Pursuant to Article IV.4.a) of the Constitution of Bosnia and Herzegovina, the Parliamentary Assembly of Bosnia and Herzegovina, at the 79th session of the House of Representatives, held on May 17, 2006, and at the 58th session of the House of Peoples, held on May 23, 2005, adopted
THE LAW
ON PERSONAL DATA PROTECTION
CHAPTER I. GENERAL PROVISIONS
Article 1
(Subject of the Law)
(1) The aim of this Law is to ensure, on the territory of Bosnia and Herzegovina, the protection of the human rights and fundamental freedoms of all persons, regardless of their nationality or residence, and in particular the right to secrecy with regard to the processing of personal data relating to them.
(2) This Law establishes the Agency for Personal Data Protection in Bosnia and Herzegovina (hereinafter: the Agency) and determines its competence, organization and management, as well as other issues relevant to its operation and lawful functioning.
Article 2
(Scope of application of the Law)
(1) This Law shall apply to personal data processed by all public bodies and natural and legal persons, unless otherwise provided by another law.
(2) This Law shall not apply to personal data processed by natural persons exclusively for private purposes.
(3) This Law shall not apply to the accidental collection of personal data, unless such data are processed further.
Article 3
(Definitions)
Certain terms used in this Law have the following meanings:
• personal data means any information relating to a natural person whose identity has been established or can be established;
• data subject is a natural person whose identity can be established or identified, directly or indirectly, in particular by reference to a unique identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
• special categories of data are all personal data that reveal:
a) racial origin, nationality, national or ethnic origin, political opinion or party affiliation, or trade union membership, religious, philosophical or other belief, health condition, genetic code, sex life;
b) criminal convictions;
c) biometric data;
• a collection of personal data is any systematic set of personal data that is accessible according to specific criteria, whether centralized, decentralized or organized on a functional or geographical basis, or arranged according to specific criteria relating to a person that allow unhindered access to the personal data in a dossier;
• processing of personal data means any action or set of actions performed on data, whether automatic or not, and in particular collection, entry, organizing, storing, processing or modifying, retrieval, consultation, use, transmission, dissemination or otherwise making the data available, sorting or combining, blocking, deleting or destroying;
• anonymous data are data that, in their original form or after processing, cannot be linked to the data subject so as to identify him;
• data access is any action that allows the user to view data without the right to use those data for other purposes at a later date;
• controller is any public body, natural or legal person, agency or other body that, independently or together with others, processes personal data and determines the purpose and manner of their processing on the basis of laws or regulations;
• processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
• user is a natural or legal person, public authority, agency or other body to which access to personal data is provided, or to which personal data may be made available for use;
• consent of the data subject is any concrete and conscious indication of the wishes of the data subject, given of his own free will, by which the data subject agrees to the processing of his personal data.

CHAPTER II BASIC PRINCIPLES OF LEGAL PROCESSING OF PERSONAL DATA
Article 4
(Principles of personal data processing)
The controller is obliged to:
a) process personal data in a fair and lawful manner;
b) not process personal data collected for specific, explicit and lawful purposes in any manner inconsistent with that purpose;
c) process personal data only to the extent and scope necessary to fulfill a specific purpose;
d) process only authentic and accurate personal data, and update them when necessary;
e) delete or correct personal data that are inaccurate or incomplete, having regard to the purpose for which they were collected or are further processed;
f) process personal data only for the period of time necessary to fulfill the purpose for which the data were collected;
g) keep personal data in a form that allows the identification of the data subject for no longer than is necessary for the purpose for which the data are collected or further processed;
h) ensure that personal data collected for different purposes are not aggregated or combined.
Article 5
(Consent of the data subject)
(1) The controller may process personal data with the consent of the data subject.
(2) The consent must be given in writing and signed by the data subject; it must accurately indicate the data to which the consent relates, and must contain the name of the controller and the purpose and period for which the consent is given.
(3) The consent may be withdrawn at any time, unless the data subject and the controller have explicitly agreed otherwise.
(4) The controller shall, at the request of the competent authority, be able at all times to prove that consent exists for the period of personal data processing.
(5) The controller is obliged to keep the consent for the duration of the processing of the personal data to which it relates.
