Adria legal group - Law office

phone

place

access_time

News

Bringing you the latest in legal news, activities and more across the region

news

Personal data protection in Bosnia & Herzegovina

1. Personal data protection law of B&H

Personal data protection law was published in the "Official Gazette of Bosnia and Herzegovina" No. 12/25 of 28.2.2025, which was adopted by the Parliamentary Assembly of Bosnia and Herzegovina at the 16th emergency session of the House of Representatives, held on 23 January 2025, and at the 8th emergency session of the House of Peoples, held on 30 January 2025. The Law entered into force on 08.03.2025, and shall be applied after the expiry of 210 days from the date of entry into force, i.e. from 04.10.2025. Upon the commencement of the application of this Law, the Law on the Protection of Personal Data ("Official Gazette of BiH", No. 49/06, 76/11 and 89/11) shall cease to be valid.

Compared to the previous Personal data protection law, adopted almost 20 years ago, the new Law regulates the area of ​​personal data protection in more detail and precisely. The new legal framework contains norms that are fully aligned with the most modern standards of personal data protection applied in the European Union.

The aim of the new Law is to protect the fundamental rights and freedoms of natural persons in Bosnia and Herzegovina, regardless of their citizenship and place of residence, and in particular their rights to the protection of personal data. The Law is aligned with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or the so-called General Data Protection Regulation (GDPR).

Through the analysis of the new legal provisions, we see significant changes through a more precise definition and elaboration of citizens' rights related to their personal data and the right to privacy, a clearer division of responsibilities and obligations for data controllers and processors, a clear determination of the principles of personal data processing, as well as the determination of the competences and powers of the Personal Data Protection Agency of BiH.

New are also significantly higher fines in case of violation of obligations related to the protection of personal data, which can range from 20,000.00 BAM to 40,000,000.00 BAM, or in the case of entrepreneurs up to 4% of the total annual turnover at the global level for the previous financial year.

We now also have a clear definition of terms such as genetic and biometric data, as well as greater obligations of controllers in terms of technical and organizational protection measures, and the introduction of the principle of the "right to be forgotten". Also, by harmonizing with European standards, this Law not only protects the rights of citizens, but also defines the legal framework for cross-border data transfers, i.e. data transfers to another country or international organization, as well as legal protection mechanisms for such transfers, starting from the adequacy decision and safeguards, all the way to binding business rules and deviations in special cases.

2. Steps in the harmonization process

Given that the new Act introduces numerous new acts, it is certainly necessary for numerous legal entities to complete the process of achieving full compliance with the new Personal data protection law, so it is necessary to take the following steps:

2.1. Detection of specific processing of personal data carried out by a legal entity and insight into existing acts - This is the first step in the harmonization process, i.e. analysis of all personal data processed by a certain legal entity. This includes information about customers, suppliers, employees, as well as information exchanged with third parties. Detailed "mapping" enables the identification of data flows, legal bases for processing, as well as potential risks that may arise when handling data. Also here, an overview is made of the existing acts that the company owns, which means that the acts do not necessarily need to be changed, but it is only necessary to harmonize or adjust them.

2.2. Determining the purpose and legal basis for each individual processing - This is the second step through which the basis and purpose for each individual processing of personal data is determined. Through this step, it is certainly possible to assess the proportionality of each individual processing in relation to the purpose achieved by that processing.

2.3. Making a decision on which processing should be continued (because it is allowed) and which needs to be modified due to perceived deficiencies - The third step is directly linked to the previous step, where the validity of further processing and their permissibility is assessed, and everything that is considered irregular is modified or legally adjusted.

2.4. Drafting or revision of acts that must or should follow each specific processing - The fourth and final step does not include the necessary change of all internal acts, but rather their possible modification to the new legal regulations, and new acts are adopted for which the need arises.

