Personal data protection and cross-border international cooperation PRESENTATION

Upload: elliot-tugman

Post on 01-Apr-2015


TRANSCRIPT

Page 1: Personal data protection and cross-border international cooperation PRESENTATION

Personal data protection and cross-border international cooperation

PRESENTATION


Basic information

The Personal Data Protection Agency in Bosnia and Herzegovina (hereinafter referred to as: the Agency) was established by the Law on the Protection of Personal Data (“Official Gazette of BaH”, No.: 49/06).

The Agency is located in Sarajevo and started its work in 2008.


(1) Competencies of the Agency:

To supervise the implementation of this Law and other laws on personal data processing;

To act on data subject’s complaints;

To submit to the Parliamentary Assembly of Bosnia and Herzegovina annual reports on personal data protection;

To follow the personal data protection requirements by giving proposals as to enacting or amending legislation governing the data processing, give opinions on the proposed laws and take care of fulfillment of the criteria relevant to data protection originating from international treaties that are binding for Bosnia and Herzegovina. (Article 40)


(2) The Agency is authorized to:

Perform supervision, through inspection, over fulfillment of obligations stipulated by this law;

Keep the Central Registry;

Accept incentives and complaints of citizens concerning breaches of this Law;

Adopt implementing regulations, guidelines or other legal documents in line with the Law;

Order blocking, erasing or destroying of data, a temporary or permanent ban of processing, issue a warning or reprimand to the controller;

File a request for filing the misdemeanor proceedings pursuant to this Law;

Provide advice and opinions in the area of personal data protection;

Co-operate with similar authorities in other countries;

Exercise other duties as foreseen by law;

Supervise the transfer of personal data out of Bosnia and Herzegovina.


So far, 65 inspections have been carried out (39 regular, 21 revisions, 5 extraordinary), 20 meetings with representatives of controllers have been held on the implementation of ordered measures, and 48 objections and 139 opinions have been processed.

More importantly, all conditions for issuing penalties for breaches of the Law are fulfilled.


Employees

The Agency’s staff consists of civil servants and employees. The employment relations of the civil servants working in the Agency are regulated by the Law on Civil Service in the Institutions of Bosnia and Herzegovina, while the employment relations of the employees are regulated by the Labor Law for Institutions of Bosnia and Herzegovina.

According to the Book of regulation on Internal Organization, the foreseen number of employees is 45, although at the moment 23 civil servants and employees are employed.

It is important to mention that nine of those 23 persons work as Inspection Advisers dealing with data protection, one person works as a Senior Associate for Complaints, two IT staff are responsible for the Central registry and informatics, and one person is responsible for international cooperation.


Financial sources

The Agency is financed by funds from the Budget of the Institutions of Bosnia and Herzegovina and international obligations of Bosnia and Herzegovina. (Article 36)


Decision making

The Agency issues a decision. It is not allowed to appeal against the Agency’s decision, but it is possible to initiate administrative dispute proceedings before the Court of Bosnia and Herzegovina. (Article 30)

So far, 8 disputes have been initiated, and in 3 cases the Agency’s decision has been confirmed.


Recent changes, amendments


National legislation

The Draft Law amending the Law on the personal data protection has been referred to parliamentary procedure for adoption. The suggested amendments are aimed at further strengthening the independence of the Agency.

According to the amendments to the existing Law on the personal data protection, the Director and his deputy would be appointed by the Parliamentary Assembly of Bosnia and Herzegovina, unlike previous solutions.

According to positive legislation, the Agency is headed by the Agency Director, who is responsible for his work and the work of the Agency to the Council of Ministers, which is the body responsible for appointing him for a period of four years with the possibility of reappointment.

At the same time, reporting of the Agency would be simplified, since there would be only an annual Report on personal data protection prepared for the Parliament and no more regular reporting on the functioning of the Agency to the Council of Ministers.


Functioning

The Agency is an independent administrative organization established for the purpose of ensuring personal data protection and is headed by its Director. (Article 35)

The Agency is divided into three organizational units, with 23 civil servants and employees, managed by Assistant Directors:

Department for the inspection, complaints, and Central registry

Department for the international cooperation and public relations

Administrative department


Future challenges


Central registry (establishing, controllers, data collection)

The Central registry was established in 2010, thus fulfilling the legal obligation. Twenty-seven controllers submitted to the Agency their records on personal data collections, of which seventeen public bodies made their first reporting on personal data collections, and eleven legal persons delivered their notifications on the intended establishment of personal data collections.

