This document is an excerpt from the EUR-Lex website
Document 52024PC0298
Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
COM/2024/298 final
EUROPEAN COMMISSION
Brussels, 16.7.2024
COM(2024) 298 final
2024/0166(NLE)
Proposal for a
COUNCIL DECISION
on the signing, on behalf of the European Union, of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
EXPLANATORY MEMORANDUM
The present proposal concerns the signature of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters (hereafter “the Agreement”).
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
The European Union Agency for Criminal Justice Cooperation (Eurojust) coordinates investigations and prosecutions of serious cross-border crime in Europe and beyond. As the European Union’s (EU) hub for judicial cooperation in criminal matters, Eurojust supports national investigating and prosecuting authorities.
In a globalised world, the need for cooperation between judicial authorities involved in the investigation and prosecution of serious crimes does not stop at Union borders. With the increase of cross-border crime, it is crucial to obtain information from outside one’s jurisdiction. Therefore, Eurojust should be able to cooperate closely and exchange personal data with judicial authorities of selected third countries to the extent necessary for the accomplishment of its tasks within the framework of the requirements set out in Regulation (EU) 2018/1727 1 (hereafter “Eurojust Regulation”). At the same time, it is important to ensure that adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals are in place for the protection of personal data.
Eurojust can exchange operational personal data with third countries where one of the requirements set out in Article 56(2), points (a) to (c), of the Eurojust Regulation is met:
·The Commission has decided pursuant to Article 57 that the third country or international organisation in question ensures an adequate level of protection, or in the absence of such an adequacy decision, appropriate safeguards have been provided for or exist in accordance with Article 58(1), or in the absence of both an adequacy decision and of such appropriate safeguards, a derogation for specific situations applies pursuant to Article 59(1);
·a cooperation agreement allowing for the exchange of operational personal data has been concluded before 12 December 2019 between Eurojust and the third country or international organisation, in accordance with Article 26a of Decision 2002/187/JHA 2 ; or
·an international agreement has been concluded between the Union and the third country or international organisation pursuant to Article 218 of the Treaty on the Functioning of the European Union (TFEU), that provides for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.
At present, Eurojust has cooperation agreements based on Article 26a of Decision 2002/187/JHA, which allow for exchanges of personal data, in place with Montenegro, Ukraine, Moldova, Liechtenstein, Switzerland, North Macedonia, the USA, Iceland, Norway, Georgia, Albania and Serbia. Under Article 80(5) of the Eurojust Regulation these cooperation agreements remain valid.
Since the entry into application of the Eurojust Regulation on 12 December 2019 and pursuant to the Treaties, the Commission is responsible, on behalf of the Union, for negotiating international agreements with third countries for the cooperation and exchange of personal data with Eurojust. In so far as necessary for the performance of its tasks, in line with Chapter V of the Eurojust Regulation, Eurojust may establish and maintain cooperative relations with external partners through working arrangements. However, these cannot by themselves be a legal basis for the exchange of personal data.
In order to strengthen the judicial cooperation between Eurojust and selected third countries, the Commission adopted a Recommendation for a Council Decision authorising the opening of negotiations for Agreements between the European Union and Algeria, Armenia, Bosnia and Herzegovina, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey on cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the competent authorities for judicial cooperation in criminal matters of those third States 3 .
The Council granted that authorisation on 1 March 2021 and adopted a set of negotiating directives and appointed a special committee to assist the Council in this task 4 .
In June 2023, the Council of Ministers of Bosnia and Herzegovina endorsed opening negotiations with the European Commission for an international Agreement on cooperation with Eurojust. The first round of negotiations took place on 25 October 2023 with a follow-up meeting on 13 December 2023. The negotiators reached a preliminary agreement on 16 January 2024. The EU Member States approved the text in the Council Working Group on technical level on 22 March 2024 with a few amendments. Bosnia and Herzegovina gave its final agreement on 10 April 2024. [The chief negotiators initialled the draft text of the Agreement in xx.xx.xxxx].
Before the agreement enters into force, Bosnia and Herzegovina is required to adopt a new law on personal data protection, in line with the EU acquis, and to ensure the necessary operational capacity and independence of the Personal Data Protection Agency.
•Consistency with existing policy provisions in the policy area
The Agreement was negotiated taking into account the comprehensive negotiating directives adopted by the Council together with the authorisation to negotiate on 1 March 2021. The present Agreement is also consistent with existing Union policy in the area of judicial cooperation.
In recent years, progress was made to improve the exchange of information cooperation between Member States and between Union agencies and third countries. Regulation (EU) 2023/2131 amending Regulation (EU) 2018/1727 and Council Decision 2005/671/JHA, as regards the digital information exchange in terrorism cases, 5 strengthens the framework for cooperation with third countries on the side of Eurojust by providing for a solid legal basis for the secondment of a third country liaison prosecutor to Eurojust and the cooperation with Eurojust.
Also, Regulation (EU) 2022/838 amending Regulation (EU) 2018/1727, as regards the collection, preservation and analysis of evidence relating to genocide, crimes against humanity and war crimes at Eurojust 6 , has a strong nexus to third countries. Both legislative acts underline the importance of close cooperation with third countries to investigate and prosecute serious crimes.
•Consistency with other Union policies
The proposal is also consistent with other Union policies.
In December 2022, the European Council granted Bosnia and Herzegovina the status of candidate country. In December 2023, the European Council decided it will open accession negotiations with Bosnia and Herzegovina, once the necessary degree of compliance with the membership criteria is achieved. On 12 March 2024, the European Commission recommended opening accession negotiations with Bosnia and Herzegovina 7 , noting that the adoption of the new law on personal data protection is a precondition for the implementation of the international agreement on cooperation with Eurojust, and recommending the strengthening of cooperation among law enforcement agencies and the adoption of a strategic approach towards fighting serious and organised crime in Bosnia and Herzegovina. On 21 March 2024, the European Council decided to open accession negotiations with Bosnia and Herzegovina and invited the European Commission to prepare the negotiating framework with a view to its adoption by the Council, once all relevant steps in the Commission’s recommendation of 12 October 2022 are taken.
The Joint Action Plan on Counterterrorism for the Western Balkans, signed on 19 November 2019, requires Bosnia and Herzegovina to make sure it has in place the data protection standards necessary for the conclusion of an international agreement on cooperation with Eurojust, and subsequently to ensure an effective engagement in judicial cooperation and information exchange for multilateral counter-terrorism cases coordinated by Eurojust, as well as Eurojust activities related to counter-terrorism in general.
Existing Commission strategic documents underpin the necessity of improving the efficiency and effectiveness of law enforcement and judicial cooperation in the European Union (EU), as well as of expanding the cooperation with third countries. These include, among others, the Security Union Strategy 8 , the Counter-Terrorism Agenda for the EU 9 , and the EU Strategy to tackle organised crime 10 .