Article 6
(The right to process personal data without the consent of the data subject)
The controller may process data without the consent of the data subject if one of the following conditions is fulfilled:
a) if it processes personal data in accordance with the law, or the processing is necessary in order to fulfill competencies established by law;
b) if it is necessary for the data subject to enter into negotiations on a contractual relationship, or to fulfill obligations agreed with the controller;
c) if it is necessary to protect the interests of the data subject, in which case the consent of the data subject must be obtained without delay, or the processing must be terminated and the collected data destroyed;
d) if the processing of personal data is necessary for the fulfillment of a task performed in the public interest;
e) if it is necessary to protect the legal rights and interests exercised by the controller or the user, and if such processing of personal data is not in conflict with the right of the data subject to the protection of his private and personal life;
f) if it is necessary for the execution of the legitimate activities of political parties, movements, citizens' associations, trade unions and religious communities.
Article 7


(Data authenticity)
(1) The controller is obliged to check whether the personal data are authentic and accurate.
(2) If incomplete or inaccurate personal data cannot be corrected or supplemented, taking into account the purpose for which they are collected or further processed, the controller must destroy them without delay.
Article 8
(Merging records)
(1) A controller who processes personal data on the basis of a special law is obliged to respect the right of the data subject to the protection of his private and personal life.
(2) Personal data may not be transferred, and files and records may not be merged (merged, combined or otherwise linked), if the obligations set out in paragraph (1) of this Article have not been complied with.
(3) The merging of records and files under paragraph (2) of this Article may be done only if the processing of personal data is performed by the same controller.
Article 9
(Processing of special categories of personal data)
(1) The processing of special categories of personal data is prohibited.
(2) Notwithstanding the provision of paragraph (1) of this Article, the processing of special categories of personal data is allowed if:
a) the data subject has explicitly given his consent;
b) the processing is necessary to protect the life, health, property or other vital interests of the data subject or of another person whose consent cannot be obtained, especially when the person is physically, mentally or legally incapable, or is considered missing, or for other similar reasons;
c) the processing is necessary for the performance of obligations or specific rights of the controller in the field of labor law, to the extent authorized by law;
d) the processing is performed for the purposes of preventive medicine, medical diagnostics, or the provision and management of medical services, if such data are processed by a medical professional who is bound to professional secrecy under the law or the code of the competent professional body, or by other persons who are also bound by an obligation of secrecy;
e) the processing is performed within the legitimate activities of an institution, foundation, association or other non-profit organization with political, philosophical, religious or trade union aims, provided that the processing relates exclusively to members of those bodies or to persons who are in regular contact with them in connection with their aims, and provided that the data are not disclosed to a third party without the consent of the data subject;
f) the processing relates to data that have been clearly made public by the data subject, or the processing is necessary to initiate, enforce or defend legal claims;
g) it is in the special public interest or in other cases prescribed by law. In such cases, the law must contain specific provisions on adequate protection mechanisms.
Article 10
(Automatic processing of a special category of personal data)
Special categories of personal data may not be processed automatically unless adequate protection is provided by law.
Article 11
(Data security)
(1) The controller and, within their competence, the processor shall take care of data security, and shall take all technical and organizational measures and establish rules of procedure that are necessary for the implementation of this Law and other regulations relating to data protection and secrecy.
(2) The controller and the processor are obliged to take measures against unauthorized or accidental access to personal data, alteration, destruction or loss of data, unauthorized transfer and other forms of unlawful data processing, as well as measures against the misuse of personal data. This obligation remains in force even after the completion of data processing.
(3) A public body acting as controller is obliged, within its competencies, to issue a regulation for the purpose of implementing this Law.
(4) The controller and, within their competence, the processor are obliged to draw up a data security plan that determines the technical and organizational measures for the security of personal data.
(5) The Council of Ministers of Bosnia and Herzegovina (hereinafter: the Council of Ministers), after obtaining the opinion of the Agency, shall prescribe the manner of storage and special technical protection measures.
Article 12
(Data processing via processors)
(1) If the processing of personal data through a processor is not excluded by law, the controller may conclude a contract with the processor on the processing of personal data, which must be made in written form.
(2) The contract shall state the scope, purpose and term for which it is concluded, as well as adequate guarantees by the processor regarding the technical and organizational protection of personal data.
(3) The processing of data through the processor must be regulated by a contract that binds the processor to the controller and that stipulates, in particular, that the processor will act only on the instructions of the controller, in accordance with the provisions of this Law.
