Privacy Policy

This Privacy Policy and related information are provided in accordance with Articles 14, 15, and 16 of the Law on Personal Data Protection of Bosnia and Herzegovina, which prescribe the obligation to inform data subjects transparently about the processing of their personal data.

The purpose of this notice is to inform you, as data subjects, about the details of the processing of your personal data by Law Firm “SAJIĆ” o.d. Banja Luka.

This notice will be made available to data subjects on the website of Law Firm Sajić, www.advokatskafirmasajic.com, as well as at the information desk at the firm’s headquarters.


Identity and Contact Details of the Data Controller

The data controller responsible for processing personal data is:
LAW FIRM “SAJIĆ” o.d. BANJA LUKA
Bulevar vojvode Živojina Mišića 49b, 78000 Banja Luka
E-mail: [email protected]
Phone: +387 51 227 620

Contact Details of the Data Protection Officer

For any questions regarding the processing of your personal data, you may contact our Data Protection Officer using the following contact details:
E-mail: [email protected]
Phone: +387 51 227 627
By post: LAW FIRM “SAJIĆ” o.d. BANJA LUKA, Bulevar vojvode Živojina Mišića 49B, 78000 Banja Luka (Data Protection Officer)

Processing Activities – Categories, Purposes, and Legal Basis

Clients – natural persons (provision of services, case management)

Within the provision of professional services, the firm processes personal data of clients – natural persons to the extent necessary for the conclusion and performance of the contractual relationship, case management, and the protection of the rights and legal interests of both the client and the firm. Below is a detailed description of the purposes of processing, the legal basis, the categories of personal data processed, as well as the retention periods for such data.

Categories of personal data processed:

  • full name,
  • date and place of birth,
  • residential or temporary address,
  • contact phone number,
  • email address,
  • data from personal identification documents (e.g. ID card or passport number), where necessary,
  • data on personal, family, financial, or business status, depending on the matter,
  • data contained in documents provided by the client (contracts, decisions, rulings, medical records, evidence, etc.),
  • data obtained during representation from courts, administrative authorities, and other competent bodies,
  • data relating to legal claims, disputes, and proceedings,
  • data on communication with the client (correspondence, emails, meeting notes),
  • financial data relevant for invoicing and payment of services,
  • special categories of personal data (e.g. data concerning health, criminal convictions, family relationships), exclusively when necessary for a specific matter and permitted by law.

Purpose of processing:

The firm processes personal data of clients – natural persons in order to conclude an agreement on the provision of legal services, organize and manage cases, provide legal advice and representation, communicate with clients, prepare submissions and legal documents, undertake actions in the client’s interest, and maintain mandatory supporting documentation (including financial records arising from such relationship). As part of service provision, processing also includes the storage of evidence and case files, as well as the exchange of data with competent authorities and other parties to proceedings where necessary for the matter.

Legal basis:

The primary legal basis is the performance of a contract and/or taking steps at the request of the client prior to entering into a contract (Article 8(1)(b) of the Law). Where the firm is required to retain certain documentation or act in accordance with binding regulations (e.g. accounting, taxation, responding to requests from authorities), the legal basis is compliance with a legal obligation (Article 8(1)(c) of the Law). In situations where processing is necessary for the establishment, exercise, or defense of legal claims (e.g. debt collection, demonstrating proper conduct, protecting the firm in disputes), the legal basis relies on legitimate interest (Article 8(1)(f) of the Law).

Retention periods:

Personal data of clients – natural persons are retained in accordance with a combination of legal obligations, limitation periods, and the firm’s legitimate interests. During the contractual relationship and case handling, all data necessary for service provision are actively retained for as long as representation or advisory services are ongoing. After the conclusion of the proceedings or termination of the contract, case files and supporting documentation are retained for at least 10 years, taking into account the general limitation period for claims under the Law on Obligations, the need to demonstrate proper conduct, protection against potential claims by clients or third parties, as well as professional rules and record-keeping practices. Financial and accounting documentation (invoices, bills, payment records) is retained for at least 10 years, in accordance with the tax and accounting regulations of Republika Srpska and Bosnia and Herzegovina. Data on communication and working notes are retained as part of the case file for the same retention period as the core case documentation.

Clients – Legal Entities

Within the provision of professional services to legal entities, the firm processes personal data of contact persons of clients – legal entities to the extent necessary for establishing and performing the contractual relationship, managing cases, and communicating with the client. Below is a detailed description of the purposes of processing, the legal basis, the categories of personal data processed, as well as the retention periods for such data.

Categories of personal data processed:

  • full name of the contact person at the client – legal entity,
  • position, job title, or authorization of the contact person,
  • contact phone number,
  • email address,
  • data on representation and authorizations (e.g. powers of attorney, appointment decisions),
  • data contained in service agreements,
  • data on communication with contact persons (correspondence, emails, meeting notes),
  • data contained in matters handled by the firm for the legal entity,
  • data obtained from courts, administrative authorities, and other competent bodies in relation to such matters,
  • financial and billing data related to invoicing and payment for services,
  • special categories of personal data of contact persons or third parties, exclusively where they appear in matters handled by the firm and where permitted by law.

Purpose of processing:

The firm processes data of contact persons of clients – legal entities (e.g. responsible persons, legal representatives, employees designated for cooperation) for the purposes of communication, verification of authorizations, conclusion and performance of service agreements with the legal entity, case management, provision of legal advice and representation, as well as for organizing work and fulfilling obligations arising from the business relationship.

Legal basis:

Processing is primarily based on the performance of a contract with the client – legal entity and/or taking steps prior to entering into a contract (Article 8(1)(b) of the Law). Part of the processing is based on compliance with a legal obligation (Article 8(1)(c) of the Law), particularly in relation to the retention of business and financial documentation and compliance with applicable regulations. To the extent necessary for the protection of legal interests (e.g. documenting communication, protection against disputes), the legal basis may be the legitimate interest (Article 8(1)(f) of the Law).