In line with these strategic documents, international cooperation has also been enhanced in the area of law enforcement. Based on the authorisation by the Council 11 , the Commission has negotiated an Agreement with New Zealand on the exchange of personal data with the European Union Agency for Law Enforcement Cooperation (Europol).
At the same time, it is crucial that judicial cooperation with third states is fully in line with the fundamental rights enshrined in the EU Treaties and in the Charter of Fundamental Rights of the European Union.
One particularly important set of safeguards, notably those included in Chapter II of the Agreement, concerns the protection of personal data, which in the EU is a fundamental right. In accordance with Article 56(2), point (c), of the Eurojust Regulation, Eurojust may transfer personal data to an authority of a third country based on an international agreement concluded between the Union and that third country pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.
Chapter II of the Agreement provides for such safeguards, including in particular provisions ensuring a number of data protection principles and obligations that must be respected by both Parties (Articles 10ff.) as well as provisions ensuring enforceable individual rights (Article 14ff.), independent supervision (Article 21) and effective administrative and judicial redress for violations of the rights and safeguards recognised in the Agreement resulting from the processing of personal data (Article 22).
It is necessary to strike a balance between enhancing security and safeguarding human rights, including data and privacy. The Commission ensured that the Agreement provides a legal basis for the exchange of personal data for judicial cooperation in criminal matters while providing for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
Article 218(5) of the Treaty on the Functioning of the European Union (TFEU) provides for decisions ‘authorising the signing of the agreement and, if necessary, its provisional application before entry into force.’ Since the proposal’s aim is to receive an authorisation to sign the Agreement, the procedural legal basis is Article 218(5) TFEU.
The substantive legal basis depends primarily on the objective and content of the envisaged act. If the envisaged act pursues two aims or has two components and if one of those aims or components is identifiable as the main one, whereas the other is merely incidental, a legal act must be founded on a single substantive legal basis, namely that required by the main or predominant aim or component. The proposal has two main aims and components, namely the cooperation between Eurojust and Bosnia and Herzegovina in criminal matters as well as the establishing adequate safeguards with respect to the protection of privacy and other fundamental rights and freedoms of individuals for this cooperation. Thus, the substantive legal basis needs to be Article 16(2) and Article 85 TFEU.
Therefore, this proposal is based on Article 16(2) and Article 85 TFEU in conjunction with Article 218(5) TFEU.
•Subsidiarity (for non-exclusive competence)
The Eurojust Regulation lays down specific rules regarding transfers of personal data by Eurojust outside of the European Union. Article 56(2) thereof lists situations where Eurojust can lawfully transfer personal data to judicial authorities of third countries. It follows from the provision that for structural transfers of personal data by Eurojust to Bosnia and Herzegovina the conclusion of a binding international agreement between the European Union and Bosnia and Herzegovina, adducing adequate safeguards with respect to the protection of privacy and other fundamental rights and freedoms of individuals is required. In accordance with Article 3(2) TFEU, the Agreement thus falls within the exclusive external competence of the Union. Therefore, this proposal is not subject to subsidiarity check.
•Proportionality
The Union’s objectives with regard to this proposal as set out above can only be achieved by entering into a binding international agreement providing for the necessary cooperation measures, while ensuring appropriate protection of fundamental rights. The provisions of the agreement are limited to what is necessary to achieve its main objectives. Unilateral action of the Member States towards Bosnia and Herzegovina does not represent an alternative, as Eurojust has a unique role. Unilateral action would also not provide a sufficient basis for judicial cooperation between Eurojust and third countries and would not ensure the necessary protection of fundamental rights.
•Choice of the instrument
In accordance with Article 56 of the Eurojust Regulation, in the absence of an adequacy finding Eurojust may engage in the structural transfer of operational personal data to a third country only based on an international agreement pursuant to Article 218 TFEU that provides for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals (Article 56(2)(c)). In accordance with Article 218(5) TFEU, the signing of such an agreement is authorised by a decision of the Council.
3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
•Ex-post evaluations/fitness checks of existing legislation
Not applicable.
•Stakeholder consultations
Not applicable.
•Collection and use of expertise
In the process of the negotiation, the Commission did not use external expertise.
•Impact assessment
Not applicable.
•Regulatory fitness and simplification
Not applicable.
•Fundamental rights
The exchange of personal data and its processing by the authorities of a third country constitutes an interference with the fundamental rights to privacy and data protection. However, the Agreement ensures the necessity and proportionality of any such interference by guaranteeing the application of adequate data protection safeguards to the personal data transferred, in line with EU law.
Chapter II provides for the protection of personal data. On that basis, Articles 9 to 20 set out fundamental data protection principles, including purpose limitation, data quality and rules applicable to the processing of special categories of data, obligations applicable to controllers, including on retention, keeping of records, security and as regards onward transfers, enforceable individual rights, including on access, rectification and automated decision-making, independent and effective supervision as well as administrative and judicial redress.
The safeguards cover all forms of processing of personal data in the context of the cooperation between Eurojust and Bosnia and Herzegovina. The exercise of certain individual rights can be delayed, limited or refused where necessary and proportionate, taking into account the fundamental rights and interests of the data subject, on important public interest grounds, in particular to prevent risks to an ongoing criminal investigation or prosecution. This is in line with Union law.
Also, both the European Union and Bosnia and Herzegovina will ensure that an independent public authority responsible for data protection (supervisory authority) oversees matters affecting the privacy of individuals in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data under the Agreement.
In accordance with Article 29(3) of the Agreement, the Agreement shall not apply until both parties have notified each other of the fulfilment of the obligations contained in the Agreement, including those related to the protection of personal data, and this notification has been accepted. In addition to that, and to further strengthen the safeguards for the protection of personal data, article 29(4) of the Agreement states that a Party may postpone the transfer of personal data for as long as the other Party has not provided for in law and implemented the safeguards and obligations contained in Chapter II of the Agreement (Information exchange and data protection).
Furthermore, the Agreement guarantees that the exchange of personal data between Eurojust and Bosnia and Herzegovina is consistent with both the principle of non-discrimination and Article 52(1) of the Charter, which ensure that interferences with fundamental rights guaranteed under the Charter are limited to what is strictly necessary to genuinely meet the objectives of general interest pursued, subject to the principle of proportionality.
4.BUDGETARY IMPLICATIONS
There are no budgetary implications for the Union budget.
5.OTHER ELEMENTS
•Implementation plans and monitoring, evaluation and reporting arrangements
There is no need for an implementation plan, as the Agreement will enter into force on the first day of the second month following the month during which both Parties have notified each other that the respective procedures have been completed.
With regard to monitoring, the European Union and Bosnia and Herzegovina shall jointly review the implementation of the Agreement one year after the date of entry into application, and at regular intervals thereafter, and additionally if requested by either Party and jointly decided. Moreover, the Parties shall jointly evaluate the Agreement four years after the date of entry into application.
•Detailed explanation of the specific provisions of the proposal
Article 1 includes the objectives of the Agreement.
Article 2 defines the scope of the cooperation.
Article 3 includes the definitions of important terms of the Agreement.
