Legal background for adoption of this regulation:


  • Law on Personal Data Protection (Official Gazette of Bosnia and Herzegovina No. 49/06 and 76/11 and 89/11)
  • Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of BiH, No. 67/09)


  1. Definitions


The terms used in this document shall have the following meanings:

  • 'personal data' shall mean any information relating to an identified or identifiable natural person;
  • ‘data subject’ shall mean a natural person who can be identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
  • ‘processing of personal data' shall mean any operation or set of operations performed upon personal data, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
  • ‘anonymous data’ shall mean the data which, in its original form or after their processing, cannot be linked to the data subject in regard to its identification;
  • ‘controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data pursuant to the Law or regulations;
  • 'data processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • ‘third party’ shall mean any natural or legal person, public authority, agency or any other body, except the data subject, controller, data processor and persons directly subordinated to the controller or data processor, authorized to process the data.
  • 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
  • ‘data recipient’ shall mean a natural or legal person, public authority, agency or any other body to which the data is disclosed, regardless of whether they are a third party or not; public authorities that may receive such data in the framework of a special request are not considered as recipients.




The purpose of adoption of this regulation is a successful protection of personal data, which includes a number of administrative, technical and physical measures. In compliance with all principles and standards for data management, FLYBOSNIA d.o.o. Sarajevo shall continuously be resolving issues in the segments of:

  • relevancy (checking of data relevant for business operations and decision-making),
  • legality and ethical values of the data, and
  • security of data from unauthorized access and misuse.

Access to the records containing personal data shall be limited only to those persons for whom it is reasonably necessary to be aware of such data in order to perform their legitimate business purposes or the same should be enabled to them pursuant to other state regulations. This document defines the rules related to protection of individuals in regard to the collection and processing of personal data and rules related to free transfer of personal data. The goal of this document is to establish adequate mechanisms for protection and management of personal data of the data subject and other persons whose personal data is processed.

  1. What personal data do we process and how do we collect them?

In regard to this document, especially the following data are considered personal data:


  1. First name, surname
  2. Contact address (street, town and postcode), email address
  3. Telephone number
  4. Date of birth
  5. Place of birth
  6. Sex
  7. Citizenship
  8. Passport number
  9. Personal identity number
  10. Nationality
  11. Photo and passport data
  12. Credit card data


If you use the website of FLYBOSNIA d.o.o. Sarajevo for flight reservation, we will collect from you and use all the information necessary for the reservation. This may include personal data such as your name, date of birth, address, personal identity number, data about your kin, sex, passport data, in addition to payment data (for instance credit card number and e-mail) for the passenger.

In addition, we may request data from you for the purpose of providing advanced services, such as medical services. This is a special category of personal data which we treat with a special attention. These special categories of data include data about your health, for instance whether you use a wheelchair or need an oxygen tank, certain health related behaviors, such as whether you are a smoker or not, etc. If you or any passengers have special requirements in regard to health, food or access, about which you or such passenger would like to inform us, we can collect such data in a given section about such needs.

In case you carry out the purchase of a flight ticket not only for yourself but also for a person travelling with you, please note that you must have the relevant power to represent that passenger and share his/her personal data with us. You undertake to explain to that person how we shall use his/her personal data pursuant to this regulation. It is assumed that such actions have been undertaken prior to making a reservation. We can also be a subject of special legal obligations to explain to such persons that we control their personal data even if you have provided us such data.

Personal data disclosing racial or ethnic origin, political opinion, religious or other belief as well as sexual orientation or union membership shall not be processed. The processing of the above-mentioned special categories of personal data shall be carried on exclusively in the following cases:

- data subject has given explicit consent for processing of such personal data for one or more specific purposes;

- such processing is necessary for the needs of fulfilling of obligations and exercising of special rights of FlyBosnia d.o.o. Sarajevo pursuant to the laws of Bosnia and Herzegovina;

- such processing is necessary for protection of vital interests of the data subject or other person;

- processing is related to the personal data for which it is evident that the data subject has disclosed them;

- such processing is necessary to claim, defend or enforce legal claims


FlyBosnia d.o.o. Sarajevo pays special attention to the protection of minors’ data, since minors may be less aware of the risks, consequences and protective measures, as well as their own rights in regard to processing of personal data. Persons under the age of sixteen (16) are considered minors.