Retention periods:

Personal data of contact persons of clients – legal entities are retained in accordance with the purpose of processing, applicable regulations, and the firm’s legitimate interest in documenting the provision of services and protecting its rights. Data are retained for the duration of the contractual relationship with the client – legal entity and the active handling of the matter. After termination of the contractual relationship or completion of the matter, documentation and data are retained for at least 10 years, taking into account the general limitation period for claims under the Law on Obligations, as well as the need to demonstrate proper performance of the contract and protection against potential claims by clients or third parties. Financial and accounting documentation containing personal data of contact persons (invoices, calculations, payment records) is retained in accordance with the deadlines prescribed by the tax and accounting regulations of Republika Srpska and Bosnia and Herzegovina, and for no less than 10 years. Data on communication, powers of attorney, and authorizations are retained as an integral part of the case file and follow the same retention period as the core documentation.

Data from court, administrative, and other proceedings (participants, case files, evidence)

Within the scope of representation and legal advice in court, administrative, and other proceedings, the firm necessarily processes personal data of various participants in the proceedings, as well as data contained in case files and evidence. This section of the Privacy Policy describes the purposes and legal bases for such processing, the categories of personal data involved, and the retention periods applicable to such data.

Categories of personal data processed:

  • identification data of parties to the proceedings (full name or other identifiers as contained in case files),
  • contact details of parties (address, phone number, email),
  • data on opposing parties in the proceedings,
  • data on witnesses,
  • data on expert witnesses,
  • data on legal representatives and attorneys,
  • data on judges, prosecutors, officials of administrative authorities, notaries, and enforcement officers,
  • data on third parties appearing in case files and evidence,
  • data contained in court, administrative, and other acts (judgments, rulings, decisions, conclusions),
  • data contained in claims, responses, submissions, appeals, legal opinions, and other procedural documents,
  • data contained in evidence (contracts, invoices, business documentation, medical records, financial reports, statements, correspondence, etc.),
  • data on facts and circumstances relevant to the proceedings,
  • data on criminal offences, misdemeanors, judgments, and sanctions, where relevant to the case,
  • data on health, family relationships, financial and social status, where arising from the nature of the proceedings,
  • data on communication with courts, administrative authorities, and other participants in the proceedings.

Purpose of processing:

In the context of handling court, administrative, and other proceedings, the firm processes personal data of various categories of individuals (parties, opposing parties, witnesses, experts, officials, judges, case handlers, record-keepers, attorneys, and third parties whose data appear in the case files) for the purposes of case management, preparation and submission of filings, collection and evaluation of evidence, communication with courts and authorities, and undertaking procedural actions necessary for representation and the protection of the client’s rights and interests.

Legal basis:

The processing is primarily based on the performance of a contract with the client (Article 8(1)(b) of the Law) and on compliance with a legal obligation to act in accordance with procedural regulations and requests of competent authorities (Article 8(1)(c) of the Law), where applicable. For processing that is necessary for the conduct and protection of legal proceedings (including evidentiary purposes, debt collection, and protection against liability), the legal basis is the legitimate interest (Article 8(1)(f) of the Law), with the obligation to limit processing to what is necessary for the specific matter.

Retention periods:

Personal data processed within court, administrative, and other proceedings are retained in accordance with procedural regulations, archival rules, limitation periods, and the firm’s legitimate interest in documenting lawful and professional conduct. Data are retained for the duration of the proceedings, including all stages of ordinary and extraordinary legal remedies, as well as enforcement and other related proceedings. After the final conclusion of the proceedings, the complete case file, including all submissions, evidence, and decisions, is retained for at least 10 years, taking into account the general limitation period for claims under the Law on Obligations, the possibility of initiating proceedings through extraordinary legal remedies, the need to protect both the firm and the client against subsequent claims or disputes, as well as the professional obligation to preserve documentation of actions taken.

Special categories of data in proceedings:

Where case files contain special categories of data (health data, biometric data, family relationships, criminal convictions, etc.), processing is based on specific legal rules and grounds, most commonly for the establishment, exercise, or defense of legal claims in practice.

Potential clients

When individuals contact the firm with an inquiry or request for services, their personal data are processed solely for the purpose of establishing communication, reviewing the submitted inquiry, and assessing the possibility of accepting a specific engagement. Processing is carried out in a limited scope and only to the extent necessary for these purposes, in accordance with the principles of data minimization and confidentiality. Such processing does not imply the automatic establishment of a contractual relationship, nor does it create an obligation for the firm to accept the engagement. Below is a detailed description of the purposes and legal bases of processing, the categories of personal data processed, and the retention periods in accordance with applicable regulations.

Categories of personal data processed:

  • full name of the potential client,
  • contact phone number,
  • email address,
  • data on the method of contact (phone, email, in-person visit),
  • data concerning the legal issue or service request,
  • data voluntarily provided by the potential client during initial communication,
  • notes from initial consultations or discussions,
  • data on communication with the potential client (email correspondence, call notes),
  • data on the decision whether the engagement is accepted or declined,
  • data related to conflict-of-interest checks.

Purpose of processing:

The firm processes personal data of potential clients for the purpose of receiving and handling inquiries, providing initial information, organizing consultations, assessing the possibility of accepting an engagement, including conflict-of-interest checks to the extent necessary, and making a decision on entering into a service agreement.

Legal basis:

The legal basis is taking steps at the request of the data subject prior to entering into a contract (Article 8(1)(b) of the Law).

Retention periods:

Personal data of potential clients are retained in a limited scope and only for as long as necessary to achieve the purpose of processing, i.e. for initial communication and assessment of the possibility of accepting an engagement. If no service agreement is concluded, the data are retained until the end of communication, and for no longer than 12 months from the last contact. If the potential client becomes a client of the firm, their data become subject to the processing regime applicable to clients and are retained in accordance with the retention periods prescribed for client data.

