Transcript PERSONAL DATA PROTECTION AGENCY IN BOSNIA AND HERZEGOVINA

Personal data protection and cross-border international
cooperation
PRESENTATION
Basic information
 The Personal Data Protection Agency in Bosnia
and Herzegovina (hereinafter referred to as: the
Agency) was established by the Law on the
Protection of Personal Data (“Official Gazette of
BaH”, No.: 49/06).
 The Agency is placed in Sarajevo and started its
work in 2008.
(1)
Competencies of the Agency:
 To supervise the implementation of this Law and other
laws on personal data processing;
 To act on data subject’s complaints;
 To submit to the Parliamentary Assembly of Bosnia and
Herzegovina annual reports on personal data protection;
 To follow the personal data protection requirements by
giving proposals as to enacting or amending legislation
governing the data processing, give opinions on the
proposed laws and take care of fulfillment of the criteria
relevant to data protection originating from international
treaties that are binding for Bosnia and Herzegovina.
(Article 40)
(2) The Agency is authorized to:
 Perform supervision, through inspection, over fulfillment of obligations









stipulated by this law;
Keep the Central Registry;
Accept incentives and complaints of citizens concerning breaches of this
Law;
Adopt implementing regulations, guidelines or other legal documents in
line with the Law;
Order blocking, erasing or destroying of data, temporarily or permanent
ban of processing, issue warning or reprimand to the controller;
File a request for filing the misdemeanor proceedings pursuant to this
Law;
Provide advice and opinions in the area of personal data protection;
Co-operate with similar authorities in other countries;
Exercise other duties as foreseen by law;
Supervise the transfer of the personal data out from Bosnia and
Herzegovina.
 So far, 65 inspections have been made (39 regular, 21
revisions, 5 extraordinary), 20 meetings with the
representatives of controllers were held for
implementation of ordered measures, also 48
objections and 139 opinions were processed.
 More important, all conditions for issuing penalties
regarding breaches of the Law are fulfilled.
Employees
 The Agency’s staff is civil servants and employees. The
employment relations of the civil servants working in the Agency
are regulated by the Law on Civil Service in the Institutions of
Bosnia and Herzegovina, while the employment relations of the
employees are regulated by the Labor Law for Institutions of
Bosnia and Herzegovina.
 According to the Book of regulation on Internal Organization
the number of foreseen employees is 45, although at the moment
23 civil servants and employees are employed.
 It is important to mention that nine of those 23 persons work as
Inspection Advisers dealing with data protection and one
person as a Senior Associate for Complaints, two ITs are
responsible for the Central registry and informatics, and one
person for the international cooperation.
Financial sources
 Agency is financed by the funds from the Budget of the
Institutions of Bosnia and Herzegovina and
international obligations of Bosnia and Herzegovina.
(Article 36).
Decision making
 The Agency issues a decision.
 It is not allowed to appeal against Agency’s decision,
but it is possible to initiate administrative dispute
proceedings before the Court of Bosnia and
Herzegovina. (Article 30)
 So far 8 disputes have been initiated and in 3 cases
Agency’s decision have been confirmed.
Recent changes, amendmens
National legislation
 The Draft Law amending the Law on the personal data protection is referred to
the parliamentary procedure for adoption. Suggested amendments are aimed
at further strengthening of the independence of the Agency.
 According to the amendments to the existing Law on the personal data
protection Director and his deputy would be appointed by the Parliamentary
Assembly of Bosnia and Herzegovina, unlike previous solutions.
 According to positive legislation the Agency is headed by the Agency Director
who is responsible for his work and the work of the Agency to the Council of
Ministers which is the body responsible for appointing him for a period of four
years with the possibility of reappointment.
 At the same time, reporting of the Agency would be simplified, since there
would be only annual Report on personal data protection prepared for the
Parliament and no more regular reporting on functioning of the Agency for the
Council of Ministers.
Functioning
 The Agency is an independent administrative organization




