Personal data today represents the first-class asset, and the same enjoys legal protection in all modern legal systems. The protection of personal data is placed in the context of the exercise of fundamental human rights and freedoms, in particular the right to privacy. In Bosnia and Herzegovina, the protection of personal data is regulated by the Law on Personal Data Protection of BIH.
Numerous legal documents have been adopted at the international level regulating the field of personal data protection. The legislative activity of the European Union bodies is crucially significant, and the same resulted in the adoption of the General Data Protection Regulation – GDPR. The Regulation is being applied both in the Member States of the European Union but also extraterritorially in case the processing activities are closely related to the offering of goods and services to persons in the European Union, as well as in the case of monitoring their behaviour, as long as the behaviour takes place within the Union.
The Regulation was adopted in 2016 but came into force on May 25, 2018. It is significant to note the European Union bodies have decided to regulate this area with a regulation and not with a directive, bearing in mind that the regulation has an immediate impact in the territory of the EU Member States. In this manner, this area is unified at the level of the Union, and the possibility of the existence of different solutions in the Member States of the Union when transposing its provisions into national legislation is prevented.
For Bosnia and Herzegovina, the Regulation possesses a double significance. First of all, on the basis of the Stabilization and Association Agreement, Bosnia and Herzegovina, is committed to harmonize its legislative framework and actions with European Union law. Secondly, as mentioned above, there is a possibility that the provisions of the Regulation will be applied extraterritorially to entities in Bosnia and Herzegovina. Given the high fines under the Regulation in case of personal data processing that does not comply with the prescribed requirements, the issue of extraterritorial application to the BIH entities should not be neglected, regardless of whether the same acts as controller or processor of personal data.
The right to personal data protection in the era of globalisation, modern technical and technological development and digital information and communication technologies, and especially with the development of the internet, is faced with significant challenges. The protection of personal data is considered as protection of intangible assets, i.e., information (data), which is transmitted across state, political and other borders without any obstacles. With the development of the Internet, the dissemination of information containing personal data has become relatively simple while the costs of transmitting information on a global scale are almost non-existent. Therefore, it is often the case that the processing of personal data of a certain data subject takes place in several different countries, and that regulations from different jurisdictions are applied to the processing operations. In addition, the volume of collection and processing of personal data has increased significantly today, especially due to the importance of international trade and cooperation in all areas.
The Law on Personal Data Protection of BiH stipulates that processed personal data may be exported from Bosnia and Herzegovina to another country or given for use to an international organization that applies adequate personal data protection measures prescribed by law. The adequacy of personal data protection measures is assessed on the basis of specific circumstances in which the personal data transfer procedure is carried out, considering the type of personal data, purpose and period of processing, country to which data are transferred, statutory rules in force in the country where the data are transferred, the rules of the profession and the security measures that must be observed in that country. In that manner, the Law provides certain criteria that are considered when assessing the adequacy of protection measures but leaves the possibility to consider other criteria, depending on the circumstances of each case. It is considered that Member States apply adequate personal data protection measures, as they apply the GDPR.
On the other hand, the Law recognizes the possibility of exporting personal data from Bosnia and Herzegovina to another state that does not provide adequate protection measures prescribed by law in cases when:
1) the disclosure of personal data is prescribed by a particular law or an international agreement binding for Bosnia and Herzegovina,
2) prior consent has been obtained from the person whose data are being disclosed and the person has been informed of the possible consequences of disclosing the data,
3) the disclosure of personal data is necessary for the purpose of fulfilling the contract between the data subject and the controller or fulfilling the pre-contractual obligations undertaken at the request of the person whose data are processed,
4) the disclosure of personal data is necessary in order to save the life of the person to whom the data relate or when it is in their vital interest,
5) personal data are taken out of the register or records which, in accordance with the law or other regulations, are available to the public.
Therefore, regardless of the fact that the country to which the data is transferred does not meet the requirement of adequate protection measures, the transfer will be possible on the basis of some overriding interest or obligation. It equally refers to the data that has already entered the public domain, i.e. if data already represent an integral part of the register or record that is certainly available to the public. In these cases, the transfer of personal data from Bosnia and Herzegovina to another country or international organization does not require the consent or approval of the BiH Personal Data Protection Agency, although the country where the data recipient is located does not apply adequate data protection measures.
Exceptionally, the BIH Personal Data Protection Agency may approve the transfer of data from Bosnia and Herzegovina to another country, which does not provide an adequate level of protection when the controller in another country provides sufficient guarantees in terms of data privacy and fundamental rights and freedoms of individuals or provision of similar rights arises from the provisions of a specific contract.
In any case, for the transfer of data from Bosnia and Herzegovina, it is necessary to meet the general preconditions related to the conclusion of a contract on personal data processing between the controller and the processor, which must be made in writing, then data security as well as undertaking all technical and organizational measures and establishing the rules of procedure necessary to enforce data protection and confidentiality regulations.
In addition, the controller and the processor are committed to take measures against unauthorized or accidental access to personal data, alteration, destruction or loss of data, unauthorized transfer, other forms of illegal data processing, measures against misuse of personal data, as well as to make a data security plan which determines technical and organizational data protection measures. All the above obligations refer to the procedures of processing and transfer of personal data in the country, but also to the transfer of personal data abroad.
The EU regulation regulates the transfer of personal data from EU Member States to third countries, whereby the transfer of personal data to a third country or international organization may take place when the European Commission decides that a third country, territory or one or more specific sectors within a third country or the international organization provides an appropriate level of protection, in which case no special approval is required. In that case, it is a transfer based on the so-called Decision on Adequacy.
If the European Commission does not make such a decision, the controller or processor may transfer personal data to a third country or international organization only if the controller or processor has provided appropriate safeguards but also provided that enforceable rights and effective judicial protection are available to data subjects. Then it is a transfer based on the existence of the so-called appropriate safeguards.
The Regulation also provides for derogations in exceptional cases where a Commission decision or appropriate safeguards are not required, such as in case the data subject agrees to the proposed transfer after being informed of the possible risks of the transfer due to the lack of a Decision on Adequacy and appropriate safeguards, if the transfer is necessary for significant reasons of public interest, if the transfer is necessary to set, realize or defend legal claims, etc.
In conclusion, the transfer of data from abroad, as well as vice versa, is a common phenomenon directly related to the development of modern technologies, the global nature of business and the development of international cooperation in all areas. It is clear the transfer of data from one state to another, contributes to de facto losing control over the further use of data and poses a great risk to the rights and freedoms of data subjects. In order to manage this risk and reduce the possibility of violation of the right to personal data protection and the right to privacy of data subjects to the lowest possible level, the legislator regulates the transfer of data abroad and the requirements necessary for personal data to be exported. Compliance with the norms governing the transfer of data abroad is an indispensable part of harmonizing business with regulations on personal data protection, and all entities performing any of the activities of personal data processing should consider these obligations and transfer data abroad only in cases of adequate fulfilment of all requirements stipulated by law.
Author: Igor Letica