Article 4 establishes the obligation of Bosnia and Herzegovina to designate at least one contact point within its domestic competent authorities, who cannot be identical to the Liaison Prosecutor. A contact point shall be designated also for terrorism matters.
Article 5 provides for the secondment of the Liaison Prosecutor to Eurojust.
Article 6 provides for the conditions for the participation of representatives of Bosnia and Herzegovina in operational and strategic meetings at Eurojust.
Article 7 provides that Eurojust may assist Bosnia and Herzegovina to establish Joint Investigation Teams and may be requested to provide financial or technical assistance.
Article 8 provides for the option of Eurojust to post a Liaison Magistrate to Bosnia and Herzegovina.
Article 9 sets out the purposes of data processing under the Agreement.
Article 10 lists the general data protection principles applicable under the Agreement.
Article 11 guarantees additional safeguards for the processing of special categories of personal data and different categories of data subject.
Article 12 limits fully automated decision-making using personal data transferred under the Agreement.
Article 13 restricts the onward transfer of the personal data received.
Article 14 provides for the right of access, including to obtain confirmation on whether personal data relating to the data subject are processed under the Agreement as well as essential information on the processing.
Article 15 provides for the right to rectification, erasure, and restriction of processing, under certain conditions.
Article 16 provides for the notification of a personal data breach affecting personal data transferred under the Agreement, ensuring that the respective competent authorities notify each other as well as their respective supervisory authority of such breach without delay, and to take measures to mitigate its possible adverse effects.
Article 17 provides for the communication to the data subject of a personal data breach likely to have a serious effect upon his or her rights and freedoms.
Article 18 includes rules as regards storage, review, correction and deletion of personal data.
Article 19 requires the keeping of logs of the collection, alteration, access, disclosure including onward transfers, combination and erasure of personal data.
Article 20 includes obligations regarding data security, ensuring the implementation of technical and organizational measures to protect personal data exchanged under this Agreement.
Article 21 requires effective supervision and enforcement of compliance with the safeguards set out in the Agreement, ensuring that there is an independent public authority responsible for data protection (supervisory authority) to oversee matters affecting the privacy of individuals, including the domestic rules relevant under the Agreement to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data.
Article 22 provides for administrative and judicial redress, ensuring that data subjects have the right to effective administrative and judicial redress for violations of the rights and safeguards recognized in the Agreement resulting from the processing of their personal data.
Article 23 provides that the exchange and protection of EU classified and sensitive non-classified information is regulated by a working arrangement on confidentiality concluded between Eurojust and the competent authorities of Bosnia and Herzegovina.
Article 24 provides for the responsibility of the competent authorities. E.g. the competent authorities shall be liable for any damage caused to an individual as a result of legal or factual errors in information exchanged.
Article 25 provides that, in principle, each Party shall bear its own expenses associated with the implementation of this Agreement.
Article 26 provides for the conclusion of a working arrangement between Eurojust and the competent authorities of Bosnia and Herzegovina.
Article 27 provides for the relation with other international instruments, ensuring that the Agreement will not prejudice or affect the legal provisions with regard to the exchange of information foreseen in any treaty, agreement, or arrangement between Bosnia and Herzegovina and any Member State of the European Union.
Article 28 provides for the notification of the implementation of the Agreement.
Article 29 provides for entry into force and application of the Agreement.
Article 30 provides for amendments to the Agreement.
Article 31 provides for the review and evaluation of the Agreement.
Article 32 provides for a settlement of disputes and suspension clause.
Article 33 includes provisions on the termination of the Agreement.
Article 34 provides for the way in which notifications in accordance with this Agreement are made.
Article 35 refers to the authentic texts.
2024/0166 (NLE)
Proposal for a
COUNCIL DECISION
on the signing, on behalf of the European Union, of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 85, in conjunction with Article 218(5) thereof,
Having regard to the proposal from the European Commission,
Whereas:
(1)Articles 47 and 52 of Regulation (EU) 2018/1727 of the European Parliament and of the Council 12 provide that Eurojust may establish and maintain cooperation with authorities of third countries based on a cooperation strategy.
(2)Article 56 of Regulation (EU) 2018/1727 of the European Parliament and of the Council also provides that Eurojust may transfer personal data to an authority of a third country inter alia based on an international agreement concluded between the Union and that third country pursuant to Article 218 of the Treaty on the Functioning of the European Union (TFEU), setting out adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.
(3)On 1 March 2021, the Council authorised the Commission to open negotiations with Bosnia and Herzegovina for an agreement on cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters.
(4)The negotiations on the Agreement between the European Union and Bosnia and Herzegovina on the cooperation between Eurojust and the competent authorities of Bosnia and Herzegovina for judicial cooperation in criminal matters (‘the Agreement’) were successfully finalised, at the level of the negotiation teams, in January 2024. After the Member States had approved the text on technical level on 22 March 2024, Bosnia and Herzegovina gave its final agreement on 10 April 2024. [The text of the Agreement was initialled on xx.xx.xxxx].
(5)The Agreement enables the transfer of personal data between Eurojust and the competent authorities of Bosnia and Herzegovina, with a view to fighting serious crime and terrorism and protecting the security of the Union and its citizens.
(6)The Agreement ensures full respect of the Charter of Fundamental Rights of the European Union, in particular the right to respect for private and family life, recognised in Article 7, the right to the protection of personal data, recognised in Article 8, and the right to an effective remedy and a fair trial recognised by Article 47. In particular, the Agreement includes adequate safeguards for the protection of personal data transferred by Eurojust under the Agreement.
(7)Ireland is bound by Regulation (EU) 2018/1727 and is therefore taking part in the adoption of this Decision.
(8)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(9)The European Data Protection Supervisor delivered its Opinion [xxx] on [xx.xx.xxxx].
(10)Therefore, the Agreement should be signed on behalf of the Union, subject to its conclusion at a later date,
(11)In accordance with the Treaties, it is for the Commission to ensure the signing of the Agreement, subject to its conclusion at a later date,
HAS ADOPTED THIS DECISION:
Article 1
The signing of the Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters (‘the Agreement’) is hereby approved on behalf of the Union, subject to the conclusion of the said Agreement.
The text of the Agreement to be signed is attached to this Decision.
.
Article 2
This Decision shall enter into force on the date of its adoption.
