CBBH Privacy Rules

PRIVACY RULES OF THE CENTRAL BANK OF BOSNIA AND HERZEGOVINA

  1. INTRODUCTION

The Central Bank of Bosnia and Herzegovina (hereinafter: the Central Bank) considers the protection of your personal data highly important. These Privacy Rules explain how the Central Bank collects, uses and protects personal data in accordance with the Law on Personal Data Protection (Official Gazette of BiH, No. 12/25). For us, the principle of transparency is key to building trust, as its consistent application allows you to understand the processing procedures and exercise your rights as data holders.

  1. INFORMATION ON DATA CONTROLLER

The controller of your personal data within the scope of legal competences is:

  • Name: the Central Bank of Bosnia and Herzegovina
  • Address: Maršala Tita 25, 71000 Sarajevo
  • Personal Data Protection Officer: The Central Bank has an appointed officer whom you can contact for any questions regarding the processing of your data and the exercise of your rights.
  • Contact: +387 33 278 322; e-mail:
  1. THE CATEGORIES OF PERSONAL DATA THAT WE PROCESS

According to the Law on Personal Data Protection, "personal data" is any data relating to a natural person whose identity has been or can be determined. Depending on the nature of your contact with the Central Bank, we process different categories of such data:

  • Identification and employment legal data: Data on members and qualifications of management and supervisory bodies, appointed persons, job candidates, persons engaged on the basis of a work contract or training, authorised signatories of depositors and visitors to the Central Bank's facilities.
  • Contact data: E-mail addresses, telephone numbers and postal addresses for the purposes of official communication, media enquiries and newsletters.
  • Financial and property-related data: Data contained in the Central Register of Credits (CRC), declarations of personal interests prescribed by the Code of Ethics of the Central Bank (available at Usklađenost poslovanja (Compliance)), statements on conflict of interest according to the Public Procurement Law and security questionnaires according to the Law on Protection of Confidential Information.
  • Data on authorisation: The data on authorised signatories of depositors, users of the electronic interbank money market (EIMM) platform, users of the CRC, the Single Register of Accounts (SRA) and the giro clearing system (ACH). You can read more details about the Central Bank's payment systems at the following links:

    o    Central Register of Credits of Business Entities and Natural Persons in Bosnia and Herzegovina

    o    Electronic interbank money market

    o    Single Register of Accounts of Business Entities in Bosnia and Herzegovina

    o    Giro clearing

  • Data on digital interaction: IP addresses, cookies and technical data about visits to the website or intranet for analytics and service functionality. You can read more details about the cookie policy here.
  • Multimedia data: Video surveillance footage, as well as photographs and recordings of events organised by the Central Bank.
  1. LEGAL BASES AND PURPOSES OF DATA PROCESSING

As a rule, the Central Bank processes personal data for the purpose of complying with legal (statutory) obligations, execution of contracts and within the exercise of official authorities, and less often on the basis of consent or legitimate interest.

  • Exercise of official authorities and contracts: The Central Bank processes data for the purpose of maintaining monetary stability, managing payment systems, keeping registers and managing rights of access to these systems. The processing of personal data may be necessary for the execution of contracts for the procurement of services as well as during the implementation of the public procurement procedure in accordance with the law.
  • Human resources and labour relations management: The processing of personal data is necessary for the regulation of the employment status, the implementation of competition procedures, the payment of remunerations and the rights of hired persons and the enabling of the use of benefits on a voluntary basis to interested employees.
  • Safety and protection: The Central Bank uses video surveillance and access logs to protect persons, property, and critical infrastructure. The Central Bank may process data for the purpose of preventing and combating fraud, especially IT fraud (sending spam, phishing, hacking, false presentation).
  • Public relations and handling of requests: Personal data may be processed for the purpose of processing requests for access to information, newsletters, media communication and informing the public through web channels. Acting on requests and enquiries from citizens regarding the operations of the Central Bank, the protection of personal data or regarding the reporting of irregularities may also imply the processing of necessary identification data.
  • Promotion of the Central Bank activities and events and social networks management: The Central Bank may process photographs and videos to document and promote its activities and events. The Central Bank is present on various social networks, each of which has its own privacy and data protection rules. It is recommended that you read them.
  • The establishment, exercise or defence of the legal interests of the Central Bank may include the processing of personal data for evidence purposes.
  1. RECIPIENTS OF DATA AND TRANSFER TO OTHER COUNTRIES

Your data are only submitted to third parties (tax authorities, PDI funds, courts, agencies, banks) if there is an explicit legal basis (e.g. fulfilment of a legal or statutory obligation). As a rule, the Central Bank does not transfer data outside of Bosnia and Herzegovina, unless it is necessary for the execution of payments or defined by an international agreement, with the application of all legal protection measures.