In addition, we collect your personal data on our website through the link "CONTACT" ____________. If you have sent an inquiry through our link "Contact", your personal data shall be used exclusively for the purpose of replying to your inquiry. The copy shall not be used for any other purpose, except for storing of e-mail in a given time period.


We can also collect personal data through log-files. Our website stores the information about your IP address in log files for a certain period of time. The information in log files include the internet protocol (IP) address, browser type, Internet Service Provider (ISP), date/time, reference website and other information that the browser may record. We use such data exclusively for the purpose of resolving of possible problems in the functioning of the system, meaning administration of the website.


Our website may use "cookies" and other tracking technologies. A "cookie" is a small textual file that may contain cached data (IP address, e-mail address or password), in order that a user does not have to re-enter such data every time he/she visits the website. Also, data about geo-location of users may be stored, for user’s easier navigation during the process of purchasing of tickets. Most browsers allow you to control the "cookies"-a, and if you do not want such data to be available to us, you can disable the "cookies". In such case, our website may nor function properly on your browser.


With your consent, we can perform “profiling” in order to provide offers that match your interests and needs (for instance, discounts to the flight ticket, vouchers, etc.). With your consent, we can send provide you with such offers via e-mail or telephone.


  1. Basis for use of your personal data

We shall collect, use and share your personal data if there is an adequate basis for that. Such basis includes:

  • When your personal data is necessary for fulfillment of carriage contract or taking of steps for conclusion of contract with you, for instance for performance of payment and making of reservations with us, or to complete the organization of your travel arrangements if you are a passenger in flight reservation;
  • When we have to use your personal data in order to comply with adequate legal or regulatory obligations that we have;
  • When we have your consent to use your personal data for certain activities, for instance sending of special offers from us and our partners which we deem to be of interest to you.

FlyBosnia d.o.o. Sarajevo keeps a registry of activities on processing of personal data for which it is responsible, that is in cases when it fulfills the role of the controller or processor. This registry is in electronic form and contains at least the following information:

• name and contact information of the controller/processor

• purpose of the processing

• description of categories of data subjects and categories of personal data

• categories of recipients to whom such data is disclosed or shall be disclosed, including recipients in third countries or international organizations;

• transfer of personal data to a third country or international organization, including the name of the third country or name of international organization

• prescribed deadline for deletion of different categories of data, if possible

• general description of technical and organizational security measures.


  1. Recipients of your personal data

Since of the founders of FlyBosnia d.o.o. is Mr. Al Shiddi, Sulaiman Abdullah, we must share information with the Al Shiddi agency in Riyadh, Saudi Arabia, in order to be able to provide our services to you more easily and more efficiently.


Other recipients of your personal data:

  • Banks and other providers of payment services, for approval and realization of payments;
  • Other third parties that assist us in our business operations and provision of services. For instance, providers of IT services that assist us with technical support and management of the system of business support, or third parties – agents selling reservation, etc.
  • Customs and/or immigration services or other regulatory bodies or state authorities, in order to comply with legal obligations and provide security for all our passengers and clients;

Occasionally, we may share your data with state authorities and agencies and international organizations, in full compliance with the valid laws, rules and regulations, as well as legitimate requests of law enforcement bodies, regulatory and other state or international agencies or when it is in our legitimate interests, even if we are not legally obliged to share such information.

If we sell or transfer a part or our entire business operation or assets to a third party in the future we may disclose or transfer the data to the potential or real buyer that purchases our business operations or assets.

