DLA Piper Intelligence

Data Protection
Laws of the World


Bosnia and Herzegovina
Bosnia and Herzegovina

The Law on Protection of Personal Data ('Official Gazette of BIH', nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.

Last modified 28 Jan 2019
Bosnia and Herzegovina

The Law on Protection of Personal Data ('Official Gazette of BIH', nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.

Last modified 28 Jan 2019

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural person. Data subjects are natural persons whose identity can be determined or identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The DP Law defines sensitive personal data as any data relating to any of the following:

  • Racial, national or ethnic origin
  • Political opinion, party affiliation, or trade union affiliation
  • Religious, philosophical or other belief
  • Health
  • Genetic code
  • Sexual life
  • Criminal convictions
  • Biometric data
Last modified 28 Jan 2019

The Personal Data Protection Agency (DPA) is the national data protection authority in BiH. The DPA is seated in

Dubrovačka 6
Last modified 28 Jan 2019

Each data controller (defined as a person or legal entity which processes personal data) must provide the DPA with specific information on the database containing personal data ("Database") established and maintained by the controller. The DPA maintains a publicly available register of data controllers and Databases.

The Database's registration includes two phases:

  • First, the controller must register as a data controller (this registration as a controller is to be performed only once).

  • Second, the controller must report to the Database's establishment, which has to be done within 14 days.

Registration of the Database is made by submitting the application in the prescribed form to the DPA. The DPA form includes information regarding:

  • Data controller 
    • Name
    • Address of its registered seat
  • The Database itself
    • Processing purpose
    • Legal ground for its establishment
    • Identification of exact processing activities
    • Types of processed data
    • Categories of data subjects, and
    • Transfer of data abroad

If there is a subsequent change in the registered data, for example changing initial processing activities, the change needs to be reported to the DPA within 14 days from the date the change occurred.

Last modified 28 Jan 2019
Data Protection Officers

There is no statutory obligation that the entity which processes personal data has a data protection officer. The Rules on the Manner of Keeping and Special Measures of Personal Data Technical Protection (Official Gazette of BiH no. 67/09) (Rules) stipulate that a controller can have an administrator of the Database. Such administrator is a natural person authorized and responsible for managing the Database and ensuring privacy and protection of personal data processing, in particular regarding implementation of security measures, storage and protection of data.

Last modified 28 Jan 2019
Collection & Processing

Collection and processing of personal data is permissible if carried out pursuant to the data subject’s consent and in compliance with the basic principles of personal data protection.

The form of the data subject’s consent depends on the type of personal data collected and processed. While the collection and processing of sensitive personal data requires explicit written consent from the data subject, the consent for the collection and processing of personal data falling within a category of general personal data does not have to be in writing. However, at the request of the competent authority, the controller has to be able to prove, at any time, the existence of a data subject’s consent for processing of both personal and sensitive personal data. Therefore, having a written consent for collection of any personal data is advisable. When required, written consent must contain at minimum elements prescribed by the DP law.

Apart from the consent, there are also other conditions which must be met for the collection and processing to be regarded as legitimate, including:

  • Processing must be done in a fair and lawful way
  • The type and scope of processed data must be proportionate to the respective purpose
  • Other principles regarding the legitimate reasons for personal data processing

The DP Law provides an exception when a data subject's personal data may be processed without the data subject’s consent. This is the case where the processing is necessary for the fulfillment of a data controller’s statutory obligations or for preparation or realization of an agreement concluded between a data controller and a data subject (Exceptional Cases). These conditions are considered the basic principles of personal data protection and are applicable to each case of personal data processing.

Last modified 28 Jan 2019

Under the transfer rules set out in the DP Law, processed personal data may be transferred to countries where an adequate level of personal data protection is ensured. In that regard, preferential status is given to the member states of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention"), as members of the Convention ensure an adequate level of personal data protection.

Personal data transfer to countries that do not provide for an adequate level of personal data protection is allowed in certain cases stipulated by the DP Law, for example:

  • When the data subject consented to the transfer and was made aware of possible consequences of such transfer
  • When it is required for the purpose of fulfilling the contract or legal claim
  • When it is required for the protection of public interest

In addition, the DPA may exceptionally approve the transfer to a country that does not ensure adequate an level of personal data protection if the controller in the country where the data is to be transferred can provide for sufficient guarantees in regard to the protection of privacy and fundamental rights and freedoms of the data subject.

Last modified 28 Jan 2019

The DP Law requires data controllers and processors to:

  • Take care of data security and to undertake all technical and organizational measures
  • Undertake measures against unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfer, other forms of illegal data processing, as well as measures against misuse of personal data
  • Adopt a personal data security plan ("Security Plan") which specifies technical and organizational measures for the security of personal data

As provided by the Rules (as defined in the section "Data Protection Officers"), the Security Plan includes the categories of processed data and the list of instruments for protection of the data to ensure confidentiality, integrity, availability, authenticity, possibility of revision and transparency of the personal data.

