Law on Protection of Personal Data of Bosnia and Herzegovina

• January 23, 2025 – Adopted by the House of Representatives, replaces the 2006 law and its 2011 amendments.
• January 30, 2025 – Adopted by the House of Peoples.
• February 28, 2025 – Published in the Official Gazette and entered into force

The law applies to:

• Public authorities operating in Bosnia and Herzegovina.
• Private companies and other legal entities processing personal data.
• Natural persons acting as controllers when processing is not purely personal or household.
• Foreign controllers and processors offering goods or services to individuals in Bosnia and Herzegovina or monitoring their behaviour within the country.

It applies to both automated processing and structured manual filing syste

• Processing carried out by a natural person for purely personal or household activities.
• Certain processing by competent authorities regulated under specific provisions of the Act.
• Restrictions introduced by special legislation.
• Special rules for journalistic, academic, artistic, literary, and research activities.

Controllers must follow core data protection principles:

• Lawfulness, fairness, and transparency.
• Purpose limitation.
• Data minimization.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality.

Additional obligations include:

• Identifying a valid legal basis (consent, contract, legal obligation, public interest, legitimate interest).
• Implementing appropriate technical and organizational measures.
• Applying data protection by design and by default.
• Maintaining records of processing activities where required.
• Conducting data protection impact assessments for high-risk processing.
• Appointing a Data Protection Officer (DPO) where mandated.

Website operators must:

• Provide clear and transparent information about the processing of personal data.
• Obtain valid consent where required, including parental consent for children under 16 in relation to information society services.
• Respond to data subject requests within 30 days, with limited extensions where permitted.
• Notify the supervisory authority of certain personal data breaches within 72 hours.
• Inform affected individuals when a breach presents a high risk to their rights and freedoms.
• Apply appropriate safeguards when collecting personal data online.

• Written data processing agreements between controllers and processors.
• Appointment of a representative in Bosnia and Herzegovina where required.
• Cross-border data transfers only where adequate safeguards or lawful mechanisms apply.
• Binding corporate rules and certification mechanisms where relevant.
• Additional safeguards for sensitive and biometric data.
• Specific conditions for video surveillance.

Individuals have the right to:

• Access their personal data.
• Rectify inaccurate or incomplete data.
• Request erasure in defined circumstances.
• Restrict processing in certain cases.
• Data portability where applicable.
• Object to certain processing, including direct marketing.
• Protection against decisions based solely on automated processing, except under specific conditions.
• Seek compensation for damage resulting from unlawful processing.

• Supervisory Authority: Personal Data Protection Agency of Bosnia and Herzegovina.
• Powers: Inspections, corrective measures, suspension of processing, and initiation of proceedings.
• Fines: Administrative fines for legal entities and responsible persons depending on the nature and severity of the violation.
• Supervision: Ongoing audits and regulatory oversight.