Data protection

Introductory Information

Personal data processing and protection policy (hereinafter: the Policy) represents a basic act describing the purpose and the objectives of personal data collection, processing and management by the Public Company Motorways of the Federation of BiH Ltd Mostar (hereinafter: the JPAC).The goal of the Policy is to establish appropriate processes of protection and management of personal data of data subjects, i.e. service users, employees and other persons whose personal data are processed, in accordance with the GDPR regulation (EU) 2016/679 of the European Parliament and Council from 27 April 2016 (hereinafter: the Regulation), the Law on the Protection of Personal Data of BiH (hereinafter: the Law) on the protection of individuals with regard to the processing of personal data and free movement of such data and JPAC’s internal acts. The JPAC has recognized the importance of protection of data privacy, security and protection for all individuals appearing as participants in our business processes. Through this Policy, the JPAC expresses its readiness to comply with the Regulation, the Law, company’s internal acts on personal data protection.

Individuals as participants in the processes the Policy applies to include:

  • Current employees of the JPAC company,
  • Members of families of current employees of the JPAC,
  • Former employees of the JPAC,
  • Members of families of former employees of the JPAC,
  • Potential new employees (job candidates)
  • Employees of contractors, engineers, subcontractors on certain construction sites,
  • Users of motorways and expressways managed by the JPAC,
  • Other private persons sharing their private data in projects involving the JPAC.

Data Controller

This Policy applies to any personal data collected and stored by the PC Motorways of the Federation of BiH Ltd. Mostar, Adema Buća 20, 88000 Mostar.

As the Data Controller, the JPAC is responsible for the processing and storing of your personal data.

In case that you have any questions with regard to the use of this Policy or exercising of your rights deriving therefrom, as specified below in the text, feel free to contact us using one of the below-listed contact details:

  • +387 36 512 300 (ext.361) / 387 33 277 900 (ext.953)
  • PC Motorways of the Federation of BiH Ltd. Mostar, ul. Adema Buća 20, 88000 Mostar, with “GDPR – Data Protection” reference

Basic Terms

In this Chapter you may find explanations of basic terms from the Data Protection Policy.

  • Personal data imply any data that are related to an identifiable individual (first name, surname, telephone number, personal ID number, e-mail address etc.)
  • Data Controller -an entity that determines purpose, conditions and means of personal data processing
  • Data Processor – entity that processes personal data on behalf of the Data Controller
  • Personal Data Protection Agency – state agency the task of which is to protect data and privacy, supervise the process of application of the Regulation and implement actively the Regulation on Data Protection.
  • Data Protection Officer (DPO) – an employee responsible for data protection who works independently so as to ensure that a business entity complies with the policy and procedures established on the basis of the Regulation
  • Processing of personal data – any operation which is performed on personal data, whether or not by automated means, such as collection, use, preparation of reports for recordings and similar


Purpose of Collection of Personal Data

In order to be able to offer its services to data subjects, the JPAC has to process their personal data needed for quality provision of certain services. Otherwise, i.e. if a data subject rejects to

communicate such personal data, the JPAC will not be able to provide him/her with a service.

We collect individuals’ personal data for the purposes of:

– different legal obligations – we collect data and send them by way of different paper and digital forms to different State Administration institutions for the purpose of registration, deregistration or change of employees’ status and rights, investigative activities and court proceedings.

– different contractual obligations – we send data to the contracting authority and/or creditors during the process of procurement and during the execution of works with regard to the contracted jobs.

– our internal processes- by which we wish to ensure better efficiency of work, cost effectiveness of a project and prevent alienation of fixed assets, material, small inventory and similar.


Principles of Data Processing

In processing personal data of data subjects, the JPAC complies with the following basic principles:

  • Lawfulness, fairness and transparency – the JPAC shall process personal data of data subjects in accordance with the applicable regulations and encompassing all data subjects’ rights, and shall provide data subjects, in accordance with the Regulation, the Law and the JPAC’s internal acts, with any necessary information about which personal data that concern them are collected, used or made available for access or are processed in a different way. It shall ensure, upon their request, access to their data for data subjects, an explanation of processing, grounds for and lawfulness of processing. The data subject shall be informed about any relevant information in a timely manner, i.e. prior to the collection of personal data.
  • Purpose limitation – personal data must be collected for specific, explicit and legitimate purposes, and shouldn’t be further processed in a way that is not compatible with the said purposes.
  • Data minimization – the JPAC shall collect and process personal data in a way that such data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Each organizational unit within the JCAP shall ensure that this principle is applied adequately.
  • Accuracy and updating – the JPAC shall ensure that the data are accurate and shall undertake all reasonable measures to ensure that personal data that are not correct, taking account of the purpose they are processed for, be deleted or rectified without delay. For that purpose, the data subjects that have a business, i.e. a contractual relationship with the JPAC shall have the right and the obligation to update their personal data.
  • Storage limitation – personal data of data subjects shall be kept in a form that enables their identification only for as long as is required for the personal data processing purpose, and for a longer period if there is a legitimate interest for that (for instance, if they serve as evidence in a court or investigation procedure).
  • Integrity and Confidentiality – the JPAC shall collect and process data in such a way that shall ensure proper safety of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by applying appropriate technical or organizational measures. The implementation of this principle shall be ensured by the implementation of a system the goal of which is to restrict access to data, detect and protect against data leak, by methods of supervision over access to data and similar.