(4) The processor is responsible for processing personal data according to the instructions of the controller. In the performance of his duties, the processor may not transfer his liability to other processors unless he obtains the explicit consent of the controller to do so.
Article 13
(Collection of personal data)
The controller of a personal data collection shall establish and keep records for each personal data collection containing basic information about the collection, in particular the following:
a) the name of the collection;
b) the name, surname and address of the controller and processor, the actual place of data processing (including technical processing), as well as other activities of the processor related to personal data processing;
c) the purpose of data processing;
d) the legal basis for processing;
e) the type of data being processed;
f) the categories of data subjects;
g) the source of the data and the method of collection;
h) the type of data transferred, the recipients of such data and the legal basis for the transfer;
i) deadlines for deleting certain types of data;
j) the transfer of data from abroad and the export of data from Bosnia and Herzegovina, with an indication of the state or international organization and the foreign user of the personal data, and the purpose of that import or export as prescribed by an international agreement, law or other regulation, or with the written consent of the person to whom the data relate;
k) an indication of the measures taken to protect personal data.
Article 14
(Main Register)
(1) The controller of a personal data collection shall submit to the Agency the data from the records referred to in Article 13, which the Agency shall consolidate in the Main Register.
(2) Controllers of personal data collections shall, before establishing a personal data collection and before undertaking any processing activities, submit to the Agency a request regarding the intended establishment of the collection, together with the data referred to in Article 13.
(3) The Agency shall check the data processing activities after receiving the controller's request for personal data processing. Data processing operations may begin only when the Agency approves the processing or after the expiration of two months from the day on which the Agency received the request.
(4) The obligation of prior notification does not apply to the establishment of a personal data collection in cases where the law determines the purpose of processing, the data or categories of data being processed, the categories of data subjects, the users or categories of users to whom the data will be disclosed, and the period for which the data will be stored.
(5) In the case referred to in paragraph (3) of this Article, the controller of the personal data collection shall be obliged to submit to the Agency information on the establishment of the collection, as well as on changes in the data on the collection, no later than 14 days from the date of establishment of the collection or of the change in the data.
(6) Data from the Main Register shall be available to the public.
(7) The Agency shall publish the records from the Main Register.
Article 15
(Record keeping)
The manner of keeping the records referred to in Article 13 of this Law and the form of the records, as well as exceptions from the obligation to report certain collections under Article 14, shall be prescribed by the Council of Ministers, after obtaining the opinion of the Agency.
Article 16
(Obligation to maintain data confidentiality)
(1) Employees of the controller or processor, and other persons who process personal data on the basis of a contract with the controller or processor, may process personal data only under the conditions and to the extent determined by the controller or processor.
(2) Employees of the controller or processor, other natural persons who process personal data on the basis of a contract concluded with the controller or processor, and other persons who, in exercising legally prescribed rights and performing duties, come into contact with personal data on the premises of the controller or processor, are obliged to keep the personal data secret and to adhere to the established security procedures.
(3) Personal data concerning employees that are processed by the controller or processor shall be an official secret.
(4) The obligation to keep personal data confidential shall remain in force even after the termination of the employment relationship or of the specific task.
(5) Exemption from the obligation to keep personal data confidential may be prescribed only by law.


Article 17
(Providing personal data to the user)
(1) The controller may not provide personal data to a user before notifying the data subject. If the data subject does not approve the provision of his personal data, they may not be disclosed to a third party unless this is in the public interest.
(2) The controller is authorized to provide personal data for use to other users on the basis of a written request of the user, if this is necessary for the performance of activities within the user's legally established competencies or for the realization of the user's legitimate interests.
(3) The written request must state the purpose and legal basis for the use of the personal data, and the types of personal data requested.
(4) It is prohibited to provide personal data for use to other users whose processing or use of the data is not authorized under the provisions of Articles 5 and 6 of this Law, or where the purpose for which the personal data are requested is contrary to the provisions of Article 4 of this Law.
(5) The controller shall keep special records on the personal data provided for use, the user of the personal data, and the purpose for which the personal data are provided.
(6) The data subject may not exercise the right to block or destroy personal data if the controller has an obligation to process the data under a special law, or if doing so would violate the rights of third parties.
Article 18
(Data transfer abroad)
(1) Personal data shall not be transferred from Bosnia and Herzegovina to a controller or processor abroad, regardless of the data medium or mode of transmission, unless the conditions set out in Article 4 of this Law are met in the country to which the data are transferred and the controller respects the same data protection principles for all data.