Job applicants

In the recruitment and selection process, the firm processes personal data of candidates who apply for open positions or who submit unsolicited applications for potential engagement. Such data are processed exclusively for the purposes of conducting the selection process, assessing professional qualifications, and making decisions regarding employment or other forms of engagement. The firm processes candidate data in a limited scope, in accordance with the principles of lawfulness, data minimization, storage limitation, and confidentiality, and without automated decision-making or profiling. Below is a detailed description of the purposes and legal bases of processing, the categories of personal data processed, as well as the retention periods relating to job applications.

Categories of personal data processed:

  • full name of the candidate,
  • contact phone number,
  • email address,
  • residential or temporary address,
  • data on education (schools, universities, degrees, diplomas),
  • data on work experience (employers, periods of employment, job descriptions),
  • data on professional knowledge, skills, and qualifications,
  • data contained in the curriculum vitae (CV),
  • data contained in the cover letter,
  • data on possession of a driver’s license of the relevant category,
  • data from recommendations or references (if provided),
  • notes and evaluations from interviews,
  • data on the results of the selection process,
  • data on the candidate’s consent for retaining data in the candidate database, if given,
  • other data voluntarily provided by the candidate as part of the application.

Purpose of processing:

The firm processes candidates’ personal data for the purpose of conducting the selection process, verifying qualifications, organizing interviews, deciding on employment or other engagement, as well as for the potential retention of applications in the candidate database where the candidate has provided consent.

Legal basis:

For the selection process, the legal basis is taking steps at the request of the data subject prior to entering into a contract (Article 8(1)(b) of the Law). For retention after the completion of the selection process, the legal basis is consent (Article 8(1)(a) of the Law), which the candidate may withdraw at any time.

Retention periods:

Personal data of job applicants are retained only for as long as necessary to conduct the selection process and make a decision on employment. Data of candidates who are not selected are retained until the completion of the selection process, and thereafter for no longer than 6 months. This period allows the firm to respond to potential complaints from candidates, demonstrate the lawfulness of the selection process, and protect itself against possible claims. If a candidate provides explicit consent for their data to be retained in the candidate database, the data may be stored for up to 18 months from the date of consent, exclusively for future recruitment processes. Upon expiry of this period, or earlier if the candidate withdraws consent, the data are deleted. Data of candidates who are selected and with whom an employment contract or another form of engagement is concluded become subject to a separate regime governing the processing of employees’ personal data and are regulated by a separate privacy policy.

Video surveillance

For the purpose of protecting persons and property, the firm conducts video surveillance within its premises. Video surveillance is implemented solely to ensure the security of the premises, employees, clients, and visitors, as well as for the prevention and evidencing of potential security incidents. Processing of personal data through video surveillance is carried out in a limited scope, with clearly marked monitored areas and in accordance with the principles of lawfulness, proportionality, and data minimization. Below is a description of the purposes and legal bases of processing, the categories of personal data processed, as well as the retention periods for recordings collected through the video surveillance system.

Categories of personal data processed:

  • video recordings of individuals present in the monitored area,
  • visual representation of individuals (appearance, movement, behavior),
  • date and time of recording,
  • location of recording within the monitored premises.

Purpose of processing:

The firm processes data obtained through video surveillance solely for the purpose of protecting persons and property, preventing and evidencing incident situations, and controlling access to the premises to the extent necessary for security.

Legal basis:

The legal basis is the firm’s legitimate interest in ensuring security and protecting property (Article 8(1)(f) of the Law), while ensuring proportionality (limited scope, defined retention period, and controlled access to recordings).

Retention periods:

Recordings collected through the video surveillance system are retained for a maximum of 8 days from the date of creation, after which they are automatically deleted by overwriting with new recordings or permanently erased. An exception to this retention period applies where a specific segment of a recording is extracted for evidentiary purposes in a particular case, such as footage documenting theft, property damage, or another security incident. In such cases, the extracted recording may be retained until the conclusion of proceedings before the competent authorities, or for as long as necessary for its use as evidence.

For more information on video surveillance and the rules governing the processing of personal data through video surveillance, please refer to the separate Notice to Data Subjects on the Processing of Personal Data via Video Surveillance.

Notice on the processing of personal data via video surveillance (Detailed)

This notice is provided in accordance with the Law on Personal Data Protection of BiH for the purpose of transparent information about surveillance at the firm's headquarters (Bulevar vojvode Živojina Mišića 49b, Banja Luka).

Purpose and legal basis:

Video surveillance is carried out exclusively for the protection of persons (employees and visitors) and the property of the controller. The legal basis is legitimate interest (Article 8(1)(f) of the Law).

Method of surveillance:

The monitored area is clearly marked with visible notices. The system records movement in common areas, entrances, and approaches, without intruding on privacy beyond what is necessary for security purposes.

Access to data and recipients:

Direct access to recordings is granted exclusively to authorized persons of the controller. Recordings may be submitted to competent authorities (police, court) exclusively on the basis of a written request within legal proceedings.

Data subject rights:

Individuals on the recording have the right to access the data (viewing the recording) and the right to object, provided that this does not compromise the rights of third parties. Requests are submitted in writing to the Data Protection Officer.

Website and cookies

When visiting the firm’s website (www.advokatskafirmasajic.com), certain personal and technical data of visitors are processed to ensure the proper functioning of the website, maintain its security and stability, and improve user experience. Such processing is carried out in a limited scope and in accordance with applicable personal data protection regulations, while adhering to the principles of lawfulness, transparency, and data minimization. The firm does not track users beyond what is necessary for the technical functioning and security of the website, nor does it carry out automated decision-making or profiling of visitors. Below is a detailed explanation of the categories of personal data processed through the website and cookies, the purposes of such processing, the legal basis, and the retention periods.

Categories of personal data processed:

  • user IP address,
  • date and time of access to the website,
  • device data (device type, operating system),
  • internet browser data and version,
  • data on visited pages and actions taken on the site,
  • technical cookie identifiers (cookie ID),
  • data on cookie preferences,
  • data voluntarily provided by the user via the website,
  • aggregated statistical data on website usage.

