Which changes brings GDPR and how to apply it in Bosnia and Herzegovina?

The digital age that we are living in changing the way people and organizations communicate and exchange their data. Using the Internet one can complete many services, and online services require entering more and more of your personal data. People, therefore, are forced to make their own data available to the public and global audience.

How safe is it? Is your own safety jeopardized?

How to have a good flow of your data and a high level of the protection of your personal data? These are only some of the questions we will answer in this text. So let’s get started!

What is the GDPR?

In a competitive race, the more data you have available, the more information based on which you have to predict the market, bring some strategic decisions and win the competition. Due to extended exposure of the data to such an environment, there is a need for the legal regulation of the area aimed to protect the individual.

This is just the reason why the European Union (EU) brings the General Data Protection Regulation (GDPR) in 2016, but which comes into force from 25th May 2018, which is also the final date when all processes and information systems are to be adjusted. This Regulation should also contribute to the establishment of the area of freedom, security, and justice for this economic union, economic and social development, growth and economic strengthening and benefits to every individual.

Many companies and organizations often use the personal data of their clients as a free resource and use them without allowance, collect them without limits and other protection measures.

GDPR represents new legal protection of the personal data of EU citizens. The legal foundations of GDPR are Act of Functioning of the EU and the Fundamental Rights Charter of the EU, which in its contents explicitly state that everyone has a right to the protection of their personal data, and this right is to be uncompromisingly defended by this document. GDPR is a tool that will force the companies to think and set the manner of collection, analysis and data saving.


GDPR is applicable for every organization which collects and analyses the personal data of EU citizens, including micro, small or medium-sized companies, public institutions, bodies and agencies which collect personal data, independently of their location (in the EU or not), their size, legal form, or activity. All legal entities must adhere to the regulations which include not only Internet business operations but also all other types in which there is an insight into your personal information.

It will not be sufficient only to cover certain business fragments, but rather the overall type of collection and use of personal data.

Personal data

Personal data include any data/information or their combination which identifies a person. It is not just the name. It also includes data such as age, sex, unique identification number of a citizen, telephone number, e-mail address, IP address on your PC or mobile phone, GPS location, payment slip, credit debt, bank accounts, education and vocation, photos, videos, your favourite books or songs, physical, OIB, RFID tags and cookies on websites and other information.

Which changes bring GDPR to individuals?

The elementary differences of GDPR in comparison to earlier legislation are giving more rights to individuals who have easier access but better control over their data which are mainly used for the purposes of advertising. The rights of the examinees about their rights are clearly defined. Individuals have right to know what for are their data used, to have access to their personal data, to have right for editing or deleting, limiting of processing and distribution of their personal data, etc. This is just what the GDPR application enables. In order to store the personal data of an individual, we have to get the permission of them. When someone allows their data to be processed, then we can process their data to the purpose which their permission is given for. Additional strengthening of the rights of the information owner is provided by forecasting of the effects that collection and processing of the data may have to the rights and freedom of an individual, as well as informing the authorities and the owner in case of any sort of violations or infringements (within 72 hours).

One of the news in GDPR is referred to as the way of giving permission by the users for the collection and use of their personal data. Conditions must be written in a clear and comprehensible manner about the purpose of the data collection.

Data must be collected in the form in which they enable identification of an individual only for that period which is enough to provide the purpose for which they are collected.

Exceptions include the personal data which will be stored for archives of public interest, scientific or historical research or statistic purposes, which again must be adequately stored in accordance with the GDPR.

In order to ensure the above-stated conditions to be fully implemented, the law stipulates the existence of the independent state authority within every member country which will take care of the implementation in this field, and this will be coordinated by a single EU body.

What GDPR brings to legal entities?

It is very interesting that GDPR is not only referred to as the companies acting only on the EU area but also to all those which treat the data of the citizens populating EU area, disregarding the location or size. Basically, all organizations, institutions, companies and other legal entities which have employees, buyers, clients from the EU, are obliged to adhere to this GDPR regulation and protect the personal data of the above-mentioned individuals.