established for the purpose of ensuring the personal data
protection of and is headed by its Director. (Article 35).
Agency is divided into three organizational units with 23
civil servants and employees and managed by Assistant
directors.
Department for the inspection, complaints, and Central
registry
Department for the international cooperation and public
relations
Administrative department
Future challenges
Central registry (establishing, controllers, data
collection)
 Central registry was established in 2010 and thus fulfilled the
legal obligation. Twenty seven controllers submitted to the
Agency their records on the personal data collection, of which
seventeen public bodies made their first reporting on personal
data collection, and eleven legal persons delivered their
notifications on intended establishment of personal data
collection.
 On the base of delivered notifications on intended
establishment of personal data collection and the first reporting
on personal data collection eighteen controllers dealing with
data processing in eighty three personal data collection were
registered. Five personal data collection were registered by
Personal Data Protection Agency in Bosnia and Herzegovina that
conducts within its competence.
Web contact
 In order to provide data for the Central registry, the
official website referred a call for the controllers.
Besides that, the instruction for interested people on
how they can ask for help or make complaints was
pointed (help desk).
Provisions of the Law
Article 18 of the Law
 (1) Personal data shall not be transferred from Bosnia and
Herzegovina to a controller or processor abroad regardless of
data medium or the manner of transfer unless the requirements
specified in Article 4 hereof have not been fulfilled in the
receiving country and provided that that the foreign controller
shall comply with equal data protection principles for all data.
 (2) Exceptionally, the personal data may be transferred abroad if
the data subject has consented to the transfer, where it is
required for the purpose of fulfilling the contract or legal claim
and when it is required for the protection of public interest.
Other legally binding instruments
 Convention on Protection of Individuals on the
manner to Automatic Processing of Personal Data ETC
(108) and Additional Protocol
 EU Directives
Some of the questions regarding transfer of personal
data abroad
1. exchange of e-data and data
bases within corporations
 PDPA in BiH received request for an opinion in
accordance with Article 18. of the Law are there
obstacles for exchange of business e-data and data
base within corporations whose seat is in third
countries? The e-data would be used for reporting
purposes only.
 The PDPA in BaH suggested that adoption of Binding
corporate rules within the sectors should be done and
that in preparation of the rules representatives of the
sectors should consult with the Agency.
2. Transborder flow of genetic data
(DNA)
 The PDPA in BaH recieved the following questions:
 Could courts and prosecutors offices in BaH order
expertise of DNA semples by medical faculties or labs
in other countries and could an emploee of such
faculty or lab take semples?
 Is it necessary that the BaH Ministry of Justice in such
cases process it as international legal assistence?
 Is DNA personal data?
 Recommendation No.R(97)5 on the protection of medical
data of the CoE states that the transborder flow of medical
data is possible to state that has ratified the Convention 108
ETC and which disposes of legislation which provides at
least equivalent protection of medical data. Transborder
flow of medical data to states that do not have equivalent
protection laid down in convention could not occur
unless:
 Necessary measures, including those of contractual nature
have been taken, and the data subject has the possibility to
object transfer, or
 The subject has given his consent.
 Since June 30th 201o, in BaH the Law on application of DNA
analyses in judicial procedures started. The Article 18.
States that the DNA samples and profiles could be
accessible to DNA labs, and in criminal proceedings to
courts, prosecutor, defendant and his lawyer and members
of police by the written order of the prosecutor in charged
aiming at identification of the perpetrator of criminal act,
declaration of missing person as a dead within the out of
the court proceedings and to court and police for
identification of unknown corps.
 Article 19. is giving access only to person in charged in
processing and keeping of DNA samples.
Opinion
 The opinion has been given after anlyses of the the above
mentioned international and domestic legislation and
international agreements regardin legal assistance in civil
and criminal matters BaH has signed. According to them,
legal assistance, among other, reffers to expertize.
 Finally, it is possible and acceptable in accordance with the
law to have transborder flow of DNA data (samples or edata) to authorised institution or lab, based on written
order issued by domestic court according to positive
legislation or international instruments ratified by BaH
when it is necessary for uninterrupted legal proceedings.
3. Legal assistance
 The law on legal assistance in criminal matters in
Art.13 defines general scope of legal assistance such as:
delivery of summons to suspect, accused, witness,
expert, detainee or other participant within the
criminal proceedings; delivery of materials and writs;
temporary exclusion of objects; surveillance; exchange
of data and information and other activities that are
not opposing this Law which could request
international legal assistance.
Opinion
 The case referred to delivery of personal data (address
of individual in BaH) to one of European states main
customs service in order to fight customs crime
according to their act No...
 Since both the state have signed and ratified
Convention 108, basic principle applied to protection
of personal data are the same. Accordingly, there are
bases for mutual administrative assistance in customs
related activities between two states according to the
temporary trade agreement between EC and BaH and
that personal data could be transferred abroad.
Requests of the Embassies sent via Ministry of foreign
affairs
 Majority of these inquiries that were sent through the
Embassies and via Ministry of Foreign Affairs relate to
personal data of domestic citizens requested by
foreign police or social services centres.
 It is our opinion that domestic institution and bodies
may deliver such data to the Embassies if condition
stipulated within the Article 17. of the Law on Personal
Data Protection have been fulfilled in that state or
there is other legal binding document (e.g.
international agreement) that guarantees equal level
of protection.