In accordance with Article IV.4.a. of the Constitution of Bosnia and Herzegovina, the Parliamentary Assembly of Bosnia and Herzegovina, at the session of the House of Representatives held on 30 November 2001 and at the session of the House of Peoples held on 20 December 2001, adopted the
LAW ON THE PROTECTION OF PERSONAL DATA
Chapter I – GENERAL PROVISIONS
Purpose of the Law
Article 1.
The purpose of this Law is to secure in the territory of Bosnia and Herzegovina for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to the processing of personal data relating to him (“data protection”).
Scope of the Law
Article 2.
This Law shall apply to processing of personal data by:
a) public bodies at the level of Bosnia and Herzegovina;
b) public bodies of the Federation of Bosnia and Herzegovina, Republika Srpska and Brcko District of Bosnia and Herzegovina (hereinafter: Brcko District of B&H) insofar as the minimum level of data protection under this Law is not governed by the legislation of the Federation of Bosnia and Herzegovina, Republika Srpska or the Brcko District of B&H;
c) other bodies of the Federation of Bosnia and Herzegovina or the Republika Srpska or the Brcko District of B&H insofar as their activities are not limited to the Federation of Bosnia and Herzegovina or Republika Srpska or the Brcko District of B&H.
Definitions
Article 3.
The protection of personal data shall mean in particular:
“Personal data” shall mean any information relating to an identified or identifiable physical person (hereinafter: data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that person;
“Special categories of data” shall mean any personal data relating to:
a) racial origin, nationality, national or ethnic origin, political opinion or party affiliation, trade union affiliation, religious or other belief, medical condition, sexual orientation; and
b) criminal convictions.
Personal data processing (processing) shall mean any operation or set of operations performed upon personal data, such as collection, storage, organization, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Data access means any operation that enables a third party to view personal data without the right to use them thereafter for any other purpose.
Controller shall mean the physical or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or European Community regulations, the controller or the special criteria for this nomination may be designated by national or European Community law.
Processor shall mean any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
The data subject’s consent shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to processing of his personal data.
Chapter II – BASIC PRINCIPLES FOR PERSONAL DATA PROTECTION
Data quality
Article 4.
Personal data undergoing automatic processing shall be:
a) obtained and processed fairly and lawfully;
b) stored for specific and legitimate purposes and not used in a way incompatible with those purposes;
c) adequate, relevant and not excessive in relation to the purposes for which they are stored;
e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Data processing
Article 5
Personal data shall not be processed unless
a) the data subject has unambiguously given his consent, or
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or
c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
d) processing is necessary for protection of vital interest of the data subjects; or
e) processing is necessary for performance of tasks carried out in public interest or performance of public authority vested into data controller or into a third person to whom the data are disclosed ; or,
f) processing is necessary for the purposes of legitimate interest pursued by the controller or a third party to whom the data are disclosed, except in cases where such interests are overridden by the interest in the fundamental rights and freedoms of the data subject.
Personal data disclosing racial origin, political opinions or religious or other convictions, as well as personal data on medical condition or sexual orientation, cannot be automatically processed unless appropriate protection is provided by law. This shall also apply to personal data relating to criminal convictions.
Personal data shall not be transferred, and files and records shall not be consolidated (merged, connected or otherwise conjoined), unless the conditions set out in Paragraphs 1 and 2 of this Article are complied with.
Paragraph 3 shall apply to the consolidation of files processed by the same controller.
Purpose of data processing
Article 6
Personal data processing shall be carried out only for specific purposes, in exercise of a right or in compliance with a legal obligation. In the case of compulsory data transfer or data access, the legal rule ordering such data handling shall also be indicated to the person obliged to furnish the data.
No personal data shall be processed other than that indispensably required for satisfying the purpose of processing and only in a way compatible with that purpose. Data shall not be used excessively and longer than is required for that purpose.
Article 7
Before collecting any personal data the data subject shall be advised whether the collection is voluntary or compulsory. In the case of the compulsory supplying of personal data the title of the relevant law ordering data processing shall be stated.
The data subject shall be notified of the purpose of the processing of the data and of the identity of the controllers and the processors and whether the data is collected from the data subject or a third party.
Data transfer abroad
Article 8
Personal data shall not be transferred from the country to a data controller or data processor abroad, whatever the data medium or the mode of transmission is, unless the conditions of Article 5 of this Law are complied with and provided that the same principles of data protection are obeyed by the foreign controller in respect of the data.
Technical data processing
Article 9.
The obligations of a data processor concerning the processing of personal data are determined by the data controller according to the provisions of this Law and other applicable laws on data processing. The data controller is responsible for the legality of the instructions concerning the operations performed upon personal data.
The data processor is responsible for the processing of personal data under the instruction of the data controller. In fulfilling his functions the data processor shall not delegate his responsibilities to other data processors unless explicitly instructed to do so by the data controller.
