The EU General Data Protection Regulation (hereinafter the GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. It regulates data protection and the privacy of natural persons within the European Union and lays down rules for the transfer of personal data to third countries. The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business by harmonising the rules across the Union. The GDPR entered into force in 2016, superseded Directive 95/46/EC and, following a two-year transition period, became directly applicable in all Member States of the European Union on 25 May 2018.
In Bosnia and Herzegovina this field is governed by the Law on Personal Data Protection (“Official Gazette BiH”, 49/06, 76/11 and 89/11 – correction).
Unlike the laws currently applicable in Bosnia and Herzegovina, the GDPR is intended to make data protection more effective by placing risky processing under additional oversight.
By signing the Stabilisation and Association Agreement, Bosnia and Herzegovina has been obliged to ensure that its existing legislation is made compatible with the EU’s acquis (due date 1st June 2021), and this obligation also pertains to the harmonization of the Law on Personal Data Protection with the EU’s new legislation on personal data protection.
Having in mind the stated facts and a broad scope of the General Data Protection Regulation as determined in Article 3, Independent System Operator in Bosnia and Herzegovina (hereinafter NOSBiH) takes care of personal data protection and respects requirements set out in the General Data Protection Regulation and in the applicable laws although giving some preference to the General Data Protection Regulation.
The following text will give you information on the manner in which NOSBiH deals with personal data.
This notice is informative and should be understood as such.
1. Important terms
The Law on Personal Data Protection also defines these terms, but the GDPR provides broader definitions of the terms that matter for privacy.
Personal data, as defined by the Regulation, “means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data is therefore a very broad term. Put simply, it includes a name and surname, identification number, photo, voice, address, phone number or IP address, whenever such data can lead to the direct or indirect identification of a natural person. We emphasise that the data collector, even before collection starts, is obliged to provide the data subject with the following information: the purposes of the collection, its legal basis, the recipients of the data, and the existence of the right to request from the controller access to, rectification or erasure of his or her personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Where processing is based on consent, the consent must be explicit for the data collected and for the specified purposes (Article 7; consent is defined in Article 4). Under Article 7 it is the organisation’s responsibility to demonstrate that the data subject has consented to the processing of his or her personal data. The consent must be freely given.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
In short, the GDPR treats pseudonymisation as processing after which the personal data can no longer be attributed to a specific data subject without the use of additional information. Encryption is a related measure: it renders the personal data unintelligible to anyone who is not authorised to access it and does not hold the decryption key. The GDPR requires that such additional information (for example the decryption key) be kept separately from the personal data that have undergone pseudonymisation.
Another approach is tokenisation, a non-mathematical approach to protecting data at rest that replaces sensitive data with non-sensitive substitutes, referred to as tokens. The tokens have no extrinsic or exploitable meaning or value as data. They do not alter the type or length of the data, so the data can still be processed by legacy systems, such as databases, that are sensitive to data length and type. This approach also requires far fewer computational resources and less database storage than conventionally encrypted data, because certain data remain partially or completely visible for processing and analytics while the sensitive data are hidden.
Pseudonymisation is recommended to reduce the risks to the concerned data subjects and also to help controllers and processors to meet their data protection obligations (Recital 28).
Although the GDPR encourages pseudonymisation as a way of reducing the risks to the data subjects concerned, data that have undergone pseudonymisation are still considered personal data (Recital 28) and remain subject to the GDPR.
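To make the distinction concrete, the following added example (written for this notice, not NOSBiH's own code) pseudonymises a constructed record in the two ways described above: a keyed hash for a stable pseudonym, and type- and length-preserving tokens, with the key and token mapping held in a separate "vault" object that stands in for the separately stored additional information.

```python
import hmac
import hashlib
import secrets
import string

# Constructed sample record; the values are invented, not real personal data.
SAMPLE_RECORD = {"name": "Ana Example", "id_number": "1234567890123", "phone": "+38733123456"}


class SeparateVault:
    """Holds the 'additional information': the pseudonymisation key and the
    token mapping. Kept in-process here only so the example runs offline."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._token_to_value: dict[str, str] = {}

    def pseudonymise(self, value: str) -> str:
        # Keyed hash: stable pseudonym that links a person's records but cannot
        # be reversed or recomputed without the key held in the vault.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def tokenise(self, value: str) -> str:
        # Random substitute that keeps length and the character class of each
        # position, so systems with fixed field formats still accept it.
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value contains nothing to substitute")
        while True:
            token = "".join(_substitute(ch) for ch in value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        return token

    def detokenise(self, token: str) -> str:
        # Re-identification is possible only with access to the vault.
        return self._token_to_value[token]


def _substitute(ch: str) -> str:
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    return ch  # separators such as '+' or ' ' are kept unchanged


def pseudonymise_record(record: dict, vault: SeparateVault) -> dict:
    # The dataset handed to a processor contains only pseudonyms and tokens.
    return {"name": vault.pseudonymise(record["name"]),
            "id_number": vault.tokenise(record["id_number"]),
            "phone": vault.tokenise(record["phone"])}
```

The output record is still personal data in the GDPR's sense: anyone holding the vault can re-identify it, which is why the vault must be stored and access-controlled separately.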
Communication of a personal data breach – a ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Communication to the data subject is not required if the controller has implemented appropriate technical and organisational protection measures, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (Article 34).
Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
2. Principles relating to processing of personal data
According to the General Data Protection Regulation these are the principles relating to processing of personal data:
3. Legal basis for personal data processing
The processing of personal data includes operations such as collection, recording, storage, consultation, disclosure, transmission or destruction.
According to the General Data Protection Regulation, personal data may not be processed unless at least one of the following legal bases applies (Article 6, paragraph 1):
4. Rights of the data subject
According to the General Data Protection Regulation data subjects whose data are processed at NOSBiH should be able to exercise these rights:
5. Information on a data protection officer
As part of implementing personal data protection standards, NOSBiH, as the data controller, has designated a data protection officer. This person will provide you with any information and answer your requests pertaining to the processing of your personal data. Please direct your inquiry to:
6. The data subject’s rights in case of unauthorised processing
In case of unauthorised processing of his or her data, the data subject may exercise all rights under the General Data Protection Regulation, including the right to lodge a complaint with the competent supervisory authority.
Notice on Personal Data Processing at NOSBiH