The Central Bank provides access to personal data to researchers, in compliance with legal and internal regulations and procedures, in particular with regard to ensuring the application of appropriate protection measures. Such information may be made publicly available only after being previously anonymised in a manner that makes it impossible to directly or indirectly identify natural persons.

  1. DEADLINES FOR KEEPING DATA

Personal data are kept only for as long as necessary for the fulfilment of the purpose of processing or according to the deadlines defined by the Decision on the establishment of the list of categories of records with retention periods, adopted in accordance with the Law on Archival Material and the Archives of Bosnia and Herzegovina. Therefore, after the end of the purpose which they were collected for, your personal data are no longer used, but are kept in the archive for as long as the legal regulations on archival material define as obligatory. Videos collected by the video surveillance system are kept for 30 days, except in cases of proving an incident reported within the retention period.

7. TECHNICAL AND ORGANISATIONAL MEASURES OF PROTECTION

In order to ensure and prove the compliance of processing with applicable laws and regulations, the Central Bank applies appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access.

These measures ensure a level of security adapted to the risks of processing and the nature of the data protected:

  • Physical and technical protection: Control of access to premises, use of firewalls, passwords, smart cards and encryption.
  • Confidentiality: All employees and management of the Central Bank are obliged to maintain the confidentiality of the data obtained during the performance of their duties and tasks, which continues even after the termination of employment.
  • The "need to know" principle: Access to data is given only to persons who need it to perform official tasks.

Organisational and technical measures for the protection of personal data in the Central Bank are prescribed, among other things, by the Decision on the establishment of the Personal data security plan, the By-law on Information System Security, as well as regulations and procedures related to security systems and technical protection in the Central Bank facilities.

8. YOUR RIGHTS AS DATA HOLDER

In accordance with the law, you have the following rights with the proof of identity and depending on the legal basis for the processing:

  • Right of access: The right to know which of your data are processed and for what purpose.
  • Right to correction: The right to request the correction of inaccurate data.
  • Right to erasure ("right to be forgotten"): In cases prescribed by law, you have the right to request the deleting of your personal data (e.g. they are no longer needed for the purposes which they were collected for, you have decided to withdraw your consent to their processing, you believe that your data are processed unlawfully or you have successfully objected to the processing on the legitimate interest basis).
  • Right to restriction of processing: The right to request that the data no longer be processed in certain cases (e.g. for as long as you contest the accuracy or the legal basis for the processing of your data or if the controller no longer needs your data but you request them for the establishment, exercise or defence of legal claims).
  • Right to object: The right to object, stating reasons related to your particular situation as a data holder, to the processing of your personal data processed by the Central Bank on the basis of legitimate or public interest. In this case, the Central Bank will carry out an assessment to determine whether your rights are prevailed by the legitimate interests for the continuation of the processing.
  • Right to data transferability: The right to download the data provided by you to the Central Bank in a structured, commonly used and machine-readable format.

The Central Bank will respond to your request without undue delay and within 30 days as latest.

In the event that the processing of data is based on your consent, the consent to the processing of your personal data that you give in writing (physically or electronically) refers only to the purposes of the processing and the categories of personal data that are clearly stated to you on that occasion, and the processing of your personal data will not be carried out for other purposes. If you wish to withdraw your consent, you can do so in writing or in person by using the contact details provided in Section 2 of these Rules.

9. THE RIGHT TO SUBMIT A COMPLAINT TO THE SUPERVISORY AUTHORITY

If you believe that the Central Bank has violated your right to the protection of personal data, you have the right to file a complaint to the Personal Data Protection Agency in BiH, Dubrovačka br. 6, Sarajevo (e-mail: [email protected]).

10. CHANGES OF PRIVACY RULES

The Central Bank reserves the right to update these Rules in accordance with changes of the law or changes in processing procedures. Any amendment to these Privacy Rules shall enter into force upon its publication on the website of the Central Bank of Bosnia and Herzegovina. Only the applicable version is available on the website.



Newsletter CBBiH