GDPR requires listing, categorization and coding of all information about their user’s personal data from all individuals, institutions and organizations which in any way treat the personal data of their clients. Personal consent to the use of personal data is defined as an act of permission. Organizations are set the unique standard of personal data and privacy protection in the area of the EU, where we have a unique standard to which requirements we must adjust. On the other hand, this standard sets before all organizations very high and rigid requirements with very high fines. Disrespect of the rules draws fines, and these vary up to 20 million €, i.e. 4% of the total turnover, depending on which amount is bigger. Supervision of this Regulation is to be under the control of the Personal Data Protection Agency.

In order for you to establish the compliance of your organization to this Regulation you need persons who understand these requirements very well, and sometimes it is even necessary to name the qualified staff for personal data protection. For this part, you can name persons outside your organization, whether by using outsourcing contracts or business agreements. It can be a Data Processing Manager, Data Processing Clerk or Personal Data Protection Officer. It is necessary for organizations to make their own plan for data protection, risk estimation and measures for clearance of these.

If you are a company or organization, your plan to protect the personal data may depend on several factors such as sensitivity level, amount of data or complexity of your digital infrastructure. Minimum you must undertake is to analyze what type of personal data you take and store, where you store them, make the risk estimation and set the best source where they are safe from unallowed access or information leakage, limit the access to them, and check if they are correctly encrypted.

How to apply GDPR in Bosnia and Herzegovina?

The most comprehensive change in the European policy of data protection within the last few decades is also applicable in Bosnia and Herzegovina, although it is not an EU member. By signing The Stabilisation and EU Association Agreement, Bosnia and Herzegovina undertake the obligation of adaptation of its domestic legislation to the legislation of the EU, which is due to 2021 when the Bosnian citizens will be under the protection. However, since 25th May Bosnia and Herzegovina must protect the EU citizens within its borders and outside. It is very important that the companies in Bosnia and Herzegovina, which operate with the data of EU citizens adjust themselves to the requirements of the GDPR regulation. Bosnia and Herzegovina must comply with the regulations of GDPR, first for the EU citizens, and then for itself as it once becomes the EU member. The first step for every organization in Bosnia and Herzegovina is to make a “Compliance estimate” of the personal data protection of the existing Law on the personal data protection in Bosnia and Herzegovina with GDPR regulation.

Fine provisions from the Law on personal data protection will be applicable in Bosnia and Herzegovina all until the new law adjusted to this regulation comes into force. It is very specific for Bosnia here as a significant number of its citizens is already EU citizen.


How ED Vision can help you to adjust your business with GDPR?

Apply this regulation in your organization and tell your clients that you offer them full control of their personal data!

A very important part of personal data collection is your website. If you have a website, you collect personal data, send a regular newsletter, pay salaries, have a webshop and process a bunch of orders everyday… if you have a database of individuals (buyers or employees) who are EU citizens, we will help you to adjust your business in accordance with GDPR.

Although GDPR is very clear in personal data protection, it does not describe the processes or technologies which companies must have in order to provide that protection. Many owners and company managers are not aware of the obstacles they must go through in order to implement these requirements, for which we do not have too much time. They should know that the adjustment is not a simple process and that it will make significant changes to their business. Therefore, the earlier they start, the less painful will it be. We can help you with that.

What GDPR represents for your website? Since the arrival of GDPR into our business world, the data collection of our users via website becomes significantly more complex. We will help you to provide full control of your users’ personal data and offer them clear, non-obligatory and comprehensible instructions for the provision or deletion of their personal data from your system.

Here we will represent you the changes in accordance with GDPR referring to your website so that you can apply them as soon as possible.

Privacy statement

If you don’t have a privacy statement, we will help you introduce it. The privacy statement is a very important document, i.e it is a page that your domain should have. The privacy statement is a very important part of GDPR adjustment by which you fulfill the transparency element. We will help you to create this privacy statement in the right manner and make sure the permissions for personal data use are valid. Therefore we will in simple and comprehensible terms inform your clients so that they clearly and undoubtedly know their rights, ways of data processing, ways of asking for change or deletion of their data, and which security standards you have.

