In March 2025, Bosnia and Herzegovina adopted its long-awaited Law on Personal Data Protection, a piece of legislation that fundamentally reshapes the country’s privacy landscape. The law was adopted to bring domestic rules into alignment with the EU’s General Data Protection Regulation (GDPR) and to ensure a coherent data protection framework across both entities and Brcko District. After a 210-day vacatio legis, the law is set to take full effect in October 2025, giving businesses and public authorities a limited time to adapt.
A New Legal Framework
The previous law, dating back to 2006, had long been considered outdated and poorly harmonized with European standards. The new law mirrors the GDPR in structure, principles, and terminology. It introduces the concept of controllers and processors, data subject rights, obligations regarding lawful bases for processing, and a system of oversight by the Personal Data Protection Agency of Bosnia and Herzegovina (DPA).
The law applies to all processing of personal data by both private and public entities established in Bosnia and Herzegovina, as well as to foreign operators targeting Bosnian residents. This extraterritorial effect is a direct import from GDPR, ensuring that companies outside BiH must comply when offering goods or services to individuals in the country.
Lawful Bases and Consent
As in the GDPR, processing of personal data requires a lawful basis. The law explicitly lists contract performance, legal obligations, vital interests, public interest, and legitimate interests as grounds. Consent remains a central basis, but the law clarifies that it must be freely given, specific, informed, and unambiguous. The new framework also introduces stricter requirements for processing sensitive data, such as health information, biometric identifiers, and political or religious affiliations. Here, explicit consent or a narrow statutory exception will be required.
Expanded Data Subject Rights
Data subjects gain significantly enhanced rights under the new law. In addition to the rights of access, rectification, and objection, individuals can now exercise the right to erasure (“right to be forgotten”), the right to data portability, and the right to restriction of processing. Controllers must respond to such requests without undue delay and in any event within 30 days, a timeline identical to that of the GDPR.
Obligations for Controllers and Processors
The law imposes a host of compliance duties on controllers and processors. Key among them are: (1) data protection by design and by default, requiring that privacy considerations are embedded into systems and processes from the outset; (2) records of processing activities, which must be maintained and made available to the DPA upon request; (3) data protection impact assessments (DPIAs) for high-risk processing, such as large-scale use of special categories of data or systematic monitoring of public areas; and (4) contracts between controllers and processors, spelling out responsibilities, security measures, and limitations on sub-processing. Additionally, certain entities will need to appoint a Data Protection Officer (DPO), particularly where the core activities involve large-scale monitoring or processing of sensitive data.
Supervisory Authority and Enforcement
The Agency for Personal Data Protection retains its central role as supervisory authority but with significantly enhanced powers. The law equips the agency with investigatory, corrective, and sanctioning powers modeled on the GDPR. Administrative fines are now aligned with European practice: for the most serious breaches, they can be up to approximately EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher.
Transitional Period and Practical Implications
Organizations operating in Bosnia and Herzegovina face a demanding compliance agenda in the months ahead. Steps that will need to be prioritized include: (1) mapping data processing activities and identifying lawful bases, (2) reviewing and updating privacy notices, contracts, and internal policies, (3) establishing procedures for handling data subject requests, (4) implementing technical and organizational security measures, and (5) assessing the need for DPO appointments and conducting DPIAs where applicable. The transitional period until October 2025 is short, and non-compliance will expose businesses to significant financial and reputational risk.
Conclusion
The adoption of the new Law on Personal Data Protection marks a decisive step in Bosnia and Herzegovina’s integration into the European data protection framework. By closely following the GDPR model, the law strengthens the rights of individuals, modernizes corporate obligations, and equips the supervisory authority with real enforcement power. For companies, it represents both a compliance challenge and an opportunity to build trust with customers and partners in the country.
By Igor Letica, Head of the Data Protection Department, Law Firm Sajic Banja Luka
This article was originally published in Issue 12.8 of the CEE Legal Matters Magazine.