Purpose of processing:

The firm processes certain technical data of website visitors in order to ensure the proper functioning of the website, maintain security, detect misuse, and improve content and user experience. To the extent that analytical or marketing cookies are used, the purpose is to measure website traffic and understand how the website is used.

Legal basis:

For necessary technical functionalities and website security, the legal basis is the legitimate interest (Article 8(1)(f) of the Law). For all non-essential cookies (e.g. analytics that are not strictly necessary), the legal basis is consent (Article 8(1)(a) of the Law), which may be withdrawn through cookie settings.

Retention periods:

Data processed via the website and cookies are retained in accordance with the purpose of processing and the principle of data minimization. Technical data and log records necessary for the functioning, stability, and security of the website are retained for a short period, i.e. only as long as necessary to identify and resolve technical issues or security incidents, and at most within the timeframes defined by the technical and security practices of the hosting provider. Cookies necessary for the functioning of the website are stored for the duration of the session or for a shorter period required for their technical purpose. Non-essential cookies (e.g. analytical cookies) are stored in accordance with their purpose and the periods defined in the Cookie Policy, and their use is based on the user’s consent. Consent may be withdrawn at any time, after which such cookies are deleted. Data voluntarily provided by users through the website are retained strictly in accordance with the purpose for which they were provided and within the retention periods applicable to the relevant processing activity (e.g. potential clients).

For more information on cookies and similar technologies used on our website, please refer to the Cookie Policy.

Newsletter

The firm processes personal data in connection with the distribution of newsletters and other professional updates for the purpose of informing interested parties about topics of professional and business relevance. The newsletter is primarily intended for legal entities; however, for this purpose, personal data of contact persons employed by such legal entities are processed, as well as data of other individuals who have voluntarily subscribed to receive such communications. Processing of data for newsletter purposes is carried out transparently, in a limited scope, and exclusively for informational purposes, without automated decision-making or profiling. Below is a description of the categories of personal data processed, the purposes of processing, and the retention periods.

Categories of personal data processed:

  • email address,
  • name of the legal entity or organization,
  • data on consent to receive the newsletter,
  • data on withdrawal of consent or unsubscription,
  • technical data related to the distribution of newsletters (e.g. delivery status).

Purpose of processing:

The firm processes contact data for the purpose of sending professional notifications, news, and information of professional relevance (newsletter), maintaining professional communication, and informing interested parties about relevant topics.

Legal basis:

The primary legal basis is consent (Article 8(1)(a) of the Law), particularly where regular email communications are not strictly necessary for contract performance. In limited B2B contexts (existing business relationship and reasonable expectation of the recipient), the processing may also be based on legitimate interest (Article 8(1)(f) of the Law), while the firm in any case ensures a clear possibility to unsubscribe from the mailing list.

Retention periods:

Personal data processed for newsletter purposes are retained for as long as the recipient’s consent remains valid, i.e. until consent is withdrawn or the user unsubscribes. In the event of withdrawal of consent or unsubscription, the email address is deleted or permanently blocked from further processing for newsletter purposes, except for the minimum data necessary to demonstrate that consent has been withdrawn and that communications are no longer being sent, which constitutes a legitimate interest of the firm. Technical logs and records related to newsletter distribution are retained for a short period, solely for troubleshooting, statistical reporting of delivery, and demonstrating compliance with data protection regulations.

Billing and payment of services

As part of service provision, the firm processes personal data for the purpose of issuing invoices, calculating and collecting fees for services rendered, maintaining accounting records, and fulfilling obligations under tax and accounting regulations. Such processing is necessary for the lawful operation of the firm and the proper performance of contractual obligations towards clients. Data are processed exclusively for financial and accounting purposes, without automated decision-making or profiling, and in accordance with the principles of lawfulness, data minimization, and storage limitation. Below are the categories of personal data processed for these purposes, the purposes of processing, the applicable legal basis, and the retention periods.

Categories of personal data processed:

  • full name of the client or contact person,
  • residential address or registered office,
  • contact phone number,
  • email address,
  • legally required identification data (e.g. tax ID or other identifiers where applicable),
  • data on services provided,
  • amounts, currencies, and payment deadlines,
  • data on payment methods,
  • data on payments made and outstanding balances,
  • data contained in invoices, proforma invoices, and related financial documentation,
  • data on communication related to debt collection.

Purpose of processing:

The firm processes personal data for issuing invoices, calculating service fees, collecting payments, recording transactions, maintaining accounting records, and complying with tax and accounting regulations.

Legal basis:

Processing is based on the performance of a contract (Article 8(1)(b) of the Law) and on compliance with a legal obligation (Article 8(1)(c) of the Law) regarding mandatory retention of financial documentation and compliance with tax, accounting, and other applicable regulations. In cases of enforcement or disputes, the legal basis may also include legitimate interest (Article 8(1)(f) of the Law) for the protection of property rights.

Retention periods:

Personal data processed for billing and payment purposes are retained in accordance with tax and accounting regulations of Republika Srpska and Bosnia and Herzegovina, which generally require retention for at least 10 years from the end of the financial year to which the documentation relates. In addition to statutory periods, certain data may be retained beyond this period where necessary for the protection of the firm’s legal and property interests, particularly in relation to claims, disputes, or enforcement proceedings, taking into account the general limitation periods under the Law on Obligations. Data on payments, debts, and communication related to collection are retained as part of financial documentation and follow the same retention periods.

Suppliers and business partners

Within the framework of business cooperation, the firm processes personal data of suppliers and business partners, namely their contact persons, solely for the purpose of establishing and performing contractual and business relationships. Processing is carried out in a limited scope and in accordance with applicable personal data protection regulations.

