Last modified 13 February 2026

Data Protection in Bosnia and Herzegovina

Breach notification in Bosnia and Herzegovina

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Bosnia and Herzegovina

The Law on the Protection of Personal Data of BiH ("Official Gazette of BiH", no. 12/25)

The Law on Personal Data Protection of Bosnia and Herzegovina (“DP Law”) was adopted on 30th January 2025 and entered into force on 8th March 2025. The DP Law represents a significant reform of the previous data protection framework and aims to align the national legal system with the standards of the EU.

To a large extent, the DP Law transposes the principles, concepts, and structure of the GDPR. It introduces modern data protection standards, strengthens the rights of data subjects, expands the obligations of controllers and processors, and enhances the supervisory and enforcement powers of the national data protection authority.

The adoption of this DP Law is an important step in Bosnia and Herzegovina’s process of harmonization with EU law and in ensuring a higher level of protection of personal data and privacy.

Related resources

Definitions

Definitions in Bosnia and Herzegovina

The definitions provided in the DP Law are aligned with the terminology and concepts of the GDPR.

Personal data means any information relating to an identified or identifiable natural person.

Special categories of personal data mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation.

Data subject means an identified or identifiable natural person, that is, a person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller means a natural or legal person, public authority, or other competent body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor means a natural or legal person or public authority which processes personal data on behalf of the data controller.

Related resources

Authority

National data protection authority in Bosnia and Herzegovina

The Personal Data Protection Agency (DPA) is the national data protection authority in BiH. The DPA is seated in:

Dubrovačka 6
Sarajevo
www.azlp.ba

The DPA remains national data protection authority under Draft Data Protection Law.

Related resources

Registration

Registration in Bosnia and Herzegovina

Unlike the previous law, the current legal framework in Bosnia and Herzegovina abolishes the central registry previously maintained by the Agency. There is no general obligation to submit records of personal data processing to the Agency. Instead, controllers and, where applicable, their representatives are required to maintain detailed internal records of all processing activities for which they are responsible.

These records should cover:

the identity and contact details of the controller,
any joint controllers,
representatives, or
data protection officers;
the purposes of processing;
categories of data subjects and personal data;
categories of recipients, including those in other countries or international organizations;
transfers abroad and related safeguards;
retention periods; and
a general description of technical and organizational security measures.

Data processors and their representatives must also maintain records of all processing carried out on behalf of controllers, including information on the type of processing, transfers abroad, and implemented safeguards.

Records must be maintained in written form, including electronic format, and must be made available to the Agency upon request.

Certain exceptions apply: small organizations with fewer than 250 employees are generally exempt, unless the processing is likely to pose a high risk to data subjects’ rights and freedoms, involves non-occasional processing, includes sensitive data, or relates to criminal convictions and offenses.

Specific notification obligations remain in place, such as breach notifications, consultation with the Agency following a data protection impact assessment in high-risk cases, and providing details of the data protection officer, where applicable.

Related resources

Data protection officers

Data protection officers in Bosnia and Herzegovina

The data controller and processor are required to appoint a Data Protection Officer (“DPO”) in the following cases:

when the processing is carried out by a public authority, except for courts acting in their judicial capacity;
when the core activities of the controller or processor consist of processing operations which, by their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
when the core activities of the controller or processor consist of large-scale processing of special categories of personal data or data relating to criminal convictions and offences.

A group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.

Public authorities may appoint a single DPO for multiple authorities, taking into account organizational structure and size.

In other cases, controllers, processors, or associations representing them may, or where prescribed by law must, appoint a DPO. A DPO may act on behalf of these associations.

The DPO shall be appointed based on professional qualifications, including expertise in data protection law and practice, and the ability to perform the tasks assigned by law.

The DPO may be employed by the controller or processor or engaged under a service contract.

Controllers or processors must publish the DPO’s contact details and communicate them to the supervisory authority.

