New Personal Data Protection legislation

The new Law on Personal Data Protection of Bosnia and Herzegovina has been published in the Official Gazette of BiH No. 12/2025.

This law establishes rules for the protection of natural persons regarding the processing of personal data and the free movement of such data. It also defines the competencies, organization, and governance of the Personal Data Protection Agency of Bosnia and Herzegovina, as well as other matters relevant to its lawful operation. Additionally, it sets out provisions for the protection of individuals’ personal data when processed by competent authorities for the purposes of preventing, investigating, and detecting criminal offenses, prosecuting offenders, and enforcing criminal sanctions, including protection against and prevention of threats to public security.

The objective of the new Law is to safeguard the fundamental rights and freedoms of individuals in Bosnia and Herzegovina, regardless of their nationality or residence, particularly their right to personal data protection.

The law aligns Bosnia and Herzegovina’s legal framework with the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data, commonly referred to as the General Data Protection Regulation (GDPR).

Compared to the previous Personal Data Protection Law, which was enacted nearly 20 years ago, the new Law provides a significantly more detailed and comprehensive regulatory framework for personal data protection. It incorporates provisions fully harmonized with the latest data protection standards applied within the European Union.

The new Law introduces significant changes, including a more precise definition and elaboration of individuals’ rights concerning their personal data and privacy, a clearer division of responsibilities and obligations for data controllers and processors, a well-defined set of principles governing data processing, and the establishment of the competencies and powers of the Personal Data Protection Agency of Bosnia and Herzegovina.

By aligning with European standards, this Law not only protects individuals’ rights but also defines the legal framework for cross-border data transfers, including transfers to other countries or international organizations. It establishes legal mechanisms for such transfers, ranging from adequacy decisions and safeguards to binding corporate rules and derogations for specific situations.

Moreover, the Law introduces significantly higher financial penalties for non-compliance with personal data protection obligations. Fines may range from BAM 20.000,00 to BAM 40.000.000,00 or, in the case of entrepreneurs, up to 4% of their total global annual turnover for the preceding financial year.

The Law entered into force on March 8, 2025, and will apply after the expiration of 210 days from its entry into force, i.e., from October 4, 2025. In the interim, it is necessary to adopt a series of by-laws to further elaborate the legal provisions, while data controllers and processors are given sufficient time to ensure compliance with the new legal requirements.

Author: Igor Letica
