Bosnia and Herzegovina Aligns Data Protection with EU Standards, Strengthening Cross-Border Data Transfers and Compliance Obligations

Summary

Bosnia and Herzegovina’s Data Protection Act, introduced in 2025, aligns the country’s legal framework with the EU General Data Protection Regulation (GDPR) and the EU Data Protection Law Enforcement Directive. The law reinforces cross-border data transfer regulations, expands data subject rights, and imposes stricter obligations on businesses and government entities.

The law mandates procedural compliance for Standard Contractual Clauses (SCCs), requiring them to be translated into Bosnian/Croatian/Serbian, signed in wet ink, and submitted within five business days before the transfer can occur. Binding Corporate Rules (BCRs) require AZLP BiH approval, ensuring that multinational corporations maintain high-level privacy standards.

Additionally, organizations must adopt Privacy by Design principles, conduct Data Protection Impact Assessments (DPIAs) for high-risk data processing, and comply with new AI-driven automated decision-making restrictions. Businesses processing biometric, genetic, or sensitive financial and healthcare data must implement enhanced security measures such as encryption and strict access controls.

Administrative fines for non-compliance can reach up to 4% of an organization’s annual global turnover or €20 million, mirroring GDPR penalty structures. Explicit consent is required for one-off international data transfers, while routine transfers must adhere to SCCs or BCRs.

As Bosnia and Herzegovina moves toward full GDPR compliance, businesses must urgently update their data governance policies, vendor agreements, and security frameworks to avoid penalties and ensure legal compliance. The AZLP BiH continues to refine enforcement mechanisms, providing further guidance for companies operating in the region.

Why is This Law Important? A Shift Towards a GDPR-Compliant Framework

The Data Protection Act is a landmark legislative shift for Bosnia and Herzegovina, not only strengthening personal data protection but also aligning national data laws with EU requirements. The introduction of GDPR-equivalent data transfer mechanisms and supervisory authority powers suggests BiH’s intention to position itself as a secure jurisdiction for digital trade and investment.

For businesses, these changes introduce new compliance burdens but also create opportunities for enhanced consumer trust and data security. Organizations that already comply with the GDPR will find it easier to adapt to BiH’s new rules, while companies with outdated data practices must undergo a complete overhaul of their policies and data governance models.

Key Highlights of the New Law

  • No adequacy decision has been granted yet for any country, requiring businesses to rely on SCCs or BCRs for international data transfers.
  • New rights for individuals, including data portability, erasure (right to be forgotten), and restriction of processing, ensure stronger control over personal data.
  • Organizations processing personal data in BiH or targeting BiH residents must comply, even if they are based outside the country.
  • Cross-border transfers require SCCs, submitted within five business days to the Personal Data Protection Agency (AZLP BiH) before processing.
  • Explicit consent is required for one-off international transfers, while routine transfers must adhere to predefined mechanisms.
  • Companies must implement privacy by design, ensuring secure data processing and minimizing risks from the outset.
  • Administrative fines can reach up to 4% of an organization’s annual global turnover or €20 million, whichever is higher.

New Compliance Challenges for Businesses

Sectoral Impact: Who Will Be Most Affected?

The BiH Data Protection Act will significantly impact industries that rely on large-scale data processing, including:

  • Technology & E-Commerce: Companies using AI-driven analytics, targeted advertising, and behavioral tracking must overhaul their user consent mechanisms and tracking policies.
  • Financial & Healthcare Sectors: Banks, insurance companies, and healthcare providers must adopt stronger data encryption, access control measures, and secure authentication methods.
  • Public Sector & Government Agencies: Government bodies handling citizen data must implement enhanced security measures and ensure transparent data-sharing agreements.

Risk Mitigation Strategies for Organizations

To ensure compliance with the new data protection framework, companies should:

  1. Conduct DPIAs regularly: Identify high-risk data processing activities and document compliance efforts.
  2. Review and update vendor contracts: Ensure third-party service providers follow SCC/BCR guidelines.
  3. Enhance employee training: Educate staff on new data protection obligations and reporting procedures.
  4. Monitor enforcement trends: Stay updated on AZLP BiH guidelines and adjust internal compliance policies accordingly.

Legal Precedents and Case Law References

The new BiH Data Protection Act aligns closely with EU jurisprudence, with key influences from:

  • Schrems II (C-311/18, 2020): Impacted cross-border data transfers, requiring stricter SCC implementation.
  • Google Spain SL v. AEPD (C-131/12, 2014): Established the right to be forgotten, now fully integrated into BiH law.
  • Digital Rights Ireland (C-293/12, 2014): Strengthened data minimization principles, now applied to government surveillance restrictions.

Looking Ahead: Future Enforcement Trends

While the AZLP BiH has been granted significant enforcement powers, it remains unclear whether it will adopt an aggressive enforcement approach similar to Ireland’s Data Protection Commission (DPC) or follow a gradual implementation strategy. If history serves as a guide, we may see initial warnings and advisory rulings before major fines are issued.

Additionally, future amendments could introduce clarifications on cross-border data transfers, cloud service provider obligations, and sector-specific compliance rules.

Businesses should closely monitor enforcement trends and prepare for potential regulatory updates in the coming years.

Conclusion: Preparing for Compliance

The BiH Data Protection Act represents a significant transformation in the country’s approach to data privacy and regulatory enforcement. Companies operating in BiH must immediately adapt their data governance models, privacy policies, and risk assessment strategies to ensure full compliance.

For organizations that fail to comply, the financial penalties and reputational risks could be severe. Businesses should proactively invest in compliance measures, including:

  • Conducting compliance audits.
  • Revising vendor agreements.
  • Enhancing cybersecurity infrastructure.
  • Training employees on BiH’s new data regulations.

As BiH moves closer to EU data protection harmonization, companies must adopt a forward-thinking approach to compliance, ensuring long-term regulatory alignment and competitive advantage.