Data security
Article 10.
The data controller and, within its competence, the data processor shall ensure data security and shall take all technical and organisational measures and develop rules of procedure required for the enforcement of this Law and other regulations concerning data protection and secrecy.
Data, and, in particular, special categories of data, shall be protected against unauthorised access, alteration, transfer, deletion, damage, or destruction.
Article 11.
Prior to commencement of any such data processing operation, the data controller shall notify the Data Protection Commission of:
a. the purpose of the data processing;
b. the type of processed data and the legal basis therefor;
c. the range of data subjects;
d. the source of data;
e. the type of transferred data, the recipients of such data, and the legal basis of transfer;
f. the deadlines for deletion of certain types of data;
g. the name and address of data controller and of data processor, the actual place of data processing (including technical processing), as well as any activity of data processor related to the processing of personal data;
h. proposed transfers of data to third countries.
Any change in the data specified in paragraph (2) shall be reported to the Data Protection Commission within 8 days.
Access to personal data
Article 12.
The data controller shall inform the data subject of the processing of his or her personal data performed either by the data controller or by a data processor, the purpose of the processing, its legal basis and duration, the name, address and activity in connection with the data processing of a data processor, as well as who received or will receive the data and for what purpose. The length of records on transfer, and the duration of the obligation to give information, may be restricted by laws on data processing. This duration shall not be less than five years with regard to personal data or less than twenty years with regard to special categories of data.
Article 13.
The data subject shall have the right to:
a) request information on the processing of his or her personal data;
b) request the rectification of his or her personal data, or deletion thereof when demonstrated to be incorrect or processed unlawfully.
The data controller shall furnish such information in writing, in an intelligible form, within 30 days from the submission of a request.
Information referred to in paragraph (2) of this Article shall be free, except for those repeatedly requested by the same person on the same area from the same controller within a period of one year.
Article 14
The data controller shall not deny access to information to a data subject except where provided by law.
The data controller shall state the reason for denial of the information requested.
The controller shall annually report on applications denied to the Data Protection Commission.
Article 15.
The data controller shall correct inaccurate data.
Personal data shall be deleted if:
a. the processing of such data is unlawful, or
b. the data has been obtained in an unlawful manner, or
c. the data subject so requests, or
d. the purpose of processing has ceased.
Article 16.
The data subject and any other person to whom data is transferred for processing shall be informed of any rectification and deletion of the data. Such information may be dispensed with, in view of the purpose of processing, if the legitimate interest of data subject is not infringed thereby.
Article 17.
The individual rights of the data subject (Articles 11, 12 and 15) may be restricted by law in the interest of the external and internal security of the State, in the areas of national defence, national security, crime prevention or criminal investigation, as well as in the monetary interest of the State, or for protecting the data subject or the rights and freedoms of others. Such restrictions are only permissible to the extent that they are necessary in a democratic society for one of the listed purposes.
Compensation
Article 18.
The data controller shall pay compensation for any damage caused to a data subject as a result of the processing of his or her data. The data controller is liable for any damage to a data subject caused by a data processor. The data controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
No compensation shall be paid for damage caused by the injured person's intentional or seriously negligent conduct.
Chapter III – DATA PROTECTION COMMISSION
Article 19.
The Council of Ministers of Bosnia and Herzegovina (hereinafter: the Council of Ministers) shall, on the proposal of the Ministry for Civil Affairs and Communications, appoint a commission for data protection and to monitor the access to and transfer of personal data to be called the Data Protection Commission (hereinafter: the Commission). The members of the Data Protection Commission may only be citizens of Bosnia and Herzegovina and they shall have the powers, duties and functions as set out in this Chapter.
Members of the Commission shall be independent and impartial and shall not be elected officials or hold any political mandate.
The Commission shall have five members who will be appointed by the Council of Ministers. The members of the Commission shall hold office for three years.
The members of the Commission shall have at least a university degree and be selected upon the basis of their professional experience in conducting and supervising proceedings involving data protection, and their demonstrated ability to exercise their function within an appeals panel. Three members of the Commission must be qualified lawyers. The Commission shall decide by simple majority.
The members of the Commission may be removed from office on the proposal of the Council of Ministers. The Council of Ministers shall submit the proposal for removal of the member of the Data Protection Commission to the House of Peoples of the Parliamentary Assembly of Bosnia and Herzegovina. The grounds for removal of a member of the Commission shall be: conviction of the member of serious crime, physical or psychological incapacity or persistent failure to act in the fulfilling of his office.
When investigating a complaint the Commission shall have regard to the rights of an accused person and in particular the following:
a) to be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him;
b) to have adequate time and facilities for the preparation of his defence;
c) to defend himself in person or through legal assistance of his own choosing or, if he has not sufficient means to pay for legal assistance, to be given it free when the interests of justice so require;
d) to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him;
e) to have the free assistance of an interpreter if he cannot understand or speak the language used in court in the proceedings.