Each JPAC organizational unit, just like the Data Processor shall ensure compliance with the above mentioned principles in processing personal data it is competent for.

In accordance with the said principles, JPAC’s employees shall have access to personal data of data subjects depending on their authorizations, and for the purpose of successful performance of tasks relating to specific job positions.

The JPAC shall forward data of data subjects to other legal persons and state institutions when that is grounded in the law.

Each organizational unit of the JCAP shall be obliged to identify the lawfulness of any data processing falling under its competence.


Rights of Data Subjects

When collecting personal data, the JPAC shall provide the data subject with information concerning:

– identity and contact details for the JPAC as the Data Controller,

– contact details of the Data Protection Officer (DPO),

– purposes of processing for which personal data are collected just like the legal grounds for processing,

– legitimate interests of the JPAC,

– recipients or categories of recipients of personal data, if any,

– intention to transfer personal data to third countries, if any,

– data retention period,

– data subjects’ right of access to personal data, right to restrict processing and to erase data,

– right to lodge a complaint to the Personal Data Protection Agency of BiH.


Rights of data subjects under the Regulation, the Law and this Policy are as follows:

Right of Access to Data – the data subject shall have the right to receive a certificate from the JPAC as to whether his/her personal data are processed and if yes, access to personal data and information about the processing purpose, data categories, potential recipients that personal data will be disclosed to, his/her right to request rectification, erasure or restriction of processing of personal data, and the right to lodge a complaint to a supervisory authority.

Right to Rectification – the data subject shall have the right to request, without any unnecessary delay, the JPAC to rectify personal data concerning him/her. Taking account of the purpose of processing, the data subject shall have the right to complete the incomplete personal data by, inter alia, giving an additional statement.

Right of Erasure – the data subject shall have the right to request from the JPAC that personal data concerning him/her be erased.

Right to Restrict Processing – the data subject shall have the right to request and to obtain restriction

Right to Object –the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.


The JPAC shall provide information to the data subject, at his/her request, about actions taken in relation to the said rights within a deadline of 30 days from the date of reception of proper request. Exceptionally, the JPAC may extend the deadline for reply for justified reasons and shall notify the data subject thereof.

Information shall be provided in a written form or by different means, including electronically, if appropriate. If so requested by the data subject, information shall be provided in a verbal form, on the condition that the identity of the data subject has been determined by different means.

In case the JPAC fails to act upon a request, it shall notify the data subject of the reasons and of the possibility to lodge a complaint to the supervisory body.


Our Data Retention Period


Your personal data shall be retained in accordance with the applicable laws and only for as long as is required for achieving the personal data processing purpose, or for a period prescribed by the law or for a period required for contract execution. The data collected on the basis of consent shall be erased even before your cancellation, in case that the purpose for which the data have been collected has been achieved. Personal data the retention period for which has expired (for instance if the purpose for which they have been collected has been achieved, because the legal deadline has expired etc.) shall be erased, destroyed or anonymized in a way making personal data recovery impossible.

Data shall be retained for different periods of time, depending on the purpose for which they are collected, as defined in the records of data collections of the JPAC.


Cookie Policy

Cookies are small text files the majority of web pages store on users’ internet access devices in order to recognize users of individual devices during their access. Their storage is fully controlled by the user’s browser – which may enable or disable the storing of cookies, as desired. Cookies are not harmful and are always of limited duration

The Internet page of the PC Motorways of the Federation of BiH Ltd. Mostar ( collects two types of cookies.

  • Technical cookies for the purpose of ensuring unhindered operation of the web page
  • Statistical cookies by which you allow monitoring of statistics concerning Internet page visits, and your data (Internet protocol address, cookie identifiers) are used to adjust advertisements during

the next page visit.

The server on which this Internet page resides is protected with all types of protection to secure data privacy and safety. By disabling cookies, you decide whether you will allow cookies to be stored on your computer. Cookie settings may be controlled and configured in your Internet browser. By disabling cookies, you may no longer be able to use some functionalities of our Internet page.