(2) Exceptionally, personal data may be transferred abroad if the data subject has given consent, when this is necessary for the performance of a contract or a legal claim, and when it is necessary to protect the public interest.
Article 19
(Processing of personal data in the media)
(1) Processing of personal data for journalistic purposes and for the purposes of artistic and literary expression shall be performed in accordance with special regulations and codes of conduct.
(2) The provisions of this Law do not apply to the processing of personal data for the purposes stated in paragraph (1) of this Article, except for the provisions on security and confidentiality and on liability for damage.


Article 20
(Data processing for statistical, archival and scientific purposes)
(1) After the expiration of the period necessary to fulfill the purpose for which the data were collected, the data may be processed only for statistical, archival and scientific purposes. Data collected and stored for these purposes shall not be used for other purposes.
(2) Personal data may be processed for statistical, archival and scientific purposes without the consent of the data subject. As soon as the processing of the data for these purposes is completed, the data must be made anonymous.
(3) When personal data are used for these purposes, the right of the data subject to the protection of his privacy and personal life must be respected.
Article 21
(Publication of personal data in research institutes)
An organization or person who processes data for scientific research purposes may publish information obtained from personal data if it obtains the written consent of the data subject.
CHAPTER III RIGHTS OF THE DATA SUBJECT
Article 22
(Notification of data collection)
The controller shall inform the data subject, before the start of data collection, unless he has already been informed, of the following:
a) the purpose of the processing,
b) the controller, the receiving authority or the third party to whom the data will be made available,
c) any legal obligation to submit data for processing,
d) the consequences if the data subject refuses to do so,
e) the cases in which the data subject has the right to refuse to submit personal data,
f) whether the provision of personal data is voluntary,
g) the existence of the right of access to, and the right to rectify, the data relating to him.
Article 23
(Source of personal data)
If the controller has not obtained the personal data from the data subject, he is obliged to inform the data subject without delay about the third party who submitted the personal data to the controller.


Article 24
(Right of access to personal data)
(1) The controller shall inform the data subject about the processing of his data performed by the controller or processor, the purpose of the processing, the legal basis and duration of the processing, whether the data were obtained from the data subject or from a third party, the right of access to personal data, and who has received or will receive the data and for what purpose.
(2) The controller is not obliged to give notification of the processing of personal data if:
a) he processes personal data exclusively for statistical, scientific research or archival purposes;
b) the obligation of the controller to process the data arises from the law, or such data are necessary for the exercise of rights and obligations prescribed by law;
c) the law stipulates that the controller has no obligation to provide notification;
d) he exclusively processes published personal data;
e) he processes personal data with the consent of the data subject, in accordance with Article 5 of this Law.
Article 25
(Method of submitting information)
(1) Unless otherwise provided by law, the controller is obliged, on the basis of a written request of the data subject, to provide the data subject, once a year and free of charge, with information regarding the processing of his personal data.
(2) Otherwise, this information shall be provided at any time, for an appropriate fee not exceeding the cost of providing the information.
(3) The controller is obliged to submit this information in a written and understandable form within 30 days from the date of submission of the request.
Article 26
(Rejection of the request)
(1) The controller may not refuse to provide information to the data subject except in cases provided by law.
(2) The controller shall state the reason for which a request for information was rejected.
(3) The controller shall submit to the Agency an annual report on rejected requests of data subjects.


Article 27
(Corrections and deletion of data)
The data subject, and all other persons to whom the data were transferred for the purpose of processing, shall be notified of all updates and deletions of data. Such notification may be denied, having regard to the purpose of processing, provided that this does not undermine a legitimate interest of the data subject.
Article 28
(Determining exceptions in rights)
(1) The controller is not obliged to provide information on the processing of personal data, or to enable access to personal data, if this could cause significant damage to the legitimate interests of the following categories in Bosnia and Herzegovina:
a) state security;
b) defense;
c) public safety;
d) the prevention, investigation and detection of criminal offenses and the prosecution of perpetrators, and breaches of the ethical rules of a profession;
e) economic and financial interests, including monetary, budgetary and tax matters;
f) inspection and other control duties;
g) the protection of the data subject or of the rights and freedoms of others.
(2) Such restrictions are allowed only to the extent necessary in a democratic society for one of the above purposes.
