The Law on the Protection of Personal Data and the Application of the GDPR Regulation in Bosnia and Herzegovina

The Personal Data Protection Act of Bosnia and Herzegovina, dating from 2006 with subsequent amendments in 2011 (hereinafter: the Personal Data Protection Act), is the lex specialis in the field of personal data protection. The above mentioned Law is a national framework and applies only in the territory of Bosnia and Herzegovina.

GDPR (General Data Protection Regulation – hereinafter: GDPR Regulation) is a regulation adopted at the level of the European Union and is directly applicable in every member state. Therefore, since 2018, with the entry into force of the above mentioned regulation, the European Union uniformly regulates the rights and obligations regarding the protection of personal data and the rights of the persons those data concern.

The GDPR regulation primarily introduces new rules of an internal nature that apply to every organization that accesses, stores or processes personal data, but also rules of an external nature that govern how the organization handles access to or storage of certain personal data and their disclosure to third parties. In addition to the above, the GDPR regulation strengthens the position of the supervisory authority and gives the personal data protection authority the power to impose fines.

Bosnia and Herzegovina and other third countries, considered from the point of view of the European Union, are not obliged to apply the GDPR regulation directly. On the other hand, taking into account the candidate status of Bosnia and Herzegovina for membership in the European Union, Bosnia and Herzegovina is obliged to harmonize its national regulations with the standards of the European Union. The aforementioned duty to harmonize regulations is not the only point of connection between the GDPR regulation and its application in Bosnia and Herzegovina. Namely, Article 3 of the GDPR regulation stipulates that it “refers to the processing of personal data in the context of the activities of the establishment of a controller or processor in the European Union, regardless of whether the processing takes place in the European Union or not.”

In view of the above, companies outside the European Union will be subject to this Regulation if they offer goods or services to, or monitor the behavior of, European Union residents. Such a company is obliged to organize its internal system in accordance with the requirements of the GDPR regulation, regardless of the fact that it is not located in the European Union.

The GDPR regulation prescribes the cases in which data may be processed. Therefore, for the processing of personal data to be lawful, at least one of the following legal bases must exist:

  • The data subject has given consent to the processing of their data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into the contract;
  • Processing is necessary to comply with the legal obligations of the processor;
  • Processing is necessary to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child.

The above contains many open-ended legal standards, which means that for every action that leads to the processing of personal data, it is necessary to assess whether a valid legal basis for that action exists in the concrete case.

In case of violation of the provisions of the GDPR regulation, the supervisory authorities can impose sanctions of different content and type. For example, they can issue a written warning for a first, unintentional violation, or impose administrative fines of up to 10 million euros or up to 2% of the total worldwide annual turnover for the previous year, or up to 20 million euros or 4% of the total worldwide annual turnover for the previous year, etc.