Done at Brussels,
For the Council
The President
EUROPEAN COMMISSION
Brussels, 16.7.2024
COM(2024) 298 final
ANNEX
to the Proposal for a
Council decision
on the signing, on behalf of the European Union, of an Agreement between the European Union and Bosnia and Herzegovina on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
ANNEX
(draft)
Agreement
between
the European Union and Bosnia and Herzegovina
on the cooperation between the European Union Agency for Criminal Justice Cooperation (Eurojust) and the authorities of Bosnia and Herzegovina competent for judicial cooperation in criminal matters
THE EUROPEAN UNION, hereinafter referred to as ‘the Union’,
and
BOSNIA AND HERZEGOVINA,
hereinafter jointly referred to as ‘the Parties’,
HAVING REGARD to Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust) and replacing and repealing Council Decision 2002/187/JHA 1 , “the Eurojust Regulation”, as applied in accordance with the Treaty on European Union and the Treaty on the Functioning of the European Union, in particular Article 47, Article 52 (1) and Article 56 (2) of the Eurojust Regulation,
HAVING REGARD, in particular, to Article 56 (2) point (c) of the Eurojust Regulation, which sets out the general principles for the transfer of personal data from Eurojust to third countries and international organisations, and pursuant to which Eurojust may transfer personal data to a third country based on an international agreement concluded between the Union and that third country pursuant to Article 218 of the Treaty on the Functioning of the European Union,
CONSIDERING the interests of both Eurojust and Bosnia and Herzegovina in developing a close and dynamic judicial cooperation in criminal matters to address the challenges posed by serious crime, in particular organised crime and terrorism, while ensuring appropriate safeguards with respect to fundamental rights and freedoms of individuals, including privacy and the protection of personal data,
CONVINCED that judicial cooperation between Eurojust and Bosnia and Herzegovina will be mutually beneficial and help develop the Union’s area of Freedom, Security and Justice,
CONSIDERING the high level of protection of personal data in the Union and Bosnia and Herzegovina, and that the principle of gender-neutrality should guide the implementation of this Agreement, namely that all statistical data collected, recorded and processed during the implementation of the Agreement should be gender-disaggregated,
NOTING that Bosnia and Herzegovina has ratified the Council of Europe Convention (ETS No. 108) for the Protection of Individuals with regard to Automatic Processing of Personal Data, done at Strasbourg on 28 January 1981 and its amending Protocol (CETS No. 223) done at Strasbourg on 10 October 2018, both of which play a fundamental role in the Eurojust data protection system,
RESPECTING the Council of Europe Convention (ETS No. 5) for the Protection of Human Rights and Fundamental Freedoms done at Rome on 4 November 1950, which is reflected in the Charter of Fundamental Rights of the European Union, and in the Constitution of Bosnia and Herzegovina,
HAVE AGREED AS FOLLOWS:
Chapter I
Objectives, scope and common provisions
Article 1
Objectives
1.The overall objective of this Agreement is to enhance judicial cooperation between Eurojust and the competent authorities of Bosnia and Herzegovina in combating serious crime.
2.This Agreement allows for the transfer of personal data between Eurojust and the competent authorities of Bosnia and Herzegovina, in order to support and strengthen the action by the competent authorities of the Member States of the Union and those of Bosnia and Herzegovina, as well as their cooperation in investigating and prosecuting serious crime, in particular organised crime and terrorism, while ensuring appropriate safeguards with respect to fundamental rights and freedoms of individuals, including privacy and the protection of personal data.
Article 2
Scope
The Parties shall ensure that Eurojust and the competent authorities of Bosnia and Herzegovina cooperate in the fields of activities and within the competence and tasks of Eurojust, as set out in the Eurojust Regulation, as applied in accordance with the Treaty on European Union and the Treaty on the Functioning of the European Union, and in this Agreement.
Article 3
Definitions
For the purpose of this Agreement the following definitions apply:
(1)‘Eurojust’ means the European Union Agency for Criminal Justice Cooperation, established by the Eurojust Regulation including any subsequent amendments thereto;
(2)‘Member States’ means the Member States of the Union;
(3)‘competent authority’ means, for the Union, Eurojust and, for Bosnia and Herzegovina a domestic authority with responsibilities under domestic law relating to the investigation and prosecution of criminal offences, including the implementation of judicial cooperation instruments in criminal matters; as listed in Annex II to this Agreement;
(4)‘Union bodies’ means institutions, bodies, offices and agencies as well as missions or operations established under the Common Security and Defence Policy, set up by, or on the basis of the Treaty on European Union and the Treaty on the Functioning of the European Union, as listed in Annex III to this Agreement;
(5)‘serious crime’ means the forms of crime with respect to which Eurojust is competent, in particular those listed in Annex I to this Agreement, including related criminal offences;
(6)‘related criminal offences’ means the criminal offences committed in order to procure the means of committing serious crimes, in order to facilitate or commit serious crimes or in order to ensure impunity for those committing serious crimes;
(7)‘Assistant’ means a person who may assist a National Member, as referred to in Chapter II, Section II, of the Eurojust Regulation, and the National Member’s Deputy, or the Liaison Prosecutor, as referred to in the Eurojust Regulation and in Article 5 of this Agreement respectively;
(8)‘Liaison Prosecutor’ means a person who holds the function of a public prosecutor or a judge in Bosnia and Herzegovina in accordance with its domestic law and is seconded by Bosnia and Herzegovina to Eurojust, pursuant to Article 5 of this Agreement;
(9)‘Liaison Magistrate’ means a magistrate as referred to in the Eurojust Regulation, posted by Eurojust to Bosnia and Herzegovina pursuant to Article 8 of this Agreement;
(10)‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
(11)‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(12)‘genetic data’ means personal data relating to the genetic characteristics of an individual that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;
(13)‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(14)‘information’ means personal and non-personal data;
(15)‘non-personal’ data means data other than personal data;
(16)‘personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(17)‘Supervisory authority’ means, an authority responsible for data protection in accordance with Article 21, and which has been subject to notification pursuant to Article 28(3).
Article 4
Contact points
1.Bosnia and Herzegovina shall designate at least one contact point within its domestic competent authorities to facilitate the communication and cooperation between Eurojust and the competent authorities of Bosnia and Herzegovina. Bosnia and Herzegovina shall designate one of its contact points as its contact point also for terrorism matters. The Liaison Prosecutor shall not be a contact point.
2.The contact point for Bosnia and Herzegovina shall be notified to the Union. Bosnia and Herzegovina shall inform Eurojust in the event that a contact point changes.
Article 5
Liaison Prosecutor and staff
1.To facilitate the cooperation provided for in this Agreement, Bosnia and Herzegovina shall second a Liaison Prosecutor to Eurojust.
2.The mandate and the duration of the secondment of the Liaison Prosecutor shall be determined by Bosnia and Herzegovina in agreement with Eurojust.
3.The Liaison Prosecutor may be assisted by one or more Assistants and other support staff, depending on the workload and in agreement with Eurojust. When necessary, the Assistants may replace the Liaison Prosecutor or act on the Liaison Prosecutor’s behalf.
4.Bosnia and Herzegovina shall ensure that the Liaison Prosecutor and the Liaison Prosecutor’s Assistants are competent to act in relation to foreign judicial authorities.
5.The Liaison Prosecutor and the Liaison Prosecutor’s Assistants shall have access to the information contained in the domestic criminal records, registers of arrested persons, investigation registers, DNA registers or other register(s) of public authorities of Bosnia and Herzegovina where such information is necessary to fulfil their tasks, in accordance with its domestic law.
6.The Liaison Prosecutor and the Liaison Prosecutor’s Assistants shall have the power to contact the competent authorities of Bosnia and Herzegovina directly.
