Bosnia and Herzegovina - Data Breach Guide

Published on Oct 26, 2019

Bosnia and Herzegovina

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

In the case of a data breach affecting residents of Bosnia and Herzegovina ("BiH"), there is no legal obligation to notify affected individuals or the Personal Data Protection Agency ("DPA").

Under Article 30 of the Law on Protection of Personal Data ("PDPL"), an individual may (but is not obligated to) file a complaint to the DPA of BiH.

Also, under the applicable secondary legislation, data processors must inform the data controller in the event of an attempt to access the data protection security system. In this case, there are no statutorily prescribed requirements that apply in respect of the procedure to be followed.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

If an individual believes that his/her right to the protection of personal data has been breached, or that his/her data was not handled fairly, the individual has the right to object and to ask the DPA that:

  • The controller or processor refrains from such actions and corrects the factual situation caused by these actions;
  • The controller or processor corrects or amends personal information so that it is authentic and accurate; and/or
  • The personal data is blocked or destroyed.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

The complaint must be understandable and complete. The complaint shall contain:

  • The name, surname and address of the complainant, or a note that the complainant wants to stay anonymous;
  • The name of the controller or the data processor against whom the complaint has been filed;
  • A short explanation of the complaint; and
  • Evidence and signature of the complainant, or the signature of the legal representative.

There is no specified time period in which notice must be given.

The complaint may be lodged in written form, and be submitted to the DPA by mail, fax or email. Alternatively, the complaint may be made in person to the DPA or by telephone with written notice following. The complainant may declare a preference to remain anonymous, but the DPA shall inform him/her that in this case the complainant will not be advised on the measures undertaken to address his/her complaint.

1.4 What are the penalties, fines, or risks in failing to notify, either by the DPA or in litigation?

Pursuant to Article 49 of the PDPL, a fine ranging from EUR 2,500 up to EUR 50,000 may be imposed on the controller depending on the nature of the infringement.

Fines are also prescribed for the responsible person of the controller and the employee of the controller, in the range from EUR 100 to EUR 5,000 and from EUR 50 up to EUR 2,500 respectively.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

We would recommend notifying the affected individuals of a data breach.

1.6 What are the applicable (data protection) laws or guidelines within your country?

The key legislation is the Law on Protection of Personal Data ("Official Gazette of Bosnia and Herzegovina" 49/06, 76/11 and 89/11).

1.7 Contact information for the local Data Protection Authority:

Agencija za zaštitu ličnih podataka u Bosni i Hercegovini

Dubrovačka 6, 71000 Sarajevo, Bosnia and Herzegovina

+387 33 726 250

+387 33 726 251

For more information, contact:

Sanja Voloder

CMS Reich-Rohrwig Hainz d.o.o.

Ul. Fra Anđela Zvizdovića 1, Sarajevo, BiH-71000, Bosnia and Herzegovina

+387 33 944 600

+387 33 296 410