We will help you, provide instructions so you can make and adjust the Privacy Statement which will fulfill the requirements of the GDPR. That way you will safely collect your users’ data, communicate and do business in accordance with GDPR.


A cookie is a piece of information stored on a user’s computer by a website they visit. Cookies usually save settings related to a website, such as preferred language or address. Later, when the user opens the same websites cookies enable the website to show information adjusted on the basis of the user’s needs.

GDPR brings a change with cookies and above all related to them. The title “This website uses cookies” is not allowed anymore, and every cookie we want to store in a web browser has to get the user’s consent for it. This refers not only to cookies necessary for website functioning but also for all other types of cookies.

We can implement solutions that will be accepted or rejected by users, or as GDPR stipulates the only certain type of cookies. Also, in accordance to GDPR, visitors will at any moment be free to withdraw their consent for the use of cookies.


According to GDPR every data that the user enters, can be used only to the purpose for which the user provided their consent. For example, e-mail address which you received from a buyer by webshop, if you have consent you can use it exclusively for the completion of that order, not for sending your advertising campaigns. If you want that, below contact form, there has to be a tick box (unmarked) with the statement “I agree

to receive newsletter “. So, in order for you to use that e-mail address in your newsletter campaign, the user has to provide additionally their consent.

We will check your website and in agreement with you, add all the necessary notifications and explanations as well as tick boxes for consents, so that your forms on your website are in accordance with GDPR.

Before you click on a button “Register”, it is always best to add an empty box where user can tick. Permissions will be recorded in a digital form so that in case of any inspection checkups or disagreements with a buyer, you can show that you have permission for the use of their personal data for such purpose. GDPR regulation refers only to personal data, and other data that are not personal (anonymous – out of which it is not possible to determine a person’s identity), are protected by the national legislation of each member state.


Before the introduction of GDPR, newsletter lists were filled in different ways. In case that newsletter lists were picked-up, it is necessary to stop using them because there is a potential possibility of getting fines. Most of the websites nowadays have forms for e-mail collection for newsletter with a notification that e-mail address is provided for the use of free e-book or getting some discounts. After that this e-mail address is used for regular newsletter sending.

GDPR stops this practice and in case you would like to send your newsletter to a user, they have to give you permission for that. Having GDPR introduced, the newsletter you may send only to those who provided their permission for that. So, if you get permission on the form where it is stated that your user will get a promotional code, you do not have the right to use their e-mail address for your newsletter campaign, but only for sending this promotional code. Our simplest solution we can implement on your website is an additional tick box (checkbox) in which they can put a tick for receiving the newsletter, but this tick must not be automatically put. One of the options with new newsletter subscribers is double opt-in sign-up, i.e. the user gets on their e-mail address a confirmation e-mail, in which it is stated in which purposes their e-mail will be used, for which they give their final confirmation.

If you have a newsletter list which you collected by informing users about the clear purpose of their e-mail address, then it would be good for you to prepare a newsletter in which you will ask for their consent for further reception of newsletter e-mails from you. On your list will then be left only those who confirmed to remain your subscribers, all others should be deleted.

Data overview possibility

If the users entered their personal data on your website, we can create the functionality of their user profiles for you. That way on one place simply and fast they can be overviewed with all the personal data they entered, and they can edit or delete them on their own. That way you will reduce the number of e-mails with such requests.

On every user profile (for example webshop) there must be a possibility that the user themselves deletes the profile, permissions, together with all other data (personal data, ordering history etc.)

Other obligatory data

In case that the supervision of websites becomes more extensive due to GDPR, then other important data will also be checked as well. We will check if you have all the necessary data and warn you if you are missing them. All stated in this text is of general nature and represents our own interpretation of GDPR regulation. We offer you what we applied from GDPR for ourselves as well, and we do not guarantee in legal terms that everything will perfectly match GDPR requirements. For more detailed instructions we recommend you to consult the lawyer. In case you would like to adjust your online business with GDPR, please contact us via the contact form which is GDPR adjusted.