7.Bosnia and Herzegovina shall inform Eurojust of the exact nature and extent of the judicial powers conferred to the Liaison Prosecutor and the Liaison Prosecutor’s Assistants within Bosnia and Herzegovina to carry out their tasks in accordance with this Agreement.
8.The details of the tasks of the Liaison Prosecutor and the Liaison Prosecutor’s Assistants, their rights and obligations and the costs involved for Eurojust shall be governed by a working arrangement concluded between Eurojust and the competent authorities of Bosnia and Herzegovina in accordance with Article 26.
9.The working documents of the Liaison Prosecutor and the Liaison Prosecutor’s Assistants shall be held inviolable by Eurojust.
Article 6
Operational and strategic meetings
1.The Liaison Prosecutor, the Liaison Prosecutor’s Assistants, and other representatives of competent authorities of Bosnia and Herzegovina, including the contact points referred to in Article 4, may participate in meetings with regard to strategic matters upon the invitation of the President of Eurojust, and in meetings with regard to operational matters with the approval of the National Members concerned.
2.National Members, their Deputies and Assistants, the Administrative Director of Eurojust and Eurojust staff may attend meetings organised by the Liaison Prosecutor, the Liaison Prosecutor’s Assistant(s), or other representatives of competent authorities of Bosnia and Herzegovina, including the contact points referred to in Article 4.
Article 7
Joint Investigation Teams
1.Eurojust may assist Bosnia and Herzegovina to establish joint investigation teams (JITs) with the national authorities of a Member State pursuant to the legal basis applicable between them, enabling judicial cooperation in criminal matters, such as agreements on mutual assistance.
2.Eurojust may be requested to provide financial or technical assistance to operate a JIT that it supports operationally.
Article 8
Liaison Magistrate
1.For the purpose of facilitating judicial cooperation with Bosnia and Herzegovina, Eurojust may post a Liaison Magistrate to Bosnia and Herzegovina in accordance with the Eurojust Regulation.
2.The details of the Liaison Magistrate’s tasks, the Liaison Magistrate’s rights and obligations and the costs involved, shall be governed by a working arrangement concluded between Eurojust and the competent authorities of Bosnia and Herzegovina as referred to in Article 26.
Chapter II
Information exchange and data protection
Article 9
Purposes of processing personal data
1.Personal data requested and received under this Agreement shall be processed only for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, within the limits of Article 10(6) and the respective mandates of the competent authorities.
2.The competent authorities shall clearly indicate, at the latest at the moment of the transfer of personal data, the specific purpose or purposes for which the data are transferred.
Article 10
General data protection principles
1.Each Party shall provide for personal data transferred and subsequently processed under this Agreement to be:
(a)processed fairly, lawfully, in a transparent manner and only for the purposes for which they have been transferred in accordance with Article 9;
(b)adequate, relevant and not excessive in relation to the purposes for which they are processed;
(c)accurate and where necessary, kept up to date; each Party shall provide that the competent authorities take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay;
(d)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
(e)processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2.The competent authority transferring the personal data (the “transferring authority”) may indicate, at the moment of transferring personal data, any restriction on access thereto or the use to be made thereof, in general or specific terms, including as regards their onward transfer, erasure or destruction after a certain period of time, or their further processing. Where the need for such restrictions becomes apparent after the transfer of personal data, the transferring authority shall inform the competent authority receiving the personal data (“the receiving authority”) accordingly.
3.Each Party shall ensure that the receiving authority complies with any restriction of the access to or the use of the personal data indicated by the transferring authority as referred to in paragraph 2.
4.Each Party shall provide that its competent authorities implement appropriate technical and organisational measures in order to be able to demonstrate that the data processing complies with this Agreement and that the rights of the data subjects concerned are protected.
5.Each Party shall comply with the safeguards provided for in this Agreement regardless of the nationality of the data subject concerned and without discrimination.
6.Each Party shall ensure that personal data transferred under this Agreement have not been obtained in violation of human rights recognised by international law binding on the Parties.
Each Party shall ensure that the personal data received are not used to request, hand down or execute a death penalty or any form of cruel or inhuman treatment.
7.Each Party shall ensure that a record is kept of all transfers of personal data under this Article and of the purposes of such transfers.
Article 11
Categories of data subjects and special categories of personal data
1.The transfer of personal data in respect of victims of a criminal offence, witnesses or other persons who can provide information concerning criminal offences shall be allowed only where strictly necessary and proportionate in individual cases for investigating and prosecuting a serious crime.
2.The transfer of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be allowed only where strictly necessary and proportionate in individual cases for investigating and prosecuting a serious crime.
3.The Parties shall ensure that the processing of personal data under paragraphs 1 and 2 is subject to additional safeguards, including restrictions of access, additional security measures and restrictions of onward transfers.
Article 12
Automated processing of personal data
Decisions based solely on automated processing of transferred personal data, including profiling, which produce an adverse legal effect on the data subject or significantly affect him or her, shall be prohibited, unless authorised by law for the investigation and prosecution of serious crime which provides appropriate safeguards for the rights and freedoms of the data subject, including at least the right to obtain human intervention.
Article 13
Onward transfer of the personal data received
1.Bosnia and Herzegovina shall ensure that its competent authorities are prohibited from transferring personal data received under this Agreement to other authorities of Bosnia and Herzegovina unless all of the following conditions are fulfilled:
(a)Eurojust has given its prior explicit authorisation;
(b)the onward transfer is only for the purposes for which the data were transferred in accordance with Article 9; and
(c)the transfer is subject to the same conditions and safeguards as those applying to the original transfer.
Without prejudice to Article 10(2), no prior authorisation is needed when personal data are shared among competent authorities of Bosnia and Herzegovina.
2.Bosnia and Herzegovina shall ensure that its competent authorities are prohibited from transferring personal data received under this Agreement to the authorities of a third country or to an international organisation, unless all of the following conditions are fulfilled:
(a)the onward transfer concerns personal data other than those covered by Article 11;
(b)Eurojust has given its prior explicit authorisation; and
(c)the purpose of the onward transfer is the same as the purpose of the transfer by Eurojust.
3.Eurojust shall give its authorisation pursuant to paragraph 2 point (b) only if and insofar as an adequacy decision, a cooperation agreement or an international agreement providing for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, within the meaning of the Eurojust Regulation, in each case covering the onward transfer, is in place.
4.The Union shall ensure that Eurojust is prohibited from transferring personal data received under this Agreement to Union bodies not listed in Annex III, to the authorities of a third country or to an international organisation, unless all of the following conditions are fulfilled:
(a)the transfer concerns personal data other than those covered by Article 11;
(b)Bosnia and Herzegovina has given its prior explicit authorisation;
(c)the purpose of the onward transfer is the same as the purpose of the transfer by the transferring authority of Bosnia and Herzegovina; and
(d)in the case of an onward transfer to the authorities of a third country or to an international organisation, an adequacy decision, a cooperation agreement or an international agreement providing for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals within the meaning of the Eurojust Regulation, in each case covering the onward transfer, is in place.