Controllers and processors shall ensure that the DPO is properly and timely involved in all issues related to personal data protection. Controllers and processors shall support the DPO in performing their tasks, providing necessary resources, access to personal data and processing operations, and support for maintaining expertise. The DPO shall not receive instructions regarding the performance of their tasks. Controllers and processors cannot dismiss or penalize the DPO for performing their duties. The DPO reports directly to the highest management level. Data subjects may contact the DPO regarding processing of their personal data and exercising their rights. The DPO shall maintain confidentiality of all information obtained while performing their tasks. The DPO may perform other tasks, provided they do not create a conflict of interest.

The DPO shall:

inform and advise the controller or processor and employees engaged in processing about their obligations under the law;
monitor compliance with the law and internal policies of the controller or processor, including awareness-raising, training, and audits;
provide advice, when requested, on data protection impact assessments and monitor their implementation;
cooperate with the supervisory authority;
act as a contact point for the supervisory authority on all data processing matters, including prior consultation when required.

While performing their tasks, the DPO shall take into account the risks associated with processing, considering the nature, scope, context, and purposes of processing.

Furthermore, in the event that the personal data of data subjects in Bosnia and Herzegovina is processed by a data controller or processor who does not have a registered office, business establishment, residence, or habitual abode in Bosnia and Herzegovina, and if the processing activity is related to:

offering goods or services to those data subjects in Bosnia and Herzegovina, regardless of whether the data subject is required to make a payment; or
monitoring the behavior of data subjects, provided that their behavior takes place within Bosnia and Herzegovina,

the data controller or processor is obliged to appoint a representative in Bosnia and Herzegovina in writing.

However, exceptions to this obligation are provided for:

processing that is occasional, i.e., where there is no substantial processing of special categories of data or processing of personal data relating to criminal convictions and offences, and where it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing; or
processing of personal data carried out by public authorities.

The appointment of a representative of the data controller or processor does not affect the legal obligations that may be directed against the data controller or processor itself.

Related resources

Collection and processing

Collection and processing in Bosnia and Herzegovina

Under the DP Law, personal data may only be collected and processed in a lawful, fair, and transparent manner. The key principles include:

Lawfulness, fairness, and transparency. Processing is lawful only if based on at least one of the following legal grounds:
- Consent of the data subject for one or more specific purposes,
- Performance of a contract to which the data subject is a party, or taking steps at the request of the data subject prior to entering into a contract,
- Legal obligation of the controller,
- Protection of vital interests of the data subject or another person,
- Public interest or official authority, i.e., processing necessary for performing a task carried out in the public interest or in the exercise of official powers and
- Legitimate interests pursued by the controller or a third party, except where overridden by the interests, rights, or freedoms of the data subject (especially if the data subject is a child);
Purpose limitation. Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data minimization. Only data that are adequate, relevant, and limited to what is necessary for the intended purposes may be collected and processed.
Accuracy. Controllers are required to ensure that personal data are accurate and kept up to date, and to take reasonable steps to rectify or erase inaccurate data without delay.
Storage limitation. Personal data must be kept in a form that permits identification of data subjects no longer than necessary for the purposes for which the data are processed.
Integrity and confidentiality. Appropriate technical and organizational measures must be implemented to ensure the security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Accountability. Controllers and processors are responsible for demonstrating compliance with these principles, including maintaining internal records of processing activities and cooperating with the Agency.

Processing of special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or data concerning criminal convictions, is prohibited unless specific conditions are met (e.g., explicit consent, legal obligations, or public interest).

Data subjects’ rights include:

Right to be informed when personal data are collected, including legal basis and purpose of processing.
Right of access to their personal data.
Right to rectification of inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) in certain circumstances.
Right to restriction of processing.
Right to be notified of any rectification, erasure, or restriction of processing.
Right to data portability.
Right to object to processing, including for direct marketing purposes.
Rights related to automated decision-making and profiling.