On the basis of the delivered notifications on the intended establishment of personal data collections and the first reporting on personal data collections, eighteen controllers processing data in eighty-three personal data collections were registered. Five personal data collections that the Personal Data Protection Agency in Bosnia and Herzegovina keeps within its competence were registered by the Agency.


Web contact

In order to collect data for the Central registry, a call to controllers was published on the official website. In addition, instructions for interested persons on how to ask for help or make complaints were posted (help desk).


Provisions of the Law


Article 18 of the Law

(1) Personal data shall not be transferred from Bosnia and Herzegovina to a controller or processor abroad, regardless of data medium or the manner of transfer, unless the requirements specified in Article 4 hereof have been fulfilled in the receiving country and provided that the foreign controller shall comply with equal data protection principles for all data.

(2) Exceptionally, the personal data may be transferred abroad if the data subject has consented to the transfer, where it is required for the purpose of fulfilling the contract or legal claim and when it is required for the protection of public interest.


Other legally binding instruments

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and Additional Protocol

EU Directives


Some of the questions regarding transfer of personal data abroad


1. Exchange of e-data and databases within corporations

The PDPA in BiH received a request for an opinion: in accordance with Article 18 of the Law, are there obstacles to the exchange of business e-data and databases within corporations whose seat is in third countries? The e-data would be used for reporting purposes only.

The PDPA in BaH suggested that Binding Corporate Rules be adopted within the sectors and that, in preparing the rules, representatives of the sectors consult with the Agency.


2. Transborder flow of genetic data (DNA)

The PDPA in BaH received the following questions:

Could courts and prosecutors' offices in BaH order expertise of DNA samples by medical faculties or labs in other countries, and could an employee of such a faculty or lab take samples?

Is it necessary that the BaH Ministry of Justice in such cases process it as international legal assistance?

Is DNA personal data?


Recommendation No. R (97) 5 of the CoE on the protection of medical data states that the transborder flow of medical data is possible to a state that has ratified Convention ETS No. 108 and that has legislation providing at least equivalent protection of medical data. Transborder flow of medical data to states that do not have the equivalent protection laid down in the Convention may not occur unless:

Necessary measures, including those of a contractual nature, have been taken, and the data subject has the possibility to object to the transfer, or

The subject has given his consent.


Since June 30th 2010, the Law on application of DNA analyses in judicial procedures has been applied in BaH. Article 18 states that DNA samples and profiles may be accessible to DNA labs and, in criminal proceedings, to courts, the prosecutor, the defendant and his lawyer, and members of the police by written order of the prosecutor in charge, for the purpose of identifying the perpetrator of a criminal act and declaring a missing person dead in out-of-court proceedings, and to the court and police for the identification of unknown corpses.

Article 19 gives access only to the person in charge of processing and keeping DNA samples.


Opinion

The opinion has been given after analysis of the above-mentioned international and domestic legislation and of the international agreements regarding legal assistance in civil and criminal matters that BaH has signed. According to them, legal assistance, among other things, refers to expertise.

Finally, it is possible and acceptable in accordance with the law to have transborder flow of DNA data (samples or e-data) to an authorised institution or lab, based on a written order issued by a domestic court according to positive legislation or international instruments ratified by BaH, when it is necessary for uninterrupted legal proceedings.


3. Legal assistance

The law on legal assistance in criminal matters, in Art. 13, defines the general scope of legal assistance, such as: delivery of summons to a suspect, accused, witness, expert, detainee or other participant in the criminal proceedings; delivery of materials and writs; temporary exclusion of objects; surveillance; exchange of data and information; and other activities not contrary to this Law for which international legal assistance could be requested.


Opinion

The case concerned the delivery of personal data (the address of an individual in BaH) to the main customs service of one of the European states in order to fight customs crime according to their act No...

Since both states have signed and ratified Convention 108, the basic principles applied to the protection of personal data are the same. Accordingly, there is a basis for mutual administrative assistance in customs-related activities between the two states according to the temporary trade agreement between EC and BaH, and the personal data could be transferred abroad.


Requests of the Embassies sent via the Ministry of Foreign Affairs

The majority of the inquiries sent through the Embassies and via the Ministry of Foreign Affairs relate to personal data of domestic citizens requested by foreign police or social services centres.

It is our opinion that domestic institutions and bodies may deliver such data to the Embassies if the conditions stipulated in Article 17 of the Law on Personal Data Protection have been fulfilled in that state or there is another legally binding document (e.g. an international agreement) that guarantees an equal level of protection.