The conditions referred to in the first subparagraph do not apply when the personal data are shared by Eurojust with Union bodies listed in Annex III or with authorities responsible in the Member States for investigating and prosecuting serious crime.
Article 14
Right of access
1.The Parties shall provide for the right of the data subject to obtain confirmation from the authorities processing the personal data transferred under this Agreement as to whether personal data relating to him or her are processed under this Agreement, and, where that is the case, access to at least information on the following:
(a)the purposes and legal basis for the processing, the categories of data concerned, and, where applicable, the recipients or categories of recipients to whom the personal data have been or will be disclosed;
(b)the existence of the right to obtain from the authority rectification or erasure, or restriction of the processing of personal data;
(c)where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
(d)communication, using clear and plain language of the personal data undergoing processing and of any available information as to the sources of those data;
(e)the right to lodge a complaint with the supervisory authority referred to in Article 21 and its contact details.
In cases where the right of access referred to in the first subparagraph is exercised, the transferring authority shall be consulted on a non-binding basis before a final decision on the request for access is taken.
2.The Parties shall provide for the authority concerned to address the request without undue delay and in any case within three months of the receipt of the request.
3.The Parties may provide for the possibility of delaying, refusing or restricting the information referred to in paragraph 1, to the extent that and for as long as such delay, refusal or restriction constitutes a measure that is necessary and proportionate, taking into account the fundamental rights and interests of the data subject, in order to:
(a)avoid the obstruction of official or legal inquiries, investigations or procedures;
(b)avoid prejudice to the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)protect public security;
(d)protect national security; or
(e)protect the rights and freedoms of others, such as victims and witnesses.
4.The Parties shall provide for the authority concerned to inform the data subject in writing of:
(a)any delay, refusal or restriction of access and of the reasons therefor; and
(b)the possibility of lodging a complaint with the respective supervisory authority or of seeking a judicial remedy.
The information set out in the first subparagraph, point (a) of this paragraph, may be omitted where this would undermine the purpose of the delay, refusal or restriction under paragraph 3.
Article 15
Right to rectification, erasure or restriction
1.The Parties shall provide for the right of the data subject to obtain from the authorities processing personal data transferred under this Agreement the rectification of inaccurate personal data relating to the data subject. Taking into account the purposes of the processing, the right to obtain rectification includes the right to have incomplete personal data transferred under this Agreement completed including by means of providing a supplementary statement.
2.The Parties shall provide for any data subject to have the right to obtain from the authorities processing personal data transferred under this Agreement the erasure of personal data concerning the data subject where the processing of the personal data infringes Article 10(1) or Article 11(2), or where the personal data have to be erased in order to comply with a legal obligation to which the authorities are subject.
3.The Parties may provide for the possibility of the authorities to grant restriction of processing rather than the rectification or erasure of personal data as referred to in paragraphs 1 and 2 where:
(a)the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained; or
(b)when the personal data have to be maintained for the purposes of evidence.
4.The transferring authority and the authority processing the personal data shall inform each other of cases referred to in paragraphs 1, 2 and 3. The authority processing the data shall rectify, erase or restrict the processing of the personal data concerned in accordance with the action taken by the transferring authority.
5.The Parties shall provide for the authority having received a request under paragraph 1 or 2 to inform the data subject in writing without undue delay that the personal data have been rectified, or erased, or that their processing has been restricted.
6.The Parties shall provide for the authority having received a request under paragraph 1 or 2 to inform the data subject in writing of:
(a)any refusal of the request and of the reasons therefor;
(b)the possibility of lodging a complaint with the respective supervisory authority; and
(c)the possibility of seeking a judicial remedy.
The information listed in the first subparagraph, point (a) of this paragraph, may be omitted under the conditions set out in Article 14(3).
Article 16
Notification of a personal data breach to the authorities concerned
1.The Parties shall provide, in the event of a personal data breach affecting personal data transferred under this Agreement, for their respective authorities to notify each other as well as their respective supervisory authority of that breach without delay, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, and to take measures to mitigate its possible adverse effects.
2.The notification shall at least describe:
(a)the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned and the categories and number of personal data records concerned;
(b)the likely consequences of the personal data breach;
(c)the measures taken or proposed to be taken by the authority processing the data to address the personal data breach, including the measures taken to mitigate its possible adverse effects.
3.Where, and in so far as, it is not possible to provide the information referred to in paragraph 2 at the same time, the information may be provided in phases without undue further delay.
4.The Parties shall provide for their respective authorities to document any personal data breach affecting personal data transferred under this Agreement, including the facts surrounding the breach, its effects and the remedial action taken, thereby enabling their respective supervisory authority to verify compliance with this Article.
Article 17
Communication of a personal data breach to the data subject
1.The Parties shall, where a personal data breach as referred to in Article 16 is likely to result in a high risk to the rights and freedoms of natural persons, provide for their respective authorities to communicate the personal data breach to the data subject without undue delay.
2.The communication to the data subject pursuant to paragraph 1 shall describe in clear and plain language the nature of the personal data breach and contain at least the elements provided for in Article 16 (2) points (b) and (c).
3.The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a)the personal data concerned by the breach were subject to appropriate technological and organisational protection measures that render the data unintelligible to any person who is not authorised to access them;
(b)subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
(c)such communication would involve disproportionate effort, in particular owing to the number of cases involved. If so, the authority shall issue a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4.The communication to the data subject may be delayed, restricted or omitted under the conditions set out in Article 14(3).
Article 18
Storage, review, correction and deletion of personal data
1.The Parties shall provide for appropriate time limits to be established for the storage of personal data received under this Agreement or for a periodic review of the need for the storage of such data, so that such data are stored for no longer than is necessary for the purposes for which they are transferred.
2.In any case, the need for continued storage shall be reviewed no later than three years after the transfer of the personal data.
3.Where a transferring authority has reason to believe that personal data previously transferred by it are incorrect, inaccurate, no longer up to date, or should not have been transferred, it shall inform the receiving authority, which shall rectify or erase the personal data, and provide notification thereof to the transferring authority.
4.Where a competent authority has reason to believe that personal data previously received by it are incorrect, inaccurate, no longer up to date, or should not have been transferred, it shall inform the transferring authority, which shall provide its position on the matter.
Where the transferring authority concludes that the personal data is incorrect, inaccurate, no longer up to date, or should not have been transferred, it shall inform the receiving authority, which shall rectify or erase the personal data, and provide notification thereof to the transferring authority.
Article 19
Logging and documentation
1.The Parties shall provide for the keeping of logs or other documentation of the collection of, alteration of, access to, disclosure of, including onward transfer, combination and erasure of personal data. For greater certainty, they shall ensure that it is possible to verify and establish what personal data have been accessed, by whom and when.
2.The logs or documentation referred to in paragraph 1 shall be made available to the supervisory authority on request and shall be used only for verification of the lawfulness of data processing, self-monitoring and ensuring proper data integrity and security.