According to the new provisions of the Personal Data Protection Act, legal entities should modify or adopt the following acts:

  • Personal Data Protection Regulation (or Personal Data Protection Code) – the basic document that precisely defines internal procedures and principles for the processing of personal data (Article 7 of the Personal Data Protection Act).
  • Decision on the Appointment of a Data Protection Officer (Article 39 of the Personal Data Protection Act) – is a document that appoints an officer responsible for monitoring existing legal provisions, supervision, accountability, providing advice and contact with the Agency regarding personal data protection
  • Notice on the Processing of Personal Data – legality, fairness and transparency in relation to the data subject, i.e. transparent information to each person about the method, purpose, scope, storage and accuracy of the processing of their data.
  • Consent for the processing of personal data (Article 9 of Law) – a written statement given by the data subject for the processing of his personal data
  • Agreement between the controller and the processor (Article 30 of law) – Represents a written act between the data controller and the processor, which states the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the category of the data holder, as well as the obligations and rights of the data controller.
  • Internal Acts regarding the protection of personal data – represent internal acts, i.e. regulations that accurately determine the methods of data processing, access, storage and protection within the organization.
  • Assessment of the impact of risk (Article 37 of law) – is an assessment of whether some type of personal data processing will cause a high risk for the rights and freedoms of natural persons.
  • Privacy policy – ​​a document that informs users about the way their data is collected, used and protected
  • Cookie policy – ​​A cookie is information in the form of a simple text file saved on the computer by the website that the person visits. Essentially, it is a notification to users about the types of cookies used by the website, what their purpose is, and what options are available for managing settings.

Not all of the above acts need to be adopted or enacted immediately, and to begin with, the adoption of the Rules or Code on the Protection of Personal Data would definitely be necessary, while other acts are enacted as necessary as supporting acts.

Accordingly, the Code or Rules are proposed as the first and initial act that will be crucial in the harmonization process, because all other acts will be linked to the aforementioned act.

3. Assessment of the impact of processing on the protection of personal data (Article 37)

Article 37 of the New Personal Data Protection Act prescribes an assessment of the impact of processing on the protection of personal data. This is precisely one of the novelties in relation to the old Personal Data Protection Act, which stipulates that if there is a likelihood that a type of processing, in particular through new technologies and taking into account the nature, scope, context and purposes of the processing, will cause a high risk to the rights and freedoms of natural persons, the data controller shall, prior to processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data.

Accordingly, the adoption and preparation of a Risk Impact Assessment (DPIA), i.e. an analysis of potential risks of data processing and measures to mitigate them, is useful for adoption because the same act prescribes and defines a series of measures to address the risks, which include protective measures, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this Act, taking into account the rights and legitimate interests of the data subject and other persons involved. It shall be carried out by the controller before the start of processing.

In this case, and pursuant to Article 38 of the new Personal Data Protection Law, the Controller has the option to consult the Agency prior to processing if the personal data protection impact assessment has shown that the processing of the data would result in a high risk to the rights and freedoms of individuals, in the event that the data controller does not adopt measures to mitigate the risk.

4. Drafting of acts in the field of data transfer

Such acts need to be drafted only when transferring data to countries that do not provide an adequate level of data protection, and such cases are very rare. Accordingly, in our joint work, we would see to which countries data is being transferred and, if necessary, act accordingly.

For the sake of caution, we would like to point out that countries that provide an adequate level of protection are:

  • Members of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
  • Countries for which the EU has determined in its decisions (adequacy decisions) that they provide an adequate level of protection;
  • Countries with which BiH has concluded an international agreement on the transfer of personal data.

5. Conclusion

The new Personal data protection law of Bosnia and Herzegovina brings comprehensive changes that will significantly affect the way in which legal entities, state institutions and individuals manage personal data. Although the authorities adopted it after many years of waiting and delay, the new Law has taken another step towards harmonizing Bosnia and Herzegovina with European regulations in this area.

The Law was drafted according to the model of the General Data Protection Regulation (GDPR) and the EU Police Directive, and brings important changes for both citizens and those who process their data.

Given the major innovations in the Law itself, we certainly expect the active participation of the Agency, which in the coming period should provide certain guidelines and interpretations to many legal entities and state institutions in the process of implementing and harmonizing operations with the new legal provisions, and many will certainly refer to and use the already established practice of countries in the region in this area that have long completed this issue and harmonization.
Prethodna vest
  • links keyboard_arrow_right
    • akcija - 0 %