Categories of personal data processed:

  • full name of the contact person at the supplier or business partner,
  • position or job title of the contact person,
  • contact phone number,
  • email address,
  • name, registered office, and identification data of the supplier or business partner,
  • data on authorization for representation and signing,
  • data contained in contracts and business documentation,
  • data on communication related to business cooperation,
  • data required for invoicing and payments (bank and payment details),
  • data contained in invoices, bills, and supporting documentation.

Purpose of processing:

The firm processes data of suppliers and business partners (primarily contact persons) for the purposes of negotiation, conclusion and performance of contracts, communication, organization of delivery of goods/services, payments and financial settlement, as well as for maintaining business records and fulfilling legal obligations.

Legal basis:

Processing is based on the performance of a contract (Article 8(1)(b) of the Law) and on compliance with a legal obligation (Article 8(1)(c) of the Law) in relation to financial and accounting requirements. In addition, part of the processing (e.g. basic communication records and protection against disputes) may be based on legitimate interest (Article 8(1)(f) of the Law).

Retention periods:

Personal data of suppliers and business partners are retained for the duration of the contractual or business relationship, and after its termination for at least 5 years, taking into account the general limitation period for claims and the need to prove proper performance of contractual obligations. Financial and accounting documentation containing personal data is retained in accordance with tax and accounting regulations of Republika Srpska and Bosnia and Herzegovina, which generally require retention for at least 10 years. Data on communication and contractual relationships are retained as part of business documentation and follow the same retention periods.

Complaints and objections from clients

The firm processes personal data related to received complaints and objections from clients for the purposes of their registration, review, and resolution, as well as to improve the quality of services provided and to protect the rights and legal interests of both clients and the firm. Such processing enables the firm to investigate the allegations contained in a complaint or objection, take appropriate measures, and document the process and outcome. Processing is carried out strictly to the extent necessary to establish relevant facts and circumstances, maintain communication with the client, and record actions taken, in accordance with the principles of data minimization and confidentiality.

Categories of personal data processed:

  • full name of the complainant or person submitting the objection,
  • contact details (phone, email, address),
  • data on the relationship (case number, type of service, period of service provision),
  • content of the complaint or objection,
  • data on facts and circumstances related to the complaint,
  • data on communication with the complainant,
  • data on actions taken and progress of handling,
  • data on the outcome of the complaint or objection,
  • data on involved persons and authorities, where applicable,
  • special categories of personal data, exclusively where they arise from the content of the complaint and where permitted by law.

Purpose of processing:

The firm processes data for the receipt, registration, review, and resolution of client complaints and objections, conducting internal checks of allegations, communicating with the complainant, implementing service quality improvements, and documenting proper conduct and protecting legal interests.

Legal basis:

The legal basis is compliance with legal obligations applicable to service providers (Article 8(1)(c) of the Law), where applicable, as well as legitimate interest (Article 8(1)(f) of the Law) for the protection of the rights and interests of the firm and the client and for maintaining records of actions taken. Where a complaint is related to a dispute or anticipated legal claim, processing is necessary for the establishment, exercise, or defense of legal claims.

Retention periods:

Personal data processed in connection with complaints and objections are retained until the completion of the complaint or objection handling procedure, and thereafter for the period necessary to demonstrate proper conduct and protect the firm’s legal interests. After completion of the procedure, the documentation is retained for at least 5 years, and where necessary longer, taking into account the possibility of initiating court or other proceedings, as well as the general limitation period for claims of 10 years, where the nature of the matter requires it. If a complaint or objection is related to court or other proceedings, the data are retained in accordance with the retention periods applicable to the case files and proceedings to which they relate.

Data subject requests

The firm processes personal data in relation to data subject requests for the purpose of enabling individuals to exercise their rights under applicable data protection regulations. Such processing is carried out exclusively for receiving, registering, and lawfully handling submitted requests, in accordance with prescribed deadlines and data protection principles.

Categories of personal data processed:

  • full name of the data subject,
  • contact details (address, phone number, email),
  • data necessary for identification of the data subject,
  • data on the type and content of the request (access, rectification, erasure, restriction, portability, objection),
  • data relating to the personal data subject to the request,
  • data on communication with the data subject,
  • data on actions taken and decisions made,
  • data on deadlines and manner of handling the request,
  • data on possible complaints to the supervisory authority.

Purpose of processing:

The firm processes data of data subjects for the purpose of identifying the requester, registering the request, assessing its validity, preparing a response, taking action on the request, maintaining records of deadlines and responses, and demonstrating compliance with legal obligations.

Legal basis:

Processing is based on the legal obligation of the controller to enable and document the exercise of data subjects’ rights (Article 8(1)(c) of the Law).

Retention periods:

Personal data processed in relation to data subject requests are retained for as long as necessary to process the request and document compliance with the controller’s legal obligations. After completion of the request handling, documentation is retained for at least 5 years for the purpose of demonstrating lawful processing, compliance with deadlines, and fulfilment of obligations towards the supervisory authority. In cases where proceedings before a supervisory authority or a court are initiated following a request, the data are retained until the final conclusion of such proceedings, and thereafter for an additional period in accordance with the general limitation period of 10 years, where necessary for the protection of the firm’s legal interests.

Events, seminars, and professional gatherings

Within its professional and business activities, the firm may organize events, seminars, and professional conferences, as well as participate in events organized by third parties. In such cases, personal data of participants, speakers, and contact persons are processed solely for the purposes of organization, attendance records, and professional communication, in compliance with applicable data protection regulations.

Categories of personal data processed:

  • full name of participants, speakers, or panelists,
  • contact details (email address, phone number),
  • name of the organization or company the participant represents,
  • position, title, or profession,
  • data on event registration (date and method of registration),
  • data on attendance at the event,
  • data on role at the event (participant, speaker, moderator),
  • data on issued attendance certificates or certificates of completion,
  • data on communication related to event organization or participation,
  • technical data related to online events (e.g. platform access data), where applicable,
  • photographs or video recordings from events, where used and subject to appropriate notice and legal basis.

