New Personal Data Protection Law Enters Into Force in Bosnia and Herzegovina


As an EU candidate whose accession is contingent upon harmonizing its legislation with EU standards, Bosnia and Herzegovina (“BH”) was required to align its existing personal data protection legislation with EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”). BH therefore adopted the Personal Data Protection Law (“DPL”), published in the Official Gazette on 28 February 2025 and entering into force on 4 October 2025.

The adoption of this law represents a significant advancement in BH’s efforts to bring its data protection framework in line with European requirements. However, while the text of the DPL represents a formal alignment with EU standards, its implementation will test the institutional maturity of the BH data protection regime, particularly given the country’s complex constitutional structure and limited administrative capacity.

  1. DPL Highlights

The DPL brings the BH regulatory framework into full alignment with the GDPR and the EU Law Enforcement Directive (Directive 2016/680) and, in doing so, introduces major changes to the old data protection laws. Mirroring GDPR principles, biometric and genetic data are now explicitly recognized as personal data, alongside previously established identifiers such as names, photos, IP addresses, and e-mail addresses. The new law also introduces clear definitions of profiling, pseudonymization, and data breaches.

Data subjects in BH now enjoy all of the rights provided for in the GDPR, including the right to access, correct or delete their personal data, as well as to restrict processing, to data portability, and to object to automated decision-making. Data breaches must be reported to the supervisory authority within 72 hours, and affected individuals must be notified where the risk to their rights is significant.

The DPL strengthens obligations for data controllers, requiring robust technical and organizational safeguards and finally codifying the “right to be forgotten”, thereby allowing individuals to request the erasure of their data when no legal basis for processing remains.

Controllers and processors must also maintain detailed records of processing activities, which must be made available to the BH Personal Data Protection Agency (“DPA”) upon request. Organizations handling sensitive or large volumes of data must appoint a Data Protection Officer, and foreign entities processing BH residents’ data must designate a local representative.

The DPL also requires staff training, internal policies, privacy procedures, and codes of conduct, all of which must align with the law, ensuring compliance across both public and private sectors. Organizations are encouraged to adopt approved certification mechanisms and codes of conduct to demonstrate compliance and accountability. These obligations go beyond IT infrastructure, covering scenarios from publishing employee data online to operating legally justified and clearly marked video surveillance, where the legal basis for processing must always be clearly identified and understood.

While the DPL’s structure closely mirrors the GDPR, its enforcement will depend on the practical ability of controllers and processors, many of whom lack the internal expertise, to implement these standards meaningfully rather than formally. Moreover, the law’s approach to cross-border processing and cooperation with foreign supervisory authorities remains to be addressed.

  2. Supervisory Authority

While the supervisory powers of the DPA have been strengthened to allow for effective oversight and enforcement, it has yet to publish bylaws and guidelines. It has the authority to conduct inspections and data-protection audits, to notify data subjects of breaches, to restrict or completely prohibit certain processing activities, to suspend data transfers, and to issue fines for particularly serious violations of the DPL. The fines can range from BAM 500 for individuals to BAM 40 million or 4% of global turnover for companies, depending on the severity of the breach. The law also provides for individual liability of responsible persons within organizations, including fines of up to BAM 70,000 for executives and BAM 5,000 for employees. However, these very broad powers granted to the DPA are not in and of themselves a guarantee of effective oversight, so long as it is unwilling or unable to wield them properly. Therefore, the extent to which the DPA will actively enforce compliance remains uncertain and will depend on its capacity and willingness to act, particularly in cases involving very large controllers and processors that wield considerable economic leverage.

The DPA’s current institutional capacity remains limited, both in human and financial resources, which may undermine the deterrent value of its new sanctioning powers. Unless accompanied by a significant increase in inter-institutional cooperation (particularly with judicial and law enforcement bodies), the DPA’s expanded powers risk remaining largely theoretical. Another systemic challenge lies in the overlapping competences between the DPA and certain sectoral regulators, such as those for telecommunications and financial services, which could generate jurisdictional conflicts unless clearly delineated through by-laws.