Article 20
Data security
1.The Parties shall ensure the implementation of technical and organisational measures to protect personal data transferred under this Agreement.
2.In respect of automated data processing, the Parties shall ensure the implementation of measures designed to:
(a)deny unauthorised persons access to data processing equipment used for processing personal data (“equipment access control”);
(b)prevent the unauthorised reading, copying, modification or removal of data media (“data media control”);
(c)prevent the unauthorised input of personal data and the unauthorised inspection, modification or deletion of stored personal data (“storage control”);
(d)prevent the use of automated data processing systems by unauthorised persons using data-communication equipment (“user control”);
(e)ensure that persons authorised to use an automated data processing system have access only to the personal data covered by their access authorisation (“data access control”);
(f)ensure that it is possible to verify and establish to which entities personal data may be or have been transmitted using data communication equipment (“communication control”);
(g)ensure that it is possible to verify and establish which personal data have been input into automated data processing systems and when and by whom the personal data were input (“input control”);
(h)prevent the unauthorised reading, copying, modification or deletion of personal data during their transfer or during transportation of data media (“transport control”);
(i)ensure that installed systems may, in the event of interruption, be restored immediately (“recovery”);
(j)ensure that the functions of the system perform without fault, that the appearance of faults in the functions is immediately reported (reliability) and that stored personal data cannot be corrupted by system malfunctions (“integrity”).
Article 21
Supervisory authority
1.The Parties shall provide for one or more independent public authorities responsible for data protection to oversee the implementation of, and ensure compliance with this Agreement, for the purpose of protecting the fundamental rights and freedoms of natural persons in relation to the processing of personal data.
2.The Parties shall ensure that:
(a)each supervisory authority acts with complete independence in performing its tasks and exercising its powers;
(b)each supervisory authority is free from external influence, whether direct or indirect, and neither seeks nor accepts instructions;
(c)the members of each supervisory authority have a secure term of office, including safeguards against arbitrary removal.
3.The Parties shall ensure that each supervisory authority has the human, technical and financial resources, premises, and infrastructure necessary for the effective performance of its tasks and exercise of its powers.
4.The Parties shall ensure that each supervisory authority has effective powers of investigation and intervention to exercise oversight over the bodies it supervises, and to engage in legal proceedings.
5.The Parties shall ensure that each supervisory authority has powers to hear and address complaints from individuals about the use of their personal data.
Article 22
Right to an effective judicial remedy
1.The Parties shall ensure that, without prejudice to any other administrative or non-judicial remedy, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights guaranteed under this Agreement have been infringed as a result of the processing of his or her personal data in non-compliance with this Agreement.
2.The right to an effective judicial remedy shall include the right to compensation for any damage caused to the data subject by such processing as a result of a violation of this Agreement and under the conditions set out in the respective legal framework of each Party.
Chapter III
Confidentiality of information
Article 23
Exchange of EU classified or sensitive non-classified information
The exchange of Union and Bosnia and Herzegovina classified or sensitive non-classified information, if necessary under this Agreement, and its protection shall be regulated by a working arrangement concluded between Eurojust and the competent authorities of Bosnia and Herzegovina.
Chapter IV
Liability
Article 24
Liability and compensation
1.The competent authorities shall be liable, in accordance with their respective legal frameworks, for any damage caused to an individual as a result of legal or factual errors in information exchanged. In order to avoid liability under their respective legal frameworks vis-à-vis an injured individual, neither Eurojust nor the competent authorities of Bosnia and Herzegovina may plead that the other had transferred inaccurate information.
2.If a competent authority has paid compensation to an individual under paragraph 1, and its liability was a result of its use of information which had been erroneously communicated by the other competent authority or communicated as a result of a failure on the part of the other competent authority to comply with its obligations, the amount paid as compensation shall be repaid by the other competent authority, unless the information was used in breach of this Agreement.
3.Eurojust and the competent authorities of Bosnia and Herzegovina shall not require each other to repay compensation for punitive or non-compensatory damages.
Chapter V
Final provisions
Article 25
Expenses
The Parties shall ensure that the competent authorities bear their own expenses, which arise during the implementation of this Agreement, unless otherwise stipulated in this Agreement or in the working arrangement.
Article 26
Working arrangement
1.The details of the cooperation between the Parties to implement this Agreement shall be governed by a working arrangement concluded between Eurojust and the competent authorities of Bosnia and Herzegovina in accordance with the Eurojust Regulation.
2.The working arrangement shall replace any existing working arrangement concluded between Eurojust and the competent authorities of Bosnia and Herzegovina.
Article 27
Relation to other international instruments
This Agreement is without prejudice to, and shall not otherwise affect or impact any bilateral or multilateral agreement on cooperation or mutual legal assistance treaty, any other cooperation agreement or arrangement, or working level judicial cooperation relationship in criminal matters between Bosnia and Herzegovina and any Member State.
Article 28
Notification of implementation
1.The Parties shall provide for each competent authority to make publicly available its contact details as well as a document setting out using clear and plain language, information regarding the safeguards for personal data guaranteed under this Agreement, including information covering at least the items referred to in Article 14(1), points (a) and (c), and the means available for the exercise of the rights of data subjects. Each Party shall ensure that a copy of that document be provided to the other.
2.Where not already in place, the competent authorities shall adopt rules specifying how compliance with the provisions regarding the processing of personal data will be enforced in practice. A copy of those rules shall be sent to the other Party and their respective supervisory authority.
3.The Parties shall notify each other of the supervisory authority responsible for overseeing the implementation of, and ensuring compliance with, this Agreement in accordance with Article 21.
Article 29
Entry into force and application
1.This Agreement shall be approved by the Parties in accordance with their own procedures.
2.This Agreement shall enter into force on the first day of the second month following the month during which both Parties have notified each other that the procedures referred to in paragraph 1 have been completed.
3.This Agreement shall apply as from the first day after the date on which all of the following conditions have been fulfilled:
(a)the Parties have signed a working arrangement referred to in Article 26;
(b)the Parties have notified each other that the obligations laid down in this Agreement have been implemented, including those laid down in Article 28; and
(c)each Party has informed the other Party that the notification pursuant to point (b) of this subparagraph has been accepted.
The Parties shall notify each other in writing confirming the fulfilment of the conditions set out in the first subparagraph.
4.A Party may postpone the transfer of personal data in the event that, and for as long as, the other Party ceases to provide for, and implement, the safeguards and obligations contained in Chapter II (Information exchange and data protection) of this Agreement.
Article 30
Amendments
1.This Agreement may be amended in writing, at any time, by mutual consent between the Parties by written notification exchanged between them.
2.Updates to the Annexes to this Agreement may be agreed between the Parties, by exchange of diplomatic notes.
Article 31
Review and evaluation
1.The Parties shall jointly review the implementation of this Agreement one year after the date of entry into application, and at regular intervals thereafter, and whenever requested by either Party and agreed between the Parties.