Purpose of processing:

Where the firm organizes events, seminars, or trainings, it processes participant data for registration, attendance tracking, logistics, distribution of materials and certificates, and communication related to the event.

Legal basis:

The legal basis may be the performance of a contract (Article 8(1)(b) of the Law) where participants enter into an organized relationship through registration. Where data are used for future communications about similar events, the legal basis is consent (Article 8(1)(a) of the Law).

Retention periods:

Personal data processed in connection with events, seminars, and professional gatherings are retained for the duration of the event and for the period immediately following its completion, as long as necessary for administrative closure, communication, and issuance of attendance certificates. Data on participation in events, including attendance records and issued certificates, are retained for as long as necessary to demonstrate professional development and the professional activities of both the firm and participants. Photographs and recordings from events, when used for informational or promotional purposes, are retained for as long as their purpose remains valid or until consent is withdrawn, after which they are deleted or no longer used.

Recipients of personal data – processors and other entities to whom data are disclosed

Within its business operations and in accordance with applicable regulations, the firm may transfer or make personal data available to certain categories of recipients, strictly to the extent necessary for achieving the purposes of processing and fulfilling legal and contractual obligations.

Personal data transfers are carried out with appropriate technical and organizational security measures, as well as in accordance with the principles of confidentiality and data minimization.

Transfers to processors are carried out exclusively on the basis of concluded data processing agreements or other legally binding instruments, which precisely define the subject matter and duration of processing, the nature and purpose of processing, the categories of personal data and data subjects, as well as the obligations and rights of the controller and the processor in accordance with applicable data protection laws.

Data processors

The firm engages certain external entities that process personal data on its behalf and under its instructions, acting as processors.

This includes in particular:

  • IT service providers, including maintenance of IT infrastructure, server systems, networks, and security solutions,
  • providers of software solutions and applications used in daily operations, including case management, documentation, and internal record-keeping systems,
  • hosting providers, cloud storage providers, and technical support services,
  • accounting and bookkeeping service providers processing data related to financial operations, calculations, and tax obligations,
  • providers of email services and other business communication tools used within the firm’s operations.

All processors are engaged on the basis of appropriate agreements or other legally binding instruments regulating the processing of personal data in accordance with applicable data protection laws, including the obligation to act solely on documented instructions of the firm, the obligation of confidentiality, and the implementation of appropriate security measures.

For a detailed and up-to-date list of processors to whom the firm transfers personal data, data subjects may contact the data controller or the Data Protection Officer using the contact details provided. In accordance with applicable data protection laws, the firm will provide the requested information while ensuring the protection of confidential business information and adherence to the principle of transparency.

Other recipients of personal data

In addition to processors, personal data may be disclosed or made available to other categories of recipients where necessary for the performance of contractual obligations, compliance with legal requirements, or protection of legal interests. This includes in particular:

  • courts of all jurisdictions, within judicial and enforcement proceedings,
  • prosecution offices and other law enforcement authorities,
  • administrative authorities and other public bodies, where required by law or necessary for the exercise of rights and obligations,
  • notaries, bailiffs, experts, and other authorized persons involved in proceedings,
  • banks and other financial institutions, in connection with payment transactions, debt collection, and execution of financial obligations,
  • tax authorities and other competent bodies in relation to tax and accounting obligations,
  • business partners and suppliers, to the extent necessary for contract performance or service delivery,
  • organizers of events, seminars, and professional gatherings, where the firm participates in such activities.

Transfer of data to other countries

In certain cases, personal data may be transferred or made available to recipients in other countries, particularly when using international IT services, cloud solutions, or platforms for online communication and events. In such situations, the firm ensures that the transfer is carried out in accordance with applicable law, using appropriate safeguards, including contractual clauses and other data protection mechanisms required by applicable regulations.

Restrictions on data transfers

The firm does not sell personal data or make them available to third parties for purposes not consistent with the stated purposes of processing. All data transfers are limited to the minimum necessary to achieve the specific purpose, and access to data is granted only to authorized persons who are bound by confidentiality obligations.

Technical and organizational measures for the protection of personal data

The firm applies appropriate technical and organizational measures to ensure the integrity, confidentiality, availability, and resilience of its processing systems, in accordance with applicable personal data protection regulations in Bosnia and Herzegovina, relevant subordinate legislation, GDPR standards, as well as the rules and obligations arising from the legal profession.

Security measures are determined taking into account the nature and sensitivity of the personal data processed, the scope and purposes of processing, the context in which processing is carried out, and the potential risks to the rights and freedoms of data subjects. Special attention is given to data processed in the context of legal services, considering their inherently sensitive and confidential nature.

Organizational measures and governance of processing

The firm has established a clear organizational framework for personal data protection, defining responsibilities, authorizations, and procedures related to data processing. Personal data processing is permitted exclusively to authorized persons, in accordance with the “need-to-know” principle, and only to the extent necessary for the performance of specific professional and business tasks.

All persons who, within the firm, have access to personal data are bound by confidentiality obligations, both under data protection regulations and under the duty of attorney-client privilege, which represents one of the fundamental principles of the legal profession. The obligation to maintain legal professional privilege applies to all information and data obtained in the course of providing legal services, without time limitation and regardless of the form in which the data are stored.

The firm implements internal procedures and rules governing the handling of personal data, including collection, use, disclosure, storage, archiving, and deletion of data.

Access control and authorization management

Access to personal data is managed through an access control system ensuring that each user has individual and personalized access rights. The scope of access is strictly limited and tailored to the role and responsibilities of each individual.

Access rights are regularly reviewed, and access is revoked or further restricted in cases of changes in job responsibilities, termination of cooperation, or when there is no longer a need to process specific data. Particular attention is given to preventing unauthorized access to data, both internally and externally.

Technical information security measures

Personal data processed in electronic form are protected through the application of modern technical security measures. These measures include, among others, password protection of information systems, user account control, restriction of access to networks and systems, as well as regular updates of software and operating systems.