Related resources

Transfer of personal data

Transfer of personal data in Bosnia and Herzegovina

The transfer of personal data outside Bosnia and Herzegovina is allowed only under strict conditions to ensure that the rights of data subjects are protected:

Adequacy of protection. Data may be transferred to countries, parts of countries, sectors, or international organizations that provide an adequate level of data protection, as assessed by the Agency and confirmed by a decision of the Council of Ministers of BiH. This assessment considers the rule of law, human rights, sectoral legislation, the effectiveness of supervisory authorities, and international obligations.
Appropriate safeguards. If a destination does not provide an adequate level of protection, transfers are only allowed if the controller or processor implements appropriate safeguards. These may include legally binding agreements, binding corporate rules, approved codes of conduct, certification mechanisms, or standard contractual clauses adopted by the Agency.
Data subject rights and legal remedies. The safeguards must ensure that data subjects can exercise their rights effectively and have access to judicial remedies in the receiving country or organization.
Continuous monitoring. The Agency continuously monitors the data protection situation in third countries or organizations and provides recommendations to the Council of Ministers for maintaining or revoking adequacy decisions.
Explicit consent. In certain cases, data may be transferred if the data subject has given explicit consent for the transfer.

This framework ensures that personal data of BiH citizens is protected even when transferred abroad, either by relying on adequacy decisions, implementing safeguards, or securing informed consent from data subjects.

Related resources

Security

Security in Bosnia and Herzegovina

Under the new DP Law, controllers and processors are required to implement appropriate technical and organizational measures to ensure the security of personal data throughout its lifecycle.

Key points include:

Confidentiality, integrity, and availability. Personal data must be protected against unauthorized or unlawful access, accidental loss, destruction, or damage.
Risk-based approach. Security measures should be proportional to the risks associated with the processing, taking into account the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of potential risks to the rights and freedoms of data subjects.
Data breach management. Controllers must establish procedures for detecting, reporting, and investigating personal data breaches.
- The Agency must be notified within 72 hours of a breach.
- If the breach poses a high risk to the rights and freedoms of data subjects, the affected individuals must also be notified.
Ongoing review and adaptation. Security measures should be regularly tested, assessed, and updated to ensure their continued effectiveness.
Accountability. Controllers and processors must document the security measures taken and be able to demonstrate compliance to the Agency if requested.
Support to the DPO. The DPO must be properly involved and supported in assessing and monitoring security measures, ensuring compliance with the law and internal policies.

Related resources

Breach notification

Breach notification in Bosnia and Herzegovina

In the event of a personal data security breach, the controller must notify the Agency within 72 hours. If notification is delayed, the controller must explain the reasons for the delay. The processor must inform the controller without undue delay upon becoming aware of a personal data breach.

The report to the Agency must include at least:

A description of the nature of the breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records involved;
Contact details of the DPO or another point of contact for further information;
A description of the likely consequences of the breach;
A description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate potential adverse effects.

If it is not possible to provide all information at once, the controller may submit information in phases, without unnecessary delay. The controller must document every personal data breach, including the facts relating to the breach, its effects, and the remedial measures taken. Such documentation enables the Agency to exercise its enforcement powers effectively. If there is a high risk to the rights and freedoms of natural persons, the controllers are also obliged to inform the data subjects themselves.

The controller must promptly notify the data subject in writing if a personal data breach is likely to result in a high risk to their rights and freedoms. The notification should be clear and simple, explaining the nature of the breach and the measures taken to mitigate it.

Notification is not required if:

appropriate technical or organizational safeguards were in place at the time of the breach (e.g., encryption),
subsequent measures ensure the high risk to the data subject is eliminated, or
direct notification would require disproportionate effort, in which case a public statement or equivalent measure can be used to inform data subjects effectively.

If the controller fails to notify the data subject, the Agency can require them to do so after assessing the likelihood of high risk, unless one of the exemption conditions applies.

