Council of Ministers of Bosnia and Herzegovina, by Decision of 17 March 2020 declared the occurrence of a state of natural or other disaster in the territory of Bosnia and Herzegovina (“BH”) because of the risk of an epidemic of a contagious disease caused by a new corona virus (COVID-19) (“State of Emergency”).

Since Bosnia and Herzegovina (“BH”) is organized as a complex state, which consists of several structures of government: two entities Republic of Srpska (“RS”), the Federation of Bosnia and Herzegovina (“FBH”) and Brčko District (District”), Bosnia and Herzegovina, and these entities, within its competences adopted in the past several weeks, a series of measures to combat the COVID-19 virus epidemic.

In this review, we address the issues of protection of personal data in Bosnia and Herzegovina in relation to the State of Emergency.

Increased processing of different categories of personal data by public authorities and employers is not in itself for harsh criticism by the public, but it urges those responsible to process the data in accordance with the basic principles of processing and that:

a. the processing of personal data is in a fair and lawful manner;

b. personal data collected for specific, explicit and lawful purposes are not processed in any way inconsistent with that purpose;

c. personal data are processed only to the extent and scope necessary to fulfill a particular purpose;

d. personal data are processed only for the period of time necessary to fulfill the purpose for which the data were collected.

I. Protection of personal data of employees

During the State of Emergency, employers undertake various actions of processing of personal data of employees, namely a special category – data on the health status of employees. The legislator attaches particular importance to specific categories of personal data by prescribing the general principle that the processing of special categories of personal data is prohibited. The legislator allows the processing of this category of personal data exceptionally, prescribing the cases when the processing is considered to be in accordance with the regulations.

Consequence of the State of Emergency is primarily that employers are taking actions of collection, recording and disclosure of special categories of personal data of employees in order to detect and prevent the spread of the epidemic.

These actions are taken by employers as a consequence of continuous implementation of the recommended health measures prescribed by the competent public health authorities, protection of vulnerable categories of employees (older employees, employees with diseases that carry an increased risk of serious consequences of COVID-19 infection) and the need to ensure conduction of work process at the employers whose business activities have not been suspended.

In implementing security measures, certain employers, in consultation with healthcare institutions or on their own initiative, also carry out medical examinations of employees, such as measuring body temperature, with the aim of detecting potential infected persons, their isolation and further treatment.

Given the measures actually taken by employers and the requirements imposed by the applicable data protection regulations, there is a need to strike a balance with the measures taken and the protection of personal data.

For this review, we answer the questions:

• whether the Agency for Personal Data Protection of Bosnia and Herzegovina (“DPA”) has issued instructions or guidelines for employers regarding the collection of personal data of employees;

• whether employers are allowed to process specific categories of employees’ personal data for the purpose of identifying COVID-19 virus cases; and

• whether the employer can disclose the identity of an employee infected with the COVID-19 virus or in mandatory isolation designated by the competent authorities.

DPA did not issue any specific instructions or guidelines for employers regarding the enhanced processing of employees’ personal data being carried out as a measure to combat the epidemic.

With regard to the processing of personal data, the Personal Data Protection Law (the “Law”) also applies in this situation.

Personal data revealing a medical condition are a special category of data whose processing is exceptionally permitted, namely: (i) if the processing is necessary to protect the life, health, property and other vital interests of the data subject or other person for whom consent cannot be obtained; (ii) the processing of data is necessary for the performance of an obligation or special rights of the controller in the field of labor law to the extent authorized by law; (iii) if it is of particular public interest) and in other cases prescribed by the Law.

In our opinion, the processing of employees’ health data relating to the collection, storage, use of data by the employer for the purpose of combating the COVID-19 pandemic is permitted. These actions would relate to surveying employees as to whether they are at greater risk of being harmed by the virus (age and existence of disease identified as a risk factor), stay of employees abroad, contact with infected persons or persons in isolation and collection and other processing of similar data.