  3. Transition and By-laws

It is also important to note that controllers and processors already engaged in data processing have two years to fully align their processing activities with the DPL. This means that the full effects of the law will not be felt until March 2027. This ‘grace period’ is important not only for controllers and processors, but also for the DPA and the BH legislature, which must, in this same period of time, introduce a number of by-laws and amendments to existing laws in order for the DPL to become fully applicable.

Some of the by-laws envisioned in the DPL that have yet to be adopted include templates for Standard Contractual Clauses for data transfers, lists of processing operations that do or do not require a Data Protection Impact Assessment, and certification criteria and procedures. That these acts have not already been adopted may be cause for some concern regarding the DPA’s readiness to effectively enforce the law. Although there is still ample time before March 2027, controllers and processors seeking compliance with the DPL at this time are going to run into difficulties resulting from the lack of adopted by-laws, which creates legal uncertainty for both them and the individuals whose data they process.

Equally important is that the DPL’s sanctioning regime cannot be fully implemented without corresponding amendments to procedural laws governing administrative offences and judicial review. In their current form, these laws do not provide a clear procedural foundation for imposing or enforcing fines in the prescribed percentages/amounts.

This gap reflects a broader structural problem: Bosnia and Herzegovina’s fragmented legal framework often prevents timely harmonization across related sectors. Unless addressed, this could delay the DPL’s practical enforcement well beyond the statutory deadlines.

The coming period will therefore test whether the legislature and the DPA can move from declarative alignment with EU standards to genuine, functional compliance, by adopting the necessary by-laws and procedural amendments on time.

  4. Conclusion

Nonetheless, by adopting the DPL in its current form, BH has signalled its commitment to EU standards of governance, transparency, and the protection of fundamental rights. Yet the law’s success will depend on the timely adoption of supporting by-laws, sectoral harmonisation, and proactive enforcement by the DPA. Without these steps, the framework risks remaining aspirational rather than operational. The next two years will be decisive: turning legislative ambition into practical compliance is essential for building trust, safeguarding rights, and advancing BH’s digital and European integration.

Ultimately, the DPL should be seen not merely as a legislative milestone, but as a test of institutional credibility. Its success will depend less on the precision of its text and more on the consistency, transparency, and courage of its enforcement. For Bosnia and Herzegovina, this is as much a question of governance culture as it is of legal alignment.

By Milos Mitic, Senior Partner, JPM & Partners

JPM & Partners at a Glance

JPM & Partners is a leading full-service commercial law firm with a 30-year legacy in Serbia and a strategic focus on Southeast Europe’s dynamic markets. With offices in Montenegro, North Macedonia and Bosnia and Herzegovina, and global connectivity through Lex Mundi, we deliver seamless cross-border services — over 80% of our work involves representing international clients in multi-jurisdictional matters.

Our integrated corporate and specialized services span mergers and acquisitions, private equity, real estate, banking and finance, tax, energy, mining, foreign investments, corporate/commercial law, competition law, restructuring, public procurement, and litigation. We also excel in emerging sectors, including environmental law, intellectual property, white-collar crime, international arbitration, labour law, and data protection, providing end-to-end solutions for complex market entries, transactions, and disputes.

By aligning our goals with those of our clients, we prioritize their success in high-stakes cross-border matters. Our teams combine deep regional expertise with global insights, guiding multinational corporations through regulatory frameworks, privatization initiatives, and strategic investments.

Consistently ranked as a top-tier firm by Chambers & Partners, The Legal 500, and IFLR1000, we are trusted for our ability to navigate the CEE/SEE region’s fast-evolving legal and business landscapes.

Committed to thought leadership, we advance industry discourse through publications, international conferences, and knowledge-sharing initiatives. At JPM & Partners, we bridge Southeast Europe’s potential with global demands, transforming complexity into an opportunity for clients seeking to thrive in competitive, cross-border environments.

Firm's website: www.jpm.law