AK Stevanović: The New Law on Personal Data Protection Has Entered into Force. Read What It Brings
07.10.2025
The New Law on Personal Data Protection in BiH – Alignment with the GDPR and Key Innovations
Written by: Mr. Božana Simić, attorney
The new Law on Personal Data Protection of Bosnia and Herzegovina ("Official Gazette of BiH", number 12/25) is a comprehensive reform of privacy protection. It was adopted on January 30, 2025, published on February 28, 2025, and entered into force on March 8 of the same year, but its application was postponed for 210 days from the date of entry into force. The law was enacted to replace the outdated law from 2006 (amended in 2011) and to align the domestic framework with European standards, above all the EU General Data Protection Regulation (GDPR). Those 210 days (roughly seven months) were the period given for harmonization with the new provisions, so the law has applied in full since October 4 of the current year. Below, we analyze the key provisions of the new law, the most important innovations compared to the previous solution, the fundamental principles of processing, the rights of citizens whose data is processed, the obligations of data handlers, the penalties, and the alignment with EU standards (GDPR).
Key Provisions of the New Law
Subject and Purpose of the Law:
The new Law prescribes rules for the protection of natural persons regarding the processing of personal data, regulates the rights of individuals to privacy and the obligations of those who collect and process data, and defines the jurisdiction of the Personal Data Protection Agency of BiH as the supervisory authority. The law has a broader focus than the previous one—it explicitly refers to alignment with the GDPR and contains special rules for data processing for the purposes of preventing and prosecuting criminal offenses (e.g., in the police and judicial context).
Terminology and Scope:
The alignment with the GDPR is also visible through the definitions of terms and the structure of the law. Modern terms such as data controller and data processor have been introduced, along with a clear definition of personal data and data subjects (individuals to whom the data relates), among others. The scope of the term personal data has been especially expanded—besides names, addresses, ID numbers, and similar information, it now includes online identifiers such as IP addresses, email addresses, cookies, as well as biometric data (e.g., fingerprints). This acknowledges that modern data about individuals includes digital footprints and characteristics not explicitly listed in earlier legislation.
Structure of the Law:
The law thoroughly regulates the principles of data processing, the legality of processing (legal grounds), the obligation to obtain consent in certain cases, the rights of data subjects, the obligations and responsibilities of controllers and processors, conditions for cross-border data transfers, appointment of a Data Protection Officer (DPO), record keeping of processing activities, conducting Data Protection Impact Assessments (DPIA), supervisory measures by the Agency, and prescribes sanctions for violations. In the following sections of this article, these key areas are addressed individually.
Most Important Innovations Compared to the Previous Law
The new law introduces a number of significant innovations compared to the old Law from 2006/2011, aligning Bosnia and Herzegovina's regulations with GDPR standards. The previous law was shorter and less comprehensive, and did not keep pace with technological developments and GDPR requirements, creating the need for a thorough reform. We highlight some of the key innovations of the new law compared to the previous one:
Broader Rights for Citizens:
New rights have been introduced for data subjects (citizens), such as the right to erasure ("right to be forgotten"), the right to data portability, the right to restriction of processing, and the right to object to processing, including objection to automated decision-making. The previous law did not contain these rights to this extent; the right to data portability, for example, was introduced by the GDPR, and the "right to be forgotten" was codified as a statutory right there.
New Principles of Processing and “Built-in Privacy”:
In addition to traditional principles such as lawfulness, fairness and confidentiality, the new law also prescribes the principles of "privacy by design" and "privacy by default." This means that data protection must be embedded into systems and processes from the very beginning: already at the design stage of a technology or service, measures for privacy protection and limitation of processing must be planned. Earlier regulations contained no such explicit requirement.
Mandatory Documentation and Risk Assessment:
There is now an obligation to maintain records of data processing activities (for most organizations, with exceptions for the smallest entities) and to conduct a Data Protection Impact Assessment (DPIA) for processing that may pose a high risk to the rights and freedoms of individuals. The old law did not include DPIAs nor did it require record keeping in such a systematic way, which represents a significant tightening of the controller’s responsibility to proactively assess risks and ensure compliance (so-called controller accountability principle).
Data Protection Officer (DPO):
The GDPR concept of the DPO is now embedded in the Bosnian-Herzegovinian law. Appointing a DPO is mandatory for certain organizations and authorities—for example, for public institutions, for companies whose core activity is the processing of large amounts of data, or the processing of special categories of data (sensitive data). Previous legislation did not require the existence of a DPO. Additionally, the conditions a DPO must meet are prescribed (expertise, certification, independence in work, direct contact with top management and the Agency).
Data Breach Notification:
The new law introduces the obligation that any serious data leak or unauthorized access to personal data must be reported to the Agency within 72 hours of becoming aware of the incident. Also, if the breach is likely to pose a high risk to individuals’ rights, affected persons (data subjects) must be notified as well. The previous law did not contain such a precise requirement for breach notification, which now requires companies and institutions to establish internal procedures for responding to security incidents.
International Data Transfers:
The rules for cross-border personal data transfers have been tightened. It is now explicitly prescribed that data can be transferred outside of BiH only if the recipient country has an adequate level of protection confirmed by the Council of Ministers of BiH (on the proposal of the Agency), or if appropriate safeguards have been taken, such as standard contractual clauses, or in special situations with the explicit consent of the data subject. The old law regulated cross-border transfers in a general way but did not elaborate mechanisms such as standard clauses or consent conditions, which are now regulated in the spirit of the GDPR.
Appointment of Representatives for Foreign Companies:
Foreign legal entities without a registered office in BiH, but which process personal data of BiH citizens (e.g., via the Internet, through remote service provision), must now appoint a local representative in BiH as a contact point for the supervisory authority and data subjects. This corresponds to Article 27 of the GDPR and was not previously required of foreign companies operating in our market.
Higher Fines and Sanctions:
The penalty regime is significantly stricter. Administrative fines of up to 40 million KM or up to 4% of the total annual global turnover of the offender (for legal entities), depending on which amount is higher, are prescribed. This mirrors the GDPR model. The previous law provided for significantly lower fines (on the order of several tens of thousands of KM at most), whereas the new law clearly indicates that privacy violations will be costly for those responsible. In addition to fines for companies, penalties are also foreseen for responsible individuals in institutions/companies (e.g., managers) ranging from several hundred to several thousand KM for certain offenses. The Personal Data Protection Agency has been given broader powers to conduct inspections, order measures, and impose sanctions and processing bans in case of violations—ensuring stronger enforcement of the law than before.
Protection of Children and Vulnerable Groups:
As a special innovation, the 2025 law emphasizes the protection of children's personal data. It is prescribed that in the context of information society services, a child's consent for data processing is valid only if the child is at least 16 years old, and below that age, the consent or approval of a parent/guardian is required. This practically means that, for example, online service providers must verify the age of users and obtain parental consent for minors under 16, which earlier legislation did not clearly define. Also, special categories of data (such as data on health, biometrics, racial or ethnic origin, political opinions, sexual orientation, etc.) enjoy enhanced protection and may only be processed exceptionally, under strict conditions provided by law.
The above innovations show that the new law is significantly more complex and stricter. In the continuation, we will further examine some of these areas in more detail—principles of processing, citizens’ rights, the obligations of those who handle data, and penalty provisions—in order to clarify what they mean in practice.
Principles of Personal Data Processing
The principles of processing represent the fundamental rules that must be followed by anyone who collects and processes personal data. The new law defines them in accordance with GDPR standards. The key principles are:
Lawfulness, fairness, and transparency: Data must be processed in a lawful manner, respecting the rights of the individual, and must be transparent toward the data subject about how their data is being used.
Purpose limitation: Data may only be collected for clearly defined and legitimate purposes and must not be further processed in a way that is incompatible with those original purposes.
Data minimization: Only the minimum amount of data necessary to achieve a specific purpose may be collected. The processing of excessive data that is not needed for the intended goal is prohibited.
Accuracy: Personal data must be accurate and kept up to date; inaccurate data should be corrected or deleted without delay.
Storage limitation: Data must be stored in a form that allows identification of the individual only for as long as necessary to fulfill the intended purpose. After that, the data must be deleted or anonymized, unless the law requires longer retention.
Integrity and confidentiality: Appropriate data security must be ensured, including protection against unauthorized or unlawful access, disclosure, alteration, or loss, through technical and organizational measures.
Accountability: The data controller is responsible for compliance with all these principles and must be able to demonstrate that compliance. This is a new principle that effectively obligates organizations to maintain records and document their data processing activities.
In addition to these general principles, the law introduces the concept of built-in privacy:
Privacy by design and by default: Systems and services must be designed to protect user privacy from the outset. By default, only the data necessary for the specific purpose should be collected and processed, with appropriate security measures applied. For example, software used for data processing should ship with default settings that do not allow public sharing of data unless the user explicitly chooses otherwise, and safeguards against data breaches should be built in at the planning stage rather than added afterwards.
In practice, these principles require every data-processing entity (whether a company, institution, or another body) to establish a culture of data protection: from drafting clear and understandable privacy policies, limiting access to data, to regularly reviewing whether only necessary data is stored and whether it is up to date. Adhering to the principles is the foundation of lawful processing—violating the principles (e.g., collecting excessive data or storing it longer than necessary) constitutes a violation of the law.
Rights of Data Subjects
One of the central components of the new law is the catalog of rights for data subjects—individuals whose personal data is being processed. These rights are almost identical to those prescribed by the GDPR, thereby guaranteeing citizens of Bosnia and Herzegovina a high level of control over their data. The key rights include:
Right to be informed: Individuals have the right to be clearly and understandably informed about who is processing their personal data, why, and how. Information about processing must be presented in simple language, without incomprehensible legal or technical jargon. This right obligates controllers to provide transparent privacy notices at the time of data collection.
Right of access: The data subject has the right to obtain confirmation from the controller about whether their data is being processed, access to that data, and information about the purpose of processing, categories of data, potential recipients, storage periods, etc. (similar to the "Subject Access Request" under the GDPR). The controller must provide a copy of the personal data it processes about that individual.
Right to rectification: If data is inaccurate or incomplete, the individual has the right to request correction or completion. The controller must make the correction without undue delay and inform the individual accordingly.
Right to erasure (“right to be forgotten”): In certain situations, the data subject has the right to request the deletion of their personal data. This may apply, for example, if the data is no longer necessary for the purposes for which it was collected, if the individual withdraws consent on which the processing was based, or if the processing is unlawful. The controller must then delete the data unless a legal basis overrides the request (e.g., a legal obligation to retain data).
Right to restriction of processing: This right allows individuals to temporarily halt the processing of their data in specific situations. For example, if the accuracy of data is disputed, the individual may request a restriction while the accuracy is verified; or if the processing is unlawful, but the individual prefers restriction over deletion; or if the controller no longer needs the data but it must be retained for legal claims. While processing is restricted, the data may only be stored and not further processed (unless with consent or for legal reasons).
Right to data portability: A new right that allows the data subject to receive their personal data provided to the controller in a structured, commonly used, and machine-readable format and to transmit that data to another controller if desired. This applies when processing is based on consent or a contract and is carried out by automated means. For example, a user may request data from a social network or bank to transfer to another service provider.
Right to object: Individuals have the right to object at any time to the processing of their data based on the controller’s legitimate interest or a task carried out in the public interest, including profiling based on those grounds. Once an objection is raised, the controller must stop processing unless it can demonstrate compelling legitimate grounds that override the individual’s interests and rights. Notably, the right to object to direct marketing is absolute—if someone states they do not want their data used for marketing, the controller must comply. Additionally, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless they have given explicit consent, subject to certain exceptions.
Right to withdraw consent: When processing is based on consent, the data subject has the right to withdraw that consent at any time. Withdrawing consent must be as easy as giving it, and after withdrawal, the controller may no longer process that data (this does not affect the lawfulness of processing before the withdrawal). Before collecting consent, the controller must inform the individual of their right to withdraw it. This ensures that consent is genuinely under the individual’s control and not irrevocable.
All the rights listed above must be enabled and facilitated by the data controller. Upon a data subject’s request, the controller must respond without undue delay and no later than the legally prescribed deadline (typically one month). Rejection of a request must be exceptional and must be justified. Furthermore, data subjects have the right to file a complaint with the Personal Data Protection Agency if they believe their rights have been violated, and they have the right to judicial remedies.
This significant expansion of citizens’ rights means that companies and institutions must establish procedures for responding to requests: for example, how to provide a copy of the data to a person who requests access, or how to delete someone’s data from their databases. Also, informing individuals through privacy policies and notices must be in clear language—“without legal or technical terms they don’t understand”—so that the average citizen knows what rights they have and how to exercise them.
Obligations of Data Controllers and Penal Provisions
The new law prescribes in detail the obligations of data controllers and processors (i.e. all entities that determine the purposes of processing or process data on behalf of the controller). Both new technical and organizational measures that must be applied, as well as procedural obligations for demonstrating compliance with the law, are introduced. Below are the most important obligations and associated penalty provisions:
Technical and Organizational Protective Measures: Controllers and processors are required to apply appropriate security measures to protect personal data, taking into account the nature of the data and risks. This includes measures such as encryption, access control, physical security of servers, regular backups, protection against malicious software, etc. The law also requires the establishment of internal security policies and training for staff handling data. The principles of privacy by design and by default practically mean that data protection must already be integrated when developing new systems or procedures. Violation of these obligations (e.g. if a data breach occurs due to inadequate security) exposes the organization to financial sanctions.
Records of Processing Activities: All controllers should keep records of which personal data they process, for what purposes, on what legal grounds, where the data is stored, to whom it is disclosed, how long it is retained, and so on. This documentation (the so‑called "Record of Processing Activities") may be kept in written or electronic form. Exception: enterprises with up to 250 employees are partially exempted, unless their processing is not occasional, involves sensitive categories of data, or poses a high risk. Nevertheless, in practice it is advisable for even smaller entities to keep at least basic records. The aim of this obligation is that it is always possible to ascertain what is happening to data within an organization. Failure to keep records, or keeping incomplete records, may constitute an offense punishable by a monetary fine.
Data Protection Impact Assessment (DPIA): When a processing activity may pose a high risk to individuals’ rights and freedoms (e.g. introduction of new tracking technology, processing large amounts of sensitive data, user profiling, biometric identification, etc.), the controller is required to carry out a DPIA before initiating the processing. A DPIA involves a detailed analysis: what data will be processed, why it is necessary, what potential privacy risks exist, and what measures will be taken to mitigate risks. If the DPIA shows that the risk remains high, the controller must consult the Agency prior to processing. This obligation is entirely new in our legislation, adopted from the GDPR, and serves a preventative function to ensure data protection is considered in advance. Failure to perform a DPIA when legally required may result in significant fines.
Managing Consents: When processing is based on the consent of data subjects, the controller must be able to prove that valid consent has been obtained. Consent must be given voluntarily, informed, and unambiguous, typically in written or electronic form (e.g. clicking “I accept” along with a privacy policy), and the request for consent must be clear and separate from other terms. Special rules are prescribed for the consent of children in information society services – minors under 16 years require parental/guardian consent. The controller must facilitate withdrawal of consent (e.g. allowing the user to unsubscribe from a newsletter at any time). Sending marketing emails (newsletters) without prior consent is now explicitly prohibited and punishable. This means that companies must establish clear mechanisms for collection and registration of user consents for different purposes of processing.
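The consent requirements in the paragraph above (provable consent, one purpose at a time, withdrawal as easy as giving, parental consent for children under 16 in information society services, and the lawfulness of processing done before a withdrawal) translate directly into a small append-only registry. The following is an added example written for this article, not code from the law firm or from any product; the subject identifiers, purposes, policy version strings and timestamps are constructed sample data, and the 16-year threshold is taken from the article.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import List, Optional

CHILD_AGE_LIMIT = 16  # threshold the article gives for information society services


def age_on(birth_date: date, on: date) -> int:
    """Completed years of age on a given date."""
    return on.year - birth_date.year - ((on.month, on.day) < (birth_date.month, birth_date.day))


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: consent given or withdrawn for exactly one purpose."""
    subject_id: str
    purpose: str          # e.g. "newsletter"; a consent never covers other purposes
    given: bool           # True = consent given, False = withdrawn
    at: datetime          # timezone-aware UTC
    policy_version: str   # which version of the privacy notice the subject saw
    method: str           # how it was captured: "web_checkbox", "unsubscribe_link", ...
    given_by: str         # "subject" or "parent_guardian"


@dataclass
class ConsentRegistry:
    events: List[ConsentEvent] = field(default_factory=list)

    def record_consent(self, subject_id: str, purpose: str, *, birth_date: date,
                       policy_version: str, method: str, parent_consent: bool = False,
                       at: Optional[datetime] = None) -> ConsentEvent:
        """Append a consent; refuse a minor's own consent unless a parent/guardian gave it."""
        at = at or datetime.now(timezone.utc)
        minor = age_on(birth_date, at.date()) < CHILD_AGE_LIMIT
        if minor and not parent_consent:
            raise PermissionError(f"{subject_id} is under {CHILD_AGE_LIMIT}: parental consent required")
        event = ConsentEvent(subject_id, purpose, True, at, policy_version, method,
                             "parent_guardian" if minor else "subject")
        self.events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, *, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal takes no justification and no age check: as easy as giving consent."""
        event = ConsentEvent(subject_id, purpose, False, at or datetime.now(timezone.utc),
                             "", method, "subject")
        self.events.append(event)
        return event

    def is_permitted(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Was processing for this purpose covered by consent at time `at`?
        The latest event at or before `at` decides, so processing done before a
        withdrawal stays lawful while anything after it is not."""
        at = at or datetime.now(timezone.utc)
        history = [e for e in self.events
                   if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return bool(history) and max(history, key=lambda e: e.at).given

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail the controller can produce to prove valid consent."""
        return sorted((e for e in self.events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


def demo_scenario() -> dict:
    """Constructed walk-through with sample subjects (not real data)."""
    reg = ConsentRegistry()
    t0 = datetime(2025, 10, 6, 9, tzinfo=timezone.utc)
    t1 = datetime(2025, 10, 6, 12, tzinfo=timezone.utc)
    t2 = datetime(2025, 10, 7, 8, tzinfo=timezone.utc)
    # Adult (born 1990) consents to the newsletter, then unsubscribes three hours later.
    reg.record_consent("u-1001", "newsletter", birth_date=date(1990, 5, 14),
                       policy_version="2025-10", method="web_checkbox", at=t0)
    reg.withdraw("u-1001", "newsletter", method="unsubscribe_link", at=t1)
    # 14-year-old (born 2011): own consent is refused, parental consent is accepted.
    try:
        reg.record_consent("u-2002", "analytics", birth_date=date(2011, 3, 2),
                           policy_version="2025-10", method="web_checkbox", at=t0)
        child_refused = False
    except PermissionError:
        child_refused = True
    child = reg.record_consent("u-2002", "analytics", birth_date=date(2011, 3, 2),
                               policy_version="2025-10", method="parent_portal",
                               parent_consent=True, at=t2)
    return {
        "adult_before_withdrawal": reg.is_permitted("u-1001", "newsletter", at=t0),
        "adult_after_withdrawal": reg.is_permitted("u-1001", "newsletter", at=t2),
        "adult_other_purpose": reg.is_permitted("u-1001", "analytics", at=t0),
        "child_refused_without_parent": child_refused,
        "child_given_by": child.given_by,
        "child_permitted": reg.is_permitted("u-2002", "analytics", at=t2),
        "adult_evidence_entries": len(reg.evidence("u-1001", "newsletter")),
    }
```

The registry never overwrites or deletes an entry: a withdrawal is a new event, so the controller can still show that the newsletter sent at 09:00 was lawful even though consent was withdrawn at 12:00, and `evidence()` returns the notice version and capture method for each step. Checking consent per purpose is what keeps a newsletter opt-in from being reused for analytics or profiling.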
Appointment of a DPO: As previously mentioned in the “innovations,” certain entities must appoint a Data Protection Officer (DPO). The DPO may be an internal person or an externally engaged specialist, but in any case must have appropriate qualifications—knowledge of data protection laws and practices, ability to monitor compliance and advise leadership. The DPO must be independent in their work—they must not have conflicts of interest, must report to the highest level of management, and are tasked with overseeing legal compliance, training staff, and cooperating with the Agency. The DPO obligation applies to public authorities (excluding courts in judicial matters) and companies whose main activity includes mass processing or processing of special data. However, even when the law does not mandate it, appointing a DPO is recommended to facilitate compliance and reduce risk. Failure to appoint a DPO when required or obstruction of their work constitutes a violation of the law.
Contracts between Controllers and Processors: When a controller engages another company (processor) to process data on its behalf (for example, cloud services, transaction processors, CRM platforms), a data processing agreement (DPA) must be concluded. This contract must stipulate that the processor may operate only according to the controller’s instructions, applying the same protective measures, and define liabilities. The processor also bears obligations to protect data and may be held jointly liable with the controller if it fails to comply with the contract.
Cross‑Border Data Transfer: As already mentioned, the new law prohibits exporting personal data to countries without an adequate level of protection, except under special mechanisms. The controller must verify whether there is a decision of adequacy for that country (to be adopted by the Council of Ministers of BiH upon the Agency’s proposal). If none exists, it is permissible to rely on standard contractual clauses or other contractual/guaranteed safeguards. Lacking those, the only recourse may be individual derogations (such as explicit consent by the data subject for a specific transfer). For companies, this means that using cloud services or sending data to partners outside BiH requires a legal basis—often that will be standard contractual clauses in agreements with those partners. Non‑compliance with these provisions is likewise subject to sanctions.
Cooperation with the Agency and Oversight: Controllers and processors are obliged to cooperate with the Personal Data Protection Agency, which is authorized to conduct inspections, act on citizen complaints, and order corrective measures. The new law explicitly empowers the Agency to issue orders banning processing, to require correction or deletion of data, and to impose administrative fines for violations. Organizations must grant the Agency access to information and premises during oversight; otherwise, they violate the law.
Penal Provisions: As already emphasized, the law introduces penalty levels similar to the GDPR. The most serious violations (breach of fundamental principles, unlawful processing, violation of data subjects’ rights, noncompliance with Agency orders, unlawful international transfers, etc.) may result in fines of up to 40,000,000 KM or 4% of the company’s total annual turnover—whichever is higher. For lesser violations (e.g. failure to respond to a subject’s request within the prescribed time, minor documentation lapses) lower fines are foreseen, but even those can be significant (e.g. up to 10 or 20 million KM depending on the category of violation, per the text of the law). Responsible natural persons within the company or institution may be fined several hundred to several thousand KM. It is important to note that fines are assessed taking into account circumstances—severity and duration of the violation, the number of individuals affected, the degree of culpability, mitigating measures taken, prior violations, and degree of cooperation with the Agency. Thus, if a violation occurs, active cooperation with the supervisory authority and prompt response may lead to milder sanctions, whereas ignoring or obstructing will likely lead to harsher penalties.
Also, certain acts of unlawful processing may incur criminal liability under criminal laws (for example, unauthorized use of personal data may constitute a criminal offense), which is separate from the Data Protection Law itself. However, the primary enforcement mechanism lies with the Agency and administrative penalties. The legislator’s message is clear: compliance is not optional but obligatory, and investing in data protection is far more cost‑effective than paying fines.
Compliance with EU Standards (GDPR)
The new Personal Data Protection Law of Bosnia and Herzegovina is modeled after the GDPR and almost entirely mirrors its key provisions. This means BiH has fulfilled one of the important prerequisites on its path toward European integration – adopting modern data protection legislation. Here are some notes on the relationship between the new law and the GDPR:
Substantial alignment: The structure, processing principles, individual rights, obligations of controllers/processors, and institutions such as the DPO, DPIA, activity records, breach notifications, international transfers, etc., are essentially identical to the GDPR framework. Therefore, companies already compliant with GDPR largely meet the requirements of the BiH law (with some minor local specifics).
Territorial scope: GDPR applies across the entire EU, while the BiH law is a national regulation. However, the BiH law also has extraterritorial reach similar to GDPR – it applies to foreign entities processing data of BiH citizens (hence the requirement to appoint a representative). This means foreign companies targeting the Bosnian market must comply with these standards.
Representative of foreign controllers: The obligation to appoint a representative in BiH for foreign companies (Article 27 GDPR) is incorporated into the BiH law, enabling the Agency to effectively supervise controllers without physical presence in BiH.
Penalty framework: Penalties are formally expressed in the local currency (Convertible Marks) with set thresholds (e.g., 40 million KM), but the mechanism is identical to GDPR – up to 4% of global turnover for the most serious violations. Large international entities cannot avoid penalties by claiming their BiH turnover is small; total global turnover counts, which is significant for big tech companies.
Local adaptation: The BiH law contains provisions tailored to the local legal system, such as specifying the Agency’s jurisdiction and procedures within BiH institutions, including entities and the Brčko District. It also includes provisions on data processing for judicial purposes and cooperation between the Agency and law enforcement, which GDPR does not directly cover (the EU has a separate directive for police and judicial sectors). However, regarding commercial and general processing, the new law largely follows European best practices.
All this means that Bosnian companies, institutions, and other entities must now operate practically the same as EU entities in terms of data protection. For internationally operating firms, alignment will be easier due to the unified rule set; for domestic firms not previously required to comply with GDPR, this is a significant change requiring substantial adjustment.
Conclusion
The new Personal Data Protection Law of BiH brings modernization and much stricter standards in privacy protection. Aligned with the GDPR, it grants citizens broader rights and control over their data, while imposing a higher level of responsibility and transparency on companies and institutions in data processing. Key changes like the introduction of the right to be forgotten, mandatory security measures, the DPO role, breach reporting, and significantly increased penalties make it clear that data protection must be taken seriously. This is also a step toward the EU – meeting European conditions and aligning with standards in member states.
For businesses, institutions, and other organizations, the period until October 2025 is the time for adjustment. It is recommended that all entities processing personal data review and align their practices with the new law. This includes, among other things: creating or updating privacy policies and processing records, training staff on new rules, implementing technical protection measures, appointing a data protection officer if required, establishing procedures to exercise citizens’ rights and report incidents, and reviewing all contracts and data transfers abroad. Investing effort in compliance will not only avoid fines but also bring long-term benefits – increased user/client trust and more secure business processes.
The new law significantly raises the bar for data protection in BiH. Although it poses challenges for business and administration, its enforcement is a positive step toward strengthening citizens’ rights and building a culture of privacy. This places BiH on par with EU countries regarding privacy regulation, benefiting both citizens and the business environment in the long run. Timely compliance and a serious approach to these obligations will be the best way to avoid unpleasant sanctions and ensure lawful data processing in the future.
/ / /
"Standard Prva" LLC Bijeljina is a company registered with the District Commercial Court in Bijeljina. The company's activities are accountancy, purchase of receivables, angel investing and other related services. Distressed debt is the part of the Group in which the company purchases receivables that are not being repaid regularly.
Lawyer's Office Stevanović is the leading lawyer's office in the region, with its seat in Bijeljina. The abbreviation LO stands for the Lawyer's Office of Vesna Stevanović and the Lawyer's Office of Miloš Stevanović.
Media contact: press@advokati-stevanovic.com, or by telephone on 00 387 55 230 000 or 00387 55 22 4444.