Related resources

Enforcement

Enforcement in Bosnia and Herzegovina

Enforcement under the DP Law emphasizes the Agency’s strongest powers while also promoting proactive compliance, risk mitigation, and accountability.

Key enforcement powers:

The Agency can impose fines of up to BAM 40 million, or up to 4% of the organization’s total annual global turnover if this amount exceeds the fixed maximum fine.
It may suspend or permanently prohibit processing of personal data.
It can order the correction, deletion, or destruction of personal data, and mandate remedial actions to prevent future violations.
The Agency may issue warnings, reprimands, or orders for compliance, and initiate administrative or misdemeanor proceedings.
Risk-based supervision: The Agency prioritizes enforcement efforts based on the potential risk to data subjects’ rights and freedoms, focusing on high-risk processing activities such as large-scale or sensitive data processing.
Compliance support: Enforcement is not purely punitive; the Agency provides guidance, recommendations, and advisory support to controllers and processors to ensure proper compliance.
Cooperation and coordination: The Agency works with other national authorities and international supervisory bodies, ensuring consistent enforcement, especially for cross-border data transfers and multinational organizations.
Transparency and accountability: Enforcement is accompanied by public reporting, including annual reports to the Parliamentary Assembly, covering enforcement actions, trends, and recommendations for improving compliance nationwide.
Internal accountability and breach management: Controllers and processors must implement internal mechanisms for monitoring and managing compliance, maintain records, conduct audits, support their Data Protection Officers, and have systems to detect, report, and remediate data breaches.

Additional rights and penalties:

Data subjects have the right to seek compensation when their rights under the DP Law are violated.
Criminal liability exists under the criminal codes of BiH, FBiH, RS, and BD, for unlawful processing of personal data, punishable by fines or imprisonment of up to 6 months (BiH/FBiH) or up to 1 year (RS/BD).

Related resources

Electronic marketing

Electronic marketing in Bosnia and Herzegovina

Although electronic marketing is not governed by the DP Law, the respective law regulates protection of personal data used in direct marketing. In that regard, the controller is not allowed to disclose personal data to a third party without the data subject’s consent. However, when that is necessary for the protection of the controller’s rights and interests and when it is not in contradiction with the data subject’s right to the protection of personal privacy and personal life, the personal data may be used for direct marketing purposes without consent. The DPA is of the opinion that previous provision could be used only in explicit cases, when the controller is offering products or services to regular client in order to limit possible future damages for which he could be held responsible.

Under Regulation B, the Operator is prohibited from using user personal data for purposes of its business or other promotions, unless it obtains explicit consent from the user to whom such data relates.

Related resources

Online privacy

Online privacy in Bosnia and Herzegovina

The general data protection rules, as introduced by the DP Law, are relevant for online privacy as well, as there are no specific regulations that explicitly govern online privacy. This includes obligation to act in accordance with the basic principles of personal data protection set out in the DP Law as well as acting on the basis of the data subject's informative consent.

Related resources

Key contacts

Data protection lawyers in Bosnia and Herzegovina

Amina Đugum Brkanić

Attorney-at-law

Sijercic Partners

Sarajevo

Lejla Bošnjak

Attorney at Law

Sijercic Partners

Sarajevo

The report to the Agency must include at least:

A description of the nature of the breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records involved;
Contact details of the DPO or another point of contact for further information;
A description of the likely consequences of the breach;
A description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate potential adverse effects.

Notification is not required if:

appropriate technical or organizational safeguards were in place at the time of the breach (e.g., encryption),
subsequent measures ensure the high risk to the data subject is eliminated, or
direct notification would require disproportionate effort, in which case a public statement or equivalent measure can be used to inform data subjects effectively.

If the controller fails to notify the data subject, the Agency can require them to do so after assessing the likelihood of high risk, unless one of the exemption conditions applies.

Quick links

Data Protection in Bosnia and Herzegovina

Breach notification in Bosnia and Herzegovina

Continue reading