Measures are implemented to protect against data loss, unauthorized access, misuse, alteration, or destruction of data, including antivirus and other security solutions, as well as mechanisms for creating backup copies of data where applicable. Backup copies are stored in a manner that ensures data availability in the event of technical issues or incidents.

Physical security and premises protection

Personal data in physical form are stored in locked offices, cabinets, or archive rooms with controlled access. Access to the firm’s premises is restricted to authorized persons, and additional physical security measures are implemented to protect documentation and equipment.

A video surveillance system is installed at the firm’s headquarters for the purpose of protecting persons and property, in accordance with applicable regulations, with clearly marked monitored areas and strict adherence to data protection principles, primarily data minimization and storage limitation.

Engagement of processors and third parties

When the firm engages external data processors, it ensures that processing is carried out solely on the basis of concluded data processing agreements or other legally binding instruments. These instruments precisely define the obligations of processors regarding confidentiality, security, compliance with the firm’s instructions, and the prohibition of unauthorized further disclosure of data.

The firm ensures that processors apply a level of protection comparable to the standards applied by the firm itself, particularly considering the sensitivity of data covered by attorney-client privilege.

Handling of personal data breaches

The firm has established internal procedures for identifying, reporting, recording, and managing personal data breaches, in accordance with applicable data protection laws and relevant subordinate legislation. These procedures ensure timely response in the event of a suspected or confirmed breach, with the aim of limiting adverse effects and protecting the rights and freedoms of data subjects.

In the event of a personal data breach, the firm promptly takes appropriate technical and organizational measures to contain the incident, assess its scope and impact, determine its cause, and prevent recurrence. Each breach is recorded in a dedicated register, including documentation of the circumstances of the breach, the measures taken, and the outcome of the response.

The firm has adopted an Internal Rulebook on the Procedure for Exercising Data Subjects’ Rights, which regulates the handling of data subject requests, internal responsibilities, and communication regarding the exercise of rights, as well as procedures in situations where a personal data breach is related to the exercise or protection of data subject rights.

In accordance with applicable regulations, the firm notifies the competent supervisory authority of a personal data breach where required by law, as well as data subjects whose rights and freedoms are affected, where there is a high risk to their rights.

Breach management is carried out in accordance with the principles of transparency, proportionality, and confidentiality, and with special standards of protection arising from the obligation of attorney-client privilege.

Continuous improvement and professional standards

Technical and organizational measures for the protection of personal data are regularly reviewed and improved, taking into account changes in the legal framework, technological developments, and the firm’s business processes. A special standard of data protection arises from the obligation to maintain attorney-client privilege, which represents a permanent and fundamental guarantee of confidentiality for data processed in the course of providing legal services.

Integration with other tools and social media

Google Maps integration

The firm’s website includes an integrated Google Maps service for displaying the location of the firm’s headquarters and facilitating access for visitors. Google Maps is a service provided by a third party, Google LLC or, depending on the user’s location, Google Ireland Limited.

When visiting the website and loading a page containing Google Maps integration, certain data may be automatically transmitted to Google, such as IP address, technical information about the device and browser, date and time of access, as well as usage data related to the service. This processing is carried out in accordance with Google’s privacy policies, and the firm has no control over further processing of data by Google.

The use of Google Maps integration serves solely to provide website functionality and to inform users about the location of the firm’s headquarters. The legal basis for this processing is the legitimate interest of the firm, namely its interest in providing users with a convenient location display and easier access to information.

The firm recommends that visitors review Google’s privacy policy before using this functionality. It should also be noted that the use of this service may involve the transfer of data to other countries, in accordance with Google’s internal policies and applicable data protection mechanisms.

Links to the firm’s social media profiles (Facebook, YouTube, LinkedIn)

The firm’s website contains links to its official social media profiles, including Facebook, YouTube, and LinkedIn. These links are provided for informational purposes, allowing users to learn more about the firm’s presence on social media and to visit those platforms if they choose to do so.

By clicking on a social media link, the user is redirected to a third-party website. From that moment onward, the processing of personal data is carried out in accordance with the privacy policies and terms of use of the respective platform. The firm has no control over the processing of personal data performed by these platforms, including any collection of user data, placement of cookies, tracking of user activity, or processing for marketing purposes.

The firm does not automatically transmit personal data to social networks solely by providing links on its website. However, certain technical data (e.g. IP address) may be processed by the social media provider once the user accesses the platform after clicking the link, particularly if the user is already logged into their account on that social network.

Users are advised to review the privacy policies and privacy settings of social media platforms before using them in order to understand how their personal data is processed.

Your rights

As data subjects, you have rights guaranteed by applicable personal data protection regulations in relation to the processing of your personal data. The firm respects these rights and ensures their exercise in accordance with the law, applying appropriate procedures that enable transparent and timely handling of data subject requests.

Transparent information, communication and exercise of data subject rights

We take appropriate measures to provide all information regarding the processing of personal data and all forms of communication related to the exercise of rights under the Law in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Right of access

The data subject has the right to obtain confirmation as to whether the firm processes their personal data and, where that is the case, to access the personal data and obtain information regarding:

  • the purpose of processing,
  • the categories of personal data being processed,
  • the recipient or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
  • the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period,
  • the right to request from the firm rectification or erasure of personal data or restriction of processing of personal data relating to the data subject, or the right to object to such processing,
  • the right to lodge a complaint with the competent authority or file a lawsuit with a competent court,
  • where the personal data are not collected from the data subject, any available information as to their source,
  • the existence of automated decision-making, including profiling.

Where personal data are transferred to a third country or international organisation, the data subject has the right to be informed of the appropriate safeguards.

Right to rectification and completion of data

The data subject has the right to obtain from the firm the rectification of inaccurate personal data concerning them without undue delay.

Taking into account the purposes of processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.

