM 1,000.00 to KM 10,000.00.
The Ministry of Civil Affairs and Communications in consultation with the Data Protection Commission shall issue bylaws in the following areas:
a. data security and data processing by the institutions of Bosnia and Herzegovina;
b. all other matters necessary to implement this Law.
The Commission may issue guidelines on the tasks and rules for the appointment of the personal data protection official.
Procedure for Accessing Information of Public Interest
The provisions of this Law shall be taken into account in the application of the Law on Free Access to Information in Bosnia and Herzegovina (Official Gazette of BiH, number 28/00).
This Law shall enter into force 30 days after the date on which it is published in the Official Gazette of BiH and it shall also be published in official gazettes of the Entities and Brcko District of Bosnia and Herzegovina.
PS BiH number 69/01
December 20, 2001