Article 29
(Decision making based on automatic data processing)
(1) The controller may not make a decision that produces legal effects concerning the data subject, or that can significantly affect him, and whose aim is to assess certain personal characteristics of the data subject, where that decision is based exclusively on the automatic processing of personal data.
(2) Notwithstanding the provision of paragraph (1) of this Article, a decision made solely on the basis of automatic data processing produces legal effect for the data subject:
a) if it was adopted in the procedure of concluding or executing a contract, provided that the request of the data subject is met, or that there are appropriate measures to protect his legitimate interests;
b) if the controller is authorized to make such a decision by a law which also determines measures to protect the legitimate interests of the data subject.


Article 30
(Filing a complaint)
(1) When the data subject establishes or suspects that the controller or processor has violated his right, or that there is a direct danger of such a violation, he may file a complaint with the Agency in order to protect his rights and request that:
a) the controller or processor refrain from such actions and correct the facts caused by them;
b) the controller or processor document or supplement the personal data so that they are authentic and correct;
c) the personal data be blocked or destroyed.
(2) The Agency shall issue a decision on the request of the data subject referred to in paragraph (1) of this Article and deliver it to the complainant and the controller.
(3) No appeal is allowed against the decision of the Agency, but an administrative dispute may be initiated before the Court of Bosnia and Herzegovina.
(4) When deciding on the complaint, the Agency shall act in accordance with the provisions of the Law on Administrative Procedure.
Article 31
(Release from liability)
(1) The Agency may release the controller from liability if he proves that he could not prevent the violation of the rights of the data subject caused by a person working on the processing of personal data.
(2) The data subject may, in addition, request the controller or processor to cease the irregularities, correct the unlawfully caused factual situation, and correct, supplement, block or destroy the personal data.
Article 32
(Liability for damage)
(1) The controller is obliged to compensate the data subject for material or non-material damage inflicted on him due to a violation of the right to privacy.
(2) In disputes for compensation of damage, the data subject shall file a lawsuit with the competent court in whose territory he has his domicile or residence, or with the competent court in whose territory the controller has its seat.
(3) The amount of monetary compensation for material damage shall be determined by the competent court, unless the parties agree on the amount of compensation before the court.
(4) Non-pecuniary damage shall be compensated by a public apology and by payment of fair monetary compensation.
(5) The controller shall also be liable for a violation of the rights of the data subject prescribed by this Law that was caused by the processor.
Article 33
(Exemption from liability for damage)
(1) The controller may be released from liability for damage, in whole or in part, if he proves that he is not responsible for the event that led to the damage.
(2) Compensation shall not be paid for damage caused by the injured party intentionally or through gross negligence.
CHAPTER IV DATA PROTECTION AUTHORITY
Article 34
(Scope of prescribing)
On all issues of organization and management, and other issues important for the functioning of the Agency as an administrative organization, such as the adoption of regulations on internal organization and other bylaws, administrative supervision, the relationship with the institutions of Bosnia and Herzegovina, and the relationship of the Agency towards legal and natural persons, to the extent not prescribed by this Law, the Law on Ministries and Other Administrative Bodies of Bosnia and Herzegovina and the Law on Administration shall apply.
Article 35
(Agency definition)
The Agency is an independent administrative organization, headed by a director, established to ensure the protection of personal data.
Article 36
(Financing)
The funds needed to finance the work of the Agency shall be provided from the budget of the institutions of Bosnia and Herzegovina and international obligations of Bosnia and Herzegovina.
Article 37
(Establishment of the Agency)
(1) The seat of the Agency is in Sarajevo.
(2) The Agency may have departments and other organizational units, which shall be established by the rulebook on internal organization.


Article 38
(Employment relations in the Agency)
(1) Employees of the Agency are civil servants and employees.
(2) The employment relations of civil servants working in the Agency shall be regulated by the Law on Civil Service in the Institutions of Bosnia and Herzegovina.
(3) The labor relations of employees in the Agency shall be regulated by the Law on Work in the Institutions of Bosnia and Herzegovina.
(4) The positions held by civil servants and other employees shall be regulated by the rulebook on internal organization.
Article 39
(National representation)
The structure of civil servants and employees in the Agency shall generally reflect the national structure of the population of BiH according to the 1991 census.