Article 20
The Commission shall:
a. observe the implementation of this Law and other laws on data processing;
b. examine complaints lodged with the Commission;
c. present a report on data protection to the Parliamentary Assembly of Bosnia and Herzegovina annually.
Article 21
The Commission shall monitor the conditions for protection of personal data, present proposal for adoption or modification of legislation concerning data processing and give opinion on such draft legislation.
Where the Commission observes an unlawful processing of data, it shall require the controller to discontinue the processing. The controller shall take the necessary measures without delay and inform the Commission in writing within 15 days thereof.
Article 22
In exercising its functions the Commission may request a controller or processor to furnish it with information on any matter, and may inspect any documents and records likely to bear on personal data.
The Commission may enter any premises where data are processed. The property and premises of non-statutory data controllers may only be entered and inspected during business hours.
State and official secrets shall not prevent the Commission from exercising its rights stated in this Article, but the provisions on secrecy shall bind it as well. In cases affecting state or official secrets the members of the Commission shall exercise their rights in person.
All authorities are obliged to support the Commission in carrying out its duties upon request.
Article 23
Anyone may apply to the Commission in case of violation of his or her rights, or of a direct danger thereof, concerning the processing of his or her personal data.
The Data Protection Commission may:
a. hear the applicant;
b. call witnesses and experts when it deems necessary;
c. ask for and obtain from the authorities concerned all relevant information.
Decisions of the Commission shall be:
a. subject to any judicial review in the State Court of Bosnia and Herzegovina;
b. reasoned on legal grounds;
c. notified to the appellant within 7 days.
No one shall suffer any prejudice on the grounds of his or her application to the Data Protection Commission.
Chapter IV
DATA PROCESSING IN RESEARCH INSTITUTES
Article 24
Personal data collected and stored for purposes of scientific research and statistics shall not be used for other purposes.
Personal data, as much as it is possible with regard to the research, shall be anonymised. Data capable of identifying a specified or specifiable natural person shall be stored separately. These data shall not be connected with other data except when it is required for the purposes of research.
An organisation or a person performing scientific research may disclose information obtained from personal data if consented to by the data subject or when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.
Chapter V
PENALTY PROVISIONS
Offenses
Article 25
Whoever:
a. unlawfully transfers, facilitates access to, exploits or uses personal data that has been put into his/her care or has become accessible to him/her solely due to his/her professional involvement in electronic data processing, or
b. unlawfully discloses information to another person obtained from data that has been put into his/her care or has become accessible to him/her solely due to his/her professional involvement in electronic data processing,
shall be punished with a fine in the amount ranging from KM 5,000.00 to KM 15,000.00 or by imprisonment not exceeding two years.
The procedure, under this Article, may not be initiated upon a request of the affected person.
Article 26
Whoever:
a. starts data processing without having complied with the duty of notifying the Data Protection Commission in advance, or
b. starts data processing without having obtained permission from the Data Protection Commission in cases in which this is necessary, or
c. continues data processing in spite of the fact that the Data Protection Commission has legally prohibited such processing, or
d. does not implement a legally binding decision that instructs him to provide information on stored data, to rectify data or to delete data, or
e. transmits personal data abroad without the permission of the Data Protection Commission, or
f. violates his obligations to inform data subjects on personal data, rectify incorrect data, delete data, or
g. severely violates his obligation to ensure confidentiality and secrecy of processed data or
h. does not co-operate with the Data Protection Commission, refuses to provide it with requested information or refuses to let the Data Protection Commission enter its premises,
shall be punished with a fine in the amount ranging from KM 1,000.00 to KM 10,000.00.
Chapter VI
FINAL PROVISIONS
Article 27
The Ministry of Civil Affairs and Communications in consultation with the Data Protection Commission shall issue bylaws in the following areas:
a. data security and data processing by the institutions of Bosnia and Herzegovina;
b. all other matters necessary to implement this Law.
The Commission may issue guidelines on the tasks and rules for the appointment of the personal data protection official.
Procedure for Accessing Information of Public Interest
Article 28
The provisions of this Law shall be taken into account in the application of the Law on Free Access to Information in Bosnia and Herzegovina (Official Gazette of BiH, number 28/00).
Article 29
This Law shall enter into force 30 days after the date on which it is published in the Official Gazette of BiH and it shall also be published in official gazettes of the Entities and Brcko District of Bosnia and Herzegovina.
PS BiH number 69/01
December 20, 2001, Sarajevo
Sejfudin Tokic, signed, Speaker of the House of Peoples of the Parliamentary Assembly of BiH
Zeljko Mirjanic, signed, Speaker of the House of Representatives of the Parliamentary Assembly of BiH