Right to erasure

The data subject has the right to obtain from the firm the erasure of personal data concerning them, and the firm has the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • the data subject has withdrawn consent on which the processing is based and there is no other legal ground for processing,
  • the data subject has objected to processing and there are no overriding legitimate grounds for processing, or the data subject has objected to processing for direct marketing purposes,
  • the personal data have been unlawfully processed,
  • the personal data must be erased for compliance with a legal obligation to which the firm is subject,
  • the personal data have been collected in relation to the offer of information society services to a child under 16 years of age.

However, the right to erasure does not apply where processing is necessary:

  • for exercising the right of freedom of expression and information,
  • for compliance with a legal obligation requiring processing under applicable law to which the firm is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority,
  • for reasons of public interest in the area of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the exercise of the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the establishment, exercise or defence of legal claims.

Right to restriction of processing

The data subject has the right to obtain restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the firm to verify the accuracy of the personal data,

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,

c) the firm no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,

d) the data subject has objected to processing pending the verification whether the legitimate grounds of the firm override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest.

Right to data portability

The data subject has the right to receive the personal data concerning them, which they have provided to the firm, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the firm, where the processing is based on the data subject’s consent or on a contract, and the processing is carried out by automated means.

Right not to be subject to a decision based solely on automated processing, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

However, this right shall not apply where the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and the firm,
  • is authorised by law applicable to the firm and which also provides appropriate safeguards for the rights, freedoms and legitimate interests of the data subject, or
  • is based on the explicit consent of the data subject.

Right to withdraw consent

The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Before giving consent, the data subject is informed accordingly. Withdrawal of consent is as easy as giving consent and may be exercised via the firm’s contact details as the data controller, as well as via the contact details of the Data Protection Officer.

Right to object to the firm

The data subject has the right, in cases provided by law, to submit an objection to the firm at any time regarding the processing of their personal data where they believe that the processing is carried out in violation of applicable regulations or where there are grounds relating to their particular situation. The objection may be submitted via the firm’s contact details as the data controller or by contacting the Data Protection Officer.

Upon receipt of the objection, the firm will review it without undue delay and act in accordance with applicable regulations and adopted internal procedures, including the Procedure on the Exercise of Data Subjects’ Rights. The data subject will be informed of the outcome within the legally prescribed timeframe.

Right to lodge a complaint with the Personal Data Protection Agency

The data subject has the right to lodge a complaint with the Personal Data Protection Agency of Bosnia and Herzegovina if they consider that the processing of personal data violates the Law, without prejudice to other administrative or judicial remedies.
Contact details of the Personal Data Protection Agency of Bosnia and Herzegovina:
Address: Dubrovačka 6, Sarajevo
Phone: +387 33 726 250
Email: [email protected]
Fax: +387 33 726 251

Right to judicial protection

A data subject who considers that they have suffered material or non-material damage due to a violation of the Law has the right to compensation for the damage suffered and may file a lawsuit before the competent court.

Exercise of rights

Access to personal data, as well as the exercise of data subject rights, is generally free of charge. However, where a request is manifestly unfounded, repetitive, or excessive, the firm reserves the right to charge a reasonable fee for handling such a request or, in exceptional cases, to refuse to act on the request, in accordance with applicable regulations.

The handling of data subject requests, including requests for access, rectification, erasure, restriction of processing and objections, is carried out in accordance with the adopted Procedure on the Exercise of Data Subjects’ Rights, which regulates the method of handling, deadlines and responsibilities related to the exercise of these rights. The firm shall decide on submitted requests and objections within 30 days of receipt, unless applicable regulations provide otherwise.

Automated decision-making

The firm does not carry out automated decision-making, including profiling, within the meaning of applicable personal data protection regulations. All decisions that produce legal effects concerning data subjects, or that similarly significantly affect them, are made by authorised persons based on individual assessment and without exclusive reliance on automated processing of personal data.

Personal data processed within the firm’s operations are not used for automated profiling of data subjects for the purpose of analysing or predicting their behaviour, personal preferences, economic situation, or other characteristics. The firm does not apply automated systems for decision-making that would produce legal or similarly significant effects on data subjects.

Additional information and updates

Additional information

The firm strives to process personal data in a transparent manner and in accordance with applicable personal data protection regulations, respecting the principles of lawfulness, fairness, data minimisation, and storage limitation.

These Privacy Policy provisions are intended to provide general information on how the firm processes personal data; however, they cannot cover all possible processing situations that may arise within individual business relationships or specific activities.

If you have additional questions regarding the processing of personal data, require further clarification, or consider that certain information is not sufficiently clear, you may contact the firm via the data controller’s contact details or the Data Protection Officer. The firm will, in accordance with applicable regulations, endeavour to provide clear and understandable information.

These Privacy Policy provisions do not affect the application of other internal acts of the firm governing specific matters related to personal data processing, including internal procedures and regulations.

In the event of any inconsistency between these Privacy Policy provisions and binding personal data protection regulations, the provisions of the applicable regulations shall prevail.

Updates to the Privacy Notice

The firm reserves the right to periodically update this Privacy Notice in accordance with applicable regulations and changes in the manner of personal data processing. Amendments may be necessary, in particular in the event of changes in legislation, the introduction of new processing activities, modifications of existing business processes, or improvements in personal data protection measures.

Any changes to this Privacy Notice will be published in an appropriate manner, including the publication of an updated version on the firm’s website or by other suitable means, depending on the nature of the change. Data subjects are encouraged to periodically review the Privacy Notice in order to stay informed about any updates.

How can you contact us regarding this Privacy Notice?

If you have any questions, comments, or complaints regarding the content of this Privacy Notice or the way we process your data, you may contact us via the data controller’s contact details:

Email: [email protected]
Phone: +387 51 227 620

For data protection-related inquiries, you may also contact our Data Protection Officer:

Email: [email protected]
Phone: +387 51 227 627

You may also contact us by post at the following address: Bulevar vojvode Živojina Mišića 49b, 78000 Banja Luka

This notice enters into force on 22 January 2026 and will be updated as necessary.

Last updated: January 2026