2.The Parties shall jointly evaluate this Agreement four years after the date of entry into application.
3.The Parties shall decide in advance on the details of the review and shall communicate to each other the composition of their respective teams. Each team shall include relevant experts on data protection and judicial cooperation. Subject to applicable laws, any participants in the review shall be required to respect the confidentiality of the discussions and to have appropriate security clearances. For the purposes of any review, the Parties shall ensure access to relevant documentation, systems and staff.
Article 32
Settlement of disputes and suspension
1.If a dispute arises in connection with the interpretation, application or implementation of this Agreement, and any matters related thereto, the representatives of the Parties shall enter into consultations and negotiations with a view to reaching a mutually agreeable solution.
2.Notwithstanding paragraph 1, in the event of a material breach or of non-fulfilment of obligations under this Agreement or, if there is an indication that such a material breach or non-fulfilment of obligations is likely to occur in the near future, either Party may suspend the application of this Agreement in whole or in part by written notification to the other Party.
Such written notification shall not be made until after the Parties have engaged in consultations during a reasonable period without reaching a resolution.
Suspension shall take effect 20 days from the date of receipt of such notification. Such suspension may be lifted by the suspending Party upon written notification to the other Party. The suspension shall be lifted immediately upon receipt of such notification.
3.Notwithstanding any suspension of the application of this Agreement, information falling within the scope of this Agreement and transferred prior to its suspension shall continue to be processed in accordance with this Agreement.
Article 33
Termination
1.Either Party may notify in writing the other Party of its intention to terminate this Agreement. The termination shall take effect three months after the date of receipt of the notification.
2.Information falling within the scope of this Agreement transferred prior to its termination shall continue to be processed in accordance with this Agreement as in force on the date of termination.
3.In case of termination, the Parties shall agree on the continued use and storage of the information that has already been communicated between them. If no agreement is reached, either Party is entitled to require that the information which it has communicated be destroyed or returned to it.
Article 34
Notifications
1.Notifications made in accordance with Article 29(2) shall be sent:
(a)for Bosnia and Herzegovina, to the Ministry of Justice of Bosnia and Herzegovina;
(b)for the Union, to the Secretary-General of the Council of the European Union.
Any other notification made in accordance with this Agreement shall be sent:
(a)for Bosnia and Herzegovina, to the Ministry of Justice of Bosnia and Herzegovina;
(b)for the Union, to the European Commission.
2.The information about the addressee of notifications referred to in paragraph 1 might be updated through diplomatic channels.
Article 35
Authentic texts
This Agreement shall be drawn up in duplicate in the Bulgarian, Czech, Croatian, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish, Swedish as well as in the languages and scripts in official use in Bosnia and Herzegovina, all texts being equally authentic. In case of divergence, the English text shall prevail.
IN WITNESS WHEREOF, the undersigned Plenipotentiaries, duly authorised to this effect, have signed this Agreement.
For the European Union
For Bosnia and Herzegovina
ANNEX I
Forms of serious crime (Article 3, point (5))
–terrorism,
–organised crime,
–drug trafficking,
–money-laundering activities,
–crime connected with nuclear and radioactive substances,
–immigrant smuggling,
–trafficking in human beings,
–motor vehicle crime,
–murder and grievous bodily injury,
–illicit trade in human organs and tissue,
–kidnapping, illegal restraint and hostage taking,
–racism and xenophobia,
–robbery and aggravated theft,
–illicit trafficking in cultural goods, including antiquities and works of art,
–swindling and fraud,
–crime against the financial interests of the Union,
–insider dealing and financial market manipulation,
–racketeering and extortion,
–counterfeiting and product piracy,
–forgery of administrative documents and trafficking therein,
–forgery of money and means of payment,
–computer crime,
–corruption,
–illicit trafficking in arms, ammunition and explosives,
–illicit trafficking in endangered animal species,
–illicit trafficking in endangered plant species and varieties,
–environmental crime, including ship-source pollution,
–illicit trafficking in hormonal substances and other growth promoters,
–sexual abuse and sexual exploitation, including child abuse material and solicitation of children for sexual purposes,
–genocide, crimes against humanity and war crimes.
The forms of crime referred to in this Annex shall be assessed by the competent authorities of Bosnia and Herzegovina in accordance with the law of Bosnia and Herzegovina.
ANNEX II
Competent authorities of Bosnia and Herzegovina and their competences
(Article 3, point (3))
The competent authorities of Bosnia and Herzegovina, to which Eurojust may transfer data are as follows:
|
Authority |
Description of competences |
|
Ministry of Justice of Bosnia and Herzegovina |
Central coordinating authority for international and inter-entity judicial cooperation in criminal matters (e.g. mutual legal assistance and contacts with international tribunals); Extraditions; Administrative functions related to judicial bodies at state level. |
|
Prosecutor’s Office of Bosnia and Herzegovina Prosecutor’s Office of the Federation of Bosnia and Herzegovina, cantonal prosecutors’ offices Prosecutor’s Office of the Republika Srpska, district prosecutors’ offices Prosecutor’s Office of the Brčko District of Bosnia and Herzegovina |
Domestic authorities competent for the investigation and prosecution of criminal offences; Domestic authorities competent to implement judicial cooperation; |
|
Court of Bosnia and Herzegovina Supreme Court of the Federation of Bosnia and Herzegovina, cantonal courts and municipal courts in the Federation of Bosnia and Herzegovina Supreme Court of the Republika Srpska, district courts and basic courts in Republike Srpska Basic Court of the Brčko District of Bosnia and Herzegovina and Appellate Court of the Brčko District of Bosnia and Herzegovina |
Domestic authorities competent to act upon prosecutors’ requests and motions during the course of investigation and prosecution of criminal offences; Domestic authorities competent to implement judicial cooperation in criminal matters; |
|
State Investigation and Protection Agency, Border Police of Bosnia and Herzegovina, Directorate for Coordination of Police Bodies of Bosnia and Herzegovina Ministry of Internal Affairs of the Federation of Bosnia and Herzegovina (Police Administration of the Federation of Bosnia and Herzegovina), cantonal ministries of internal affairs (cantonal police administrations) in the Federation of Bosnia and Herzegovina Ministry of Internal Affairs of the Republika Srpska (Police Administration, Criminal Police Administration, Administration for Organised and Serious Crime, Administration for Combating Terrorism and Extremism) Police of the Brčko District of Bosnia and Herzegovina |
Domestic authorities competent to conduct investigative measures under the supervision of the competent prosecutor; |
ANNEX III
List of Union bodies
(Article 3, point (4))
Union bodies with which Eurojust can share personal data:
–European Central Bank (ECB)
–European Anti-Fraud Office (OLAF)
–European Border and Coast Guard Agency (Frontex)
–European Union Intellectual Property Office (EUIPO)
–Missions or operations established under the Common Security and Defence Policy, limited to law enforcement and judicial activities
–European Union Agency for Law Enforcement Cooperation (Europol)
–European Public Prosecutors Office (EPPO)