With regard to the possibility of undertaking medical examinations of employees by employers in the form of body temperature measurements or similar examinations to identify the symptoms of COVID-19 disease, the DPA did not issue an opinion whether this would be considered a breach of regulation.

Given that this measure has not been explicitly imposed on employers by public health institutions, it cannot be ruled out that the DPA may consider that by taking this measure, employers are unlawfully processing personal data. For this reason, it is recommended that employers obtain the DPA’s opinion before taking such or similar measures.

Employer cannot disclose the identity of the employee and other personal information of the employee who is infected with the COVID-19 virus without the proper legal basis. The existence of the basis for the disclosure should be determined on a case-by-case basis. In this sense, it is considered that it is permissible to exchange information in order to fulfill legal obligations towards the competent authorities, and to protect the life and health of employees. It is equally permissible to disclose the identity of an employee to other employees who have been exposed to contact with an infected employee to protect their health and similar.

In each specific situation, employers are advised to resort to the principle of proportionality. The least intrusive solutions should always be preferred, given the specific purposes to be achieved.

Upon termination of an emergency, employers are required to return to a regular data processing regime, including the permanent erasure of employees’ collected health data.

II. Protection of personal data of BH citizens

The fight against the epidemic implies that the competent authorities analyze every day the emergency measures taken and the results of the emergency measures. These actions of the competent authorities also include the processing of special categories of personal data of natural persons in the territory of Bosnia and Herzegovina.

Accordingly, the Ministry of Administration and Local Self-Government of the RS collects data on persons who violated measures of home isolation, and the data is published on the website Corona virus in Srpska. In the FBiH, the Federal Directorate for Inspection Affairs does the same on its website and the District on the website of the District Government.

In addition, certain public authorities publicly disclosed the personal data of persons to whom isolation and self-isolation orders were issued, although these persons did not violate regulations. One authority published a list of persons containing personal information on name, surname, year of birth, city / place, country from which the person came, the date on which the isolation began, the telephone number. Other competent authorities in Trebinje, Konjic and Čelić have, in the same or similar way, published lists of persons who are positive for corona virus, as well as persons who have been designated for isolation or self-isolation.

As a consequence of the emergency measures, questions were raised as to whether the data of persons in breach of regulations, i.e. prescribed emergency measures and data of persons suffering from the COVID-19 virus, as well as persons who had been subjected to a measure of isolation or self-isolation, could be made public.

In a statement dated March 23, 2020, the DPA stated that it is not illegal to publish a minimum of data on persons who violate the laws, i.e. certain prohibitions of the competent authorities, since it is a manifest violation of the law, namely those that protect and save lives. Consequently, the public interest outweighed the right to the protection of personal data, and the person who violated the law actively contributed to this.

With regard to the disclosure of data on all persons in isolation and self-isolation, DPA is explicit that the public disclosure of personal data of persons who are positive for corona virus and persons subject to measures of isolation and self-isolation who have not violated the laws or prohibitions of the competent authorities, is not in accordance with the Law.

Competent authorities continue to analyze the existing measures taken and adopt new ones on a daily basis, which inevitably leads to various forms of processing of specific categories of personal data of individuals.

The processing of personal data, including the processing of special categories of personal data, cannot be avoided, but by appropriate measures taken in accordance with the basic principles of legitimate data processing, it can take place within the legal framework.

III. Context of overview

All of the above is a framework overview of the protection of personal data during the State of Emergency caused by COVID-19 epidemic. None of the above constitutes legal advice nor do we assume any liability in the event of complying with the above.

Below are our contact details, in case you would like to receive more detailed information on the above matter:

Stevan Dimitrijević
Partner | Attorney at law
T | F +387 51 962 600
M +387 65 589 149
E-mail : stevan.dimitrijevic@dimitrijevicpartners.com

Tanja Savičić
Senior Associate | Attorney at law
T | F +387 51 962 600
M +387 65 918 526
E-mail : tanja.savicic@dimitrijevicpartners.com