Article 40
(Competencies and affairs of the Agency)
(1) The tasks within the competence of the Agency are:
a) monitoring the implementation of the provisions of this Law and other laws on personal data processing;
b) acting on complaints submitted by data subjects;
c) submitting an annual report on personal data protection to the Parliamentary Assembly of Bosnia and Herzegovina;
d) monitoring the conditions for personal data protection by submitting proposals for the adoption or amendment of laws relating to the processing of personal data, giving opinions on proposals of such laws, and ensuring that the data protection criteria arising from international agreements binding on Bosnia and Herzegovina are met.
(2) The Agency is authorized to:
a) supervise, through inspection, the fulfillment of the obligations prescribed by this Law;
b) keep the Main Register;
c) receive remarks and complaints of citizens relating to violations of this Law;
d) adopt implementing regulations, guidelines or other legal acts, in accordance with the Law;
e) order the blocking, deletion or destruction of data, or a temporary or permanent ban on processing, and warn or admonish the controller;
f) submit a request for the initiation of misdemeanor proceedings in accordance with this Law;
g) provide advice and opinions regarding the protection of personal data;
h) cooperate with similar bodies in other states;
i) perform other duties prescribed by law;
j) supervise the export of personal data from Bosnia and Herzegovina.
Article 41
(Control performed by the Agency)
(1) When it finds that a processing of personal data is unlawful, the Agency shall request the controller to discontinue such processing and shall order other measures. The controller shall take the ordered measures without delay and inform the Agency in writing within 15 days.
(2) In performing its duties, the Agency may request the controller or data processor to provide it with information on any matter, and may inspect any document and record that may contain personal data.
(3) The Agency has the right to enter all premises where data processing is performed. Entry into and inspection of property and premises of data controllers that are not prescribed by law may be performed only during working hours.
(4) State and official secrets shall not be an obstacle for the Agency in exercising its rights
referred to in this Article, but the provisions on secrecy are also binding on the Agency.
(5) Public authorities are obliged, at the Agency's request, to provide support for the performance of its duties.
Article 42
(Management - director)
(1) The Agency shall be managed by the Director of the Agency (hereinafter: the Director).
(2) The Director shall be accountable to the Council of Ministers for his own work and for the work of the Agency.
Article 43
(Appointment of a director)
(1) The Director shall be appointed by the Council of Ministers in accordance with the Law on Ministerial and Other Government Appointments in Bosnia and Herzegovina.
(2) The Director shall be appointed for a term of four years, with the possibility of reappointment.
Article 44
(Special conditions for the appointment of the director)
In addition to the conditions set out in the Law on Ministerial Appointments, a candidate for Director must have:
a) education of a law graduate;
b) five years of work experience in management in the administration;
c) proven experience in the field of respect for human rights;
d) recognized high moral status.
Article 45
(Conditions for dismissal of the director)
The Council of Ministers may dismiss the Director before the expiration of his term of office:
a) at his request;
b) if he is permanently unable to perform his duties;
c) if the illegal work of the Agency is established;
d) if the final decision determines his disciplinary responsibility;
e) if he has been sentenced to imprisonment for a criminal offense.
Article 46
(Duties and responsibilities of the director)
(1) The Director:
a) represents the Agency;
b) prepares the annual work plan, according to the guidelines of the Chairman of the Council of Ministers, and the annual budget of the Agency, and proposes them to the Council of Ministers for adoption;
c) manages and directs the tasks within the competence of the Agency;
d) proposes to the competent authority the initiation of negotiations on the conclusion of international agreements on cooperation in matters of personal data protection;
e) continuously analyzes the rational allocation of employees and technical resources.
(2) In addition to the duties and responsibilities referred to in paragraph (1) of this Article, the Director shall perform other tasks, such as:
a) proposing to the Council of Ministers the regulations on internal organization, including the total number of employees and the criteria for filling positions, and other rules and regulations provided by law, in accordance with the Law on Ministries and Other Administrative Bodies of Bosnia and Herzegovina;
b) appointing the heads of organizational units of the Agency;
c) assigning tasks to assistant directors in accordance with the law;
d) deciding on the rights and duties arising from the employment of civil servants and other employees, in accordance with the applicable laws in this area;
e) procuring equipment and other material resources for the needs of the Agency;
f) submitting an annual report on its work to the Council of Ministers and, if necessary or upon request of the Minister, submitting special reports;
g) submitting reports to the Parliamentary Assembly of Bosnia and Herzegovina and the Council of Ministers;
h) performing other duties prescribed by law.