The Rules prescribe that the controller is required to undertake more stringent technical and organizational measures when processing sensitive personal data. Such measures aim at enabling recognition of each authorized access to the information system, operation with the data during the controller’s regular working hours and cryptographic protection of the data transmission via telecommunications systems with appropriate software and technical measures.

The Rules also closely regulate the manner of personal data keeping and personal data protection in automatic processing.

Last modified 28 Jan 2019
Breach Notification

The DP Law does not impose data security breach notification duty on the controller. However, the Rules do impose a duty on the Database's administrator, processor and performer to inform the controller on any attempt of unauthorized access to information system for the Database's management.

However, the regulations issued by the Communication Regulatory Agency (RAK) should be considered. The Regulation on Carrying out the Activities of the Publicly Available Electronic Communication Networks ('Official Gazette of BiH' no. 66/12) (Regulation A) stipulates that the operator of publicly available electronic communication networks (Operator) is required to inform RAK about its activities, operations and other applicable information required for RAK’s regulatory competences. Since RAK’s Regulation on Conditions for Providing the Telecommunications Services and Relation with End Users ('Official Gazette of BiH' no. 28/13) (Regulation B) prescribes for the Operator’s obligation to undertake such methods which will protect the privacy of users and others, in a manner that will ensure the integrity and confidentiality of data, it can be concluded that the Operator is required to notify RAK of any breach of security and integrity of public telecommunication services that resulted in violation of protection of personal data or privacy of the respective services' s users.

When it comes to the notification duty towards the users, the Regulation B obliges the Operator to inform the users adequately (eg, in user agreement, in its terms and conditions or in the appropriate technical way) about the possibility of privacy or telecommunication facilities violations.

Last modified 28 Jan 2019

The DPA enforces the DP Law. The DPA is authorized and obliged to monitor implementation of the DP Law, both ex officio, and upon a third-party complaint. If the DPA finds that a particular person or entity processing personal data acted in violation of data processing rules, it may request that the controller discontinue such processing and order specific measures to be carried out without delay.

When acting upon the complaints, the DPA may also issue a decision by which it can order blocking, erasing or destroying of data, adjustment or amendment of data, temporary or permanent ban of processing, issue warning or reprimand to the controller. The decision of the DPA may not be appealed; however, a party may initiate administrative dispute before the Court of BiH.

The DPA can initiate a misdemeanor proceeding against the respective data controller before the competent court, depending on the gravity of the particular misconduct and the data controller’s behavior with respect to the same. The offenses and sanctions are explicitly prescribed by the DP Law, which includes monetary fines for a controller in the amount between €2,550 and €51,100, as well as for the controller's authorized representative in the amount between €100 and €7,700.

Breach of personal data protection regulations represents a criminal offense of unauthorized collection of personal data by all criminal codes applicable in BiH (Criminal Code of BiH, Criminal Code of the Republic of Srpska, Criminal Code of the Federation of BiH and Crimes Code of Brčko Distrikt). Prescribed sanctions are monetary fines (in amount to be determined by the court) or imprisonment up to six (6) months (Criminal Code of BiH; Criminal Code of the Federation of BiH; Criminal Code of the Brčko Distrikt) or up to one (1) year (Criminal Code of the Republic of Srpska).

Last modified 28 Jan 2019
Electronic Marketing

Although electronic marketing is not governed by the DP Law, the respective law regulates protection of personal data used in direct marketing. In that regard, the controller is not allowed to disclose personal data to a third party without the data subject’s consent. However, when that is necessary for the protection of the controller’s rights and interests and when it is not in contradiction with the data subject’s right to the protection of personal privacy and personal life, the personal data may be used for direct marketing purposes without consent. The DPA is of the opinion that previous provision could be used only in explicit cases, when the controller is offering products or services to regular client in order to limit possible future damages for which he could be held responsible.

Under Regulation B, the Operator is prohibited from using user personal data for purposes of its business or other promotions, unless it obtains explicit consent from the user to whom such data relates.

Last modified 28 Jan 2019
Online Privacy

The general data protection rules, as introduced by the DP Law, are relevant for online privacy as well, as there are no specific regulations that explicitly govern online privacy. This includes obligation to act in accordance with the basic principles of personal data protection set out in the DP Law as well as acting on the basis of the data subject's informative consent.


Last modified 28 Jan 2019
Nihad Sijercic
Nihad Sijercic
Attorney-at-law in cooperation with Karanovic & Nikolic
T +387 33 844 000
Amina Dugum
Amina Dugum
Attorney-at-law in cooperation with Karanovic & Nikolic
T +387 33 844 000
Last modified 28 Jan 2019