In order that we can provide you the requested services, we may have to transfer the data to countries outside of the European Economic Area which do not provide the same level of personal data protection. In such cases, we shall undertake all the necessary measures toward the recipient of your personal data in order to secure an adequate level of protection of your personal data. We conclude contracts on data processing with the recipients of your personal data, by which they are obliged to provide the adequate level of protection of personal data that are processed, pursuant to the applicable Law on Protection of Personal Data and the Rulebook on the maintenance and special technical security measures for personal data. If an adequate level of protection of your personal data cannot be secured, we shall ask for your exclusive consent regarding any transfer of such data.


We are warning you that such data transfers may carry certain risks, since the recipient of your data may have an unreasonable access to the data, and you may not be in a position to exercise your rights regarding the protection of your personal data and rights on privacy.

  1. Method of storing and protection of personal data

We fulfill the legal obligations and protect your personal data in a way that we:

  • regularly update the personal data,
  • safely store and erase them,
  • do not collect or keep excessive amounts of data,
  • protect personal data from loss, abuse, unauthorized access and disclosure by securing the implementation of adequate technical and organizational measures for the protection and secure transfer of personal data.


In case of reservations of tickets through our website, your personal data is entered via scripted channels over a secure server, and in such way unauthorized access to your data is prevented. In order to protect your personal data, we implement adequate technical, physical and organizational measures for protection, taking into consideration the nature, scope and purpose of data processing, as well as risks of different probabilities.


We update and test our security technologies and undertake measures to improve them, We use advanced tools for protection and prevention of date leaking, we encrypt certain data and protect them from unauthorized access, modifications, loss, theft and any other breach or abuse of data.


Access to personal data is limited only to the data necessary for the above-mentioned purposes, and only to authorized persons within the company who work directly on personal data processing. Employees who have access to personal data are bound by clauses on data protection and we agree on adequate protection measures with our partners.


As stated above, we are trying to undertake all reasonable measures in order to protect your personal data. Despite all that, we cannot guarantee the security of the data you have provided us through the internet. By providing your data over the Internet, you accept the possible risk that every provision of personal data and activities on the Internet carries with itself and you agree not to consider us responsible for any errors, except if those are caused by our negligence or intentional abuse.


In order to minimize these risks and increase your security, it is necessary that you protect your device from various malicious programs (viruses, etc.). Our website may include links to other websites and vice versa. We are not responsible for protection of your personal data on linked websites.


We process and store personal data in a manner and within time periods prescribed by applicable laws and general regulations of the company.

VII        Submission of complaints and other rights on protection of personal data

If you establish or suspect that a controller or data processor have violated your rights or that there is a direct danger of violation of your rights, you may file a complaint to the Agency for Protection of Personal Data claiming protection of your rights and request that:


a) controller or data processor refrain from such actions and rectify the factual situation caused by such actions;

b) controller or data processor correct or amend personal data in order that they are authentic and correct;

c) personal data are blocked or erased.

The Agency shall make a special decision on your possible complaint and submit it to you and to us, as the controller or personal data processor. This decision of the Agency may not be appealed against, but an administrative dispute may be initiated before the Court of Bosnia and Herzegovina.

The data controller shall pay compensation for any damage caused to a data subject as a result of the processing of his or her data. Non-material damage is compensated with a public apology and payment of a fair financial compensation. The data controller is liable for any damage to a data subject caused by a data processor. The data controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage. No compensation shall be paid for damage caused by the injured person's intentional or seriously negligent conduct.

Regarding your personal data that we process, you shall have the following rights:

  • right to request verification that your data is being processed,
  • right to access your data being processed and obtain a copy of such data,
  • right to rectification of your personal data,
  • right to erasure of your personal data,
  • right to restriction of processing of personal data
  • right to data portability
  • right to withdraw your consent, when processing is based on your consent.


At any time, you may submit your request for information, data insight, issuing of a copy of personal data that is processed, rectification, erasure, restriction of processing, withdrawal of consent or file a complaint at the following address:  VRBANJA 1, 71000 SARAJEVO, BIH