(3) The Director is responsible for the lawful operation of the Agency and for the lawful spending of the funds allocated to the Agency from the budget of the institutions of Bosnia and Herzegovina and from the international obligations of Bosnia and Herzegovina.
Article 47
(Control of the Agency's activities)
The Parliamentary Assembly of Bosnia and Herzegovina may, if necessary, request that a review of the work of the Agency be carried out.
CHAPTER V. PENAL PROVISIONS
Article 48
(1) A fine in the amount of 50,000 KM to 100,000 KM shall be imposed on a controller for a misdemeanor if it:
a) unlawfully processes a special category of personal data (Article 9);
b) transfers personal data abroad where the conditions provided for in Article 5 of this Law are not met in the country to which the data are transferred and the foreign controller does not respect the same data protection principles for all data (Article 18).
(2) For the misdemeanor referred to in paragraph (1) of this Article, the responsible person of the controller shall be fined in the amount of 1,000 KM to 15,000 KM.
(3) For the misdemeanor referred to in paragraph (1) of this Article, the employee of the controller shall be fined in the amount of 500 KM to 10,000 KM.
Article 49
(1) A fine in the amount of 10,000 KM to 100,000 KM shall be imposed on a controller for a misdemeanor if it:
a) processes personal data contrary to Article 4 of this Law;
b) processes personal data without the consent of the data subject (Article 5, paragraph (1));
c) processes personal data without the consent of the data subject where none of the conditions from Article 6 has been fulfilled;
d) does not check whether the personal data processed are authentic and accurate (Article 7, paragraph (1));
e) does not destroy inaccurate and incomplete data without delay (Article 7, paragraph (2));
f) processes personal data on the basis of a special law and does not respect the right to the protection of the private and personal life of the data subject (Article 8, paragraph (1));
g) transfers personal data, i.e. consolidates files and records, without the prescribed conditions being met (Article 8, paragraph (2));
h) automatically processes a special category of personal data without providing the protection envisaged by law (Article 10);
i) does not take the necessary measures and procedures against unauthorized or accidental access, alteration, destruction or loss, unauthorized transfer and other forms of unlawful processing, as well as measures against the misuse of personal data (Article 11, paragraph (2));
j) does not make a data security plan (Article 11, paragraph (4));
k) entrusts the processing of personal data to a processor without concluding a contract with him (Article 12, paragraph (1));
l) as a data processor, transfers his responsibility to another processor without having received explicit instructions from the controller to do so (Article 12, paragraph (4));
m) unlawfully provides personal data to a user (Article 17);
n) uses data collected and stored for statistical, archival and scientific purposes for other purposes (Article 20, paragraph (1));
o) publishes information obtained during the processing of personal data for statistical, archival and scientific purposes without the consent of the data subject (Article 21);
p) does not act upon the request of the Agency to stop the unlawful processing of personal data and does not take the ordered measures (Article 41, paragraph (1));
q) as a controller or processor, fails to provide information at the request of the Agency or denies the Agency access to any document or record that may contain personal data (Article 41, paragraph (2));
r) prevents the employees of the Agency from entering any premises where personal data are processed (Article 41, paragraph (3)).
(2) For the misdemeanor referred to in paragraph (1) of this Article, the responsible person of the controller shall be fined in the amount of 500 KM to 10,000 KM.
(3) For the misdemeanor referred to in paragraph (1) of this Article, the employee of the controller shall be fined in the amount of 300 KM to 5,000 KM.
