The General Data Protection Regulation (GDPR) is a legally binding instrument of the European Union (EU) that replaced the Data Protection Directive (the Directive). The Law on the Protection of Personal Data in Bosnia and Herzegovina (the Law) is not harmonised with the GDPR since the legislator followed the Directive when enacting the law. Certain segments thereon are harmonised because the GDPR retained several provisions of the Directive.
Personal Data Protection Agency (the Agency) is the institution responsible for the implementation of the Law. In addition to the Agency, the Court of BiH also participates in this procedure, providing judicial oversight over the implementation of the Law. Persons who believe that their rights have been violated can also rely on the Constitutional Court of BiH, which has appellate jurisdiction and can assess whether the decisions of state bodies violate the rights of natural and legal persons guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms. Furthermore, relevant actors are also the BiH Ministry of Civil Affairs, the Parliamentary Assembly of BiH, the BiH Council of Ministers and the BiH Ombudsmen Institution.
According to available data, the Agency operates with almost twice less staff than envisaged and with financial resources that do not meet its needs, such as for office premises or travel expenses required for inspection and employee training. Of the current 27 employees, only 7 of them work administrative acts, i.e., only 7 perform the Agency’s core activities.
Laws modelled on the GDPR have been adopted by the Western Balkans countries, as well as countries around the world. Furthermore, many operators in BiH doing business with the EU already apply the GDPR. There is no interest whatsoever for BiH or its citizens to not enact a GDPR-based law based.
The proposal of the Personal Data Protection Law (the Proposal) was drafted by the Agency in 2019. The text of the Proposal, which was available at the time of writing this paper, is largely compliant with the GDPR. According to available information, the process of drafting the final text of the Proposal is led by an interministerial group headed by the Ministry of Civil Affairs. Its development is still underway; therefore, modifications are possible.
Author: Nasir Muftić, lecturer at the Faculty of Law of the University of Sarajevo
This project is financed with the contribution of the Ministry of Foreign Affairs and International Cooperation of the Italian Republic. The content of this document represents the views of its authors and in no way represents the position of the Ministry of Foreign Affairs and International Cooperation.