Article 50
(1) A fine in the amount of 5,000 KM to 50,000 KM shall be imposed on a controller for a misdemeanor if it:
a) processes personal data on the basis of a consent of the data subject that is not given in accordance with Article 5, paragraph (2);
b) cannot prove that consent exists, or does not keep the consent during the processing of the personal data for which the consent has been given (Article 5, paragraphs (4) and (5));
c) entrusts the processing of personal data to a processor without the contract containing the prescribed elements (Article 12, paragraph (2));
d) as a data processor, starts processing on the basis of a contract or legal act that does not bind the processor to the controller (Article 12, paragraph (3));
e) does not establish and keep the prescribed records (Article 13);
f) fails to submit to the Agency the data from the records referred to in Article 13 (Article 14, paragraph (1));
g) establishes a collection of personal data before submitting the request to the Agency (Article 14, paragraph (2));
h) begins the establishment of a collection of personal data without obtaining the consent of the Agency, or before two months have elapsed since the submission of the request to the Agency (Article 14, paragraph (3));
i) fails to submit to the Agency, within 14 days, the data on the establishment of a personal data collection or on entries in established collections (Article 14, paragraph (5));
j) does not keep special records on personal data provided to a user (Article 17, paragraph (5));
k) processes personal data for journalistic purposes or for purposes of artistic and literary expression contrary to the provisions on data security and confidentiality (Article 19, paragraph (2));
l) does not make personal data anonymous after processing for statistical, archival and scientific purposes (Article 20, paragraph (2));
m) does not ensure, when processing data for statistical, archival and scientific purposes, the level of protection prescribed by this Law (Article 20, paragraph (3));
n) does not inform the data subject before the start of data collection, unless the data subject has already been notified (Article 22);
o) fails to notify the data subject of the third party who provided it with personal data (Article 23);
p) does not inform the data subject about the processing of his data (Article 24);
q) on the basis of a written request of the data subject, does not provide once a year, free of charge, information related to the processing of his personal data (Article 25, paragraph (1));
r) does not provide the information in written and understandable form within 30 days from the day of submission of the request (Article 25, paragraph (3));
s) rejects a request for information where this is not provided for by law (Article 26, paragraph (1));
t) does not state the reasons for which the request for information was rejected (Article 26, paragraph (2));
u) fails to submit to the Agency an annual report on rejected requests (Article 26, paragraph (3));
v) makes a decision exclusively on the basis of automatic processing of personal data (Article 29).
(2) For the misdemeanor referred to in paragraph (1) of this Article, the responsible person of the controller shall be fined in the amount of 200 KM to 5,000 KM.
(3) For the misdemeanor referred to in paragraph (1) of this Article, the employee of the controller shall be fined in the amount of 100 KM to 1,000 KM.
Article 51
A fine in the amount of 500 to 5,000 KM shall be imposed for a misdemeanor on a person who processes personal data contrary to the conditions and scope determined by the controller or processor (Article 16, paragraph (1)).
Article 52
A fine in the amount of 500 KM to 5,000 KM shall be imposed for a misdemeanor on the responsible person in a public body that:
a) fails to enact a regulation for the purpose of implementing this Law (Article 11, paragraph (3));
b) does not provide support to the Agency in the performance of its duties (Article 41, paragraph (5)).
CHAPTER VI. TRANSITIONAL AND FINAL PROVISIONS
Article 53
(Adoption of bylaws)
(1) The Council of Ministers shall adopt the regulations referred to in Articles 11 and 15 of this Law within six months from the day of entry into force of this Law.
(2) The Council of Ministers may also adopt other regulations necessary for the implementation of this Law.
Article 54
(Procedure for access to information of public interest)
The provisions of this Law shall be taken into account in the application of the Law on Freedom of Access to Information.
Article 55
(Measures in the transition period)
(1) A controller who processed personal data before the day this Law enters into force, and who is subject to the obligation referred to in Article 15, shall fulfill that obligation no later than six months from the date of entry into force of this Law.
(2) The processing of personal data performed before the entry into force of this Law shall be harmonized
with this law until December 31, 2006.
Article 56
(Appointments)
(1) The Agency shall start working on the basis of a special decision of the Council of Ministers, but not before 1 January 2006.
(2) Until the appointment of the Director is completed, the Commission for Personal Data Protection, appointed in accordance with the Law on Personal Data Protection ("Official Gazette of BiH", No. 32/01), shall continue to operate in accordance with this Law.
Article 57
(Termination of the previous law)
(1) On the day this Act enters into force, the Personal Data Protection Act shall cease to be valid
("Official Gazette of BiH", No. 32/01).
(2) Regulations adopted on the basis of the Law on Personal Data Protection ("Official Gazette of BiH", No. 32/01) shall be applied until the enactment of regulations based on this Law.
Article 58
(Entry into force)
This Law shall enter into force on the eighth day from the day of its publication in the "Official Gazette of BiH".

PSBiH No. 308/06
May 23, 2006
Sarajevo

Chairman
House of Representatives
Parliamentary Assembly of BiH
Martin Raguž, s.r.

Chairman
House of Peoples
Parliamentary Assembly of BiH
Mustafa Pamuk, s.r.
