The Parliamentary Assembly of Bosnia and Herzegovina published a new in the Official Gazette of BiH No. 12/25 on February 28, 2025. The law replaces the outdated 2006 legislation and aligns Bosnia’s data protection regime with (General Data Protection Regulation - GDPR) and . It entered into force on March 7, 2025, and is applicable from October 4, 2025.
The law introduces binding data protection obligations for businesses operating in Bosnia and Herzegovina or targeting its market. It creates uniform requirements for data processing, risk assessments, international data transfers, breach response and regulatory reporting. It also strengthens the authority of the (AZLP BiH), which now oversees compliance, enforcement and sanctions.
How does this change things?
The new law introduces many data governance requirements previously absent in Bosnia and Herzegovina. For businesses, this creates clear compliance expectations, as well as significant legal exposure for non-compliance.
Key updates include:
- Risk-based obligations: Companies must assess and document the legal basis for all personal data processing. Any processing that presents a high risk to individual rights, such as large-scale profiling or biometric data use, triggers a mandatory data protection impact assessment (DPIA).
- Mandatory appointment of DPOs: Businesses must appoint a data protection officer (DPO) if they are public authorities or if their core activities involve large-scale systematic monitoring or large-scale processing of special categories of personal data or criminal data.
- Recordkeeping and transparency: Controllers are required to maintain detailed records of processing activities and make them available to the AZLP upon request. The records shall include key details such as purposes, categories, recipients and retention periods.
- Breach notification: Personal data breaches must be reported to the AZLP without undue delay and, in some cases, also to the affected individuals. Failing to notify can result in enforcement action.
- International transfers: Personal data may only be transferred to another country or international organisation if it ensures an adequate level of protection. If not, the controller or processor must provide appropriate safeguards, and the data subject must be granted enforceable rights and effective legal remedies.
- Enforcement and fines: The AZLP now has the authority to investigate, issue warnings, impose temporary or permanent limitations on processing and levy administrative fines for infringements. Fine levels and criteria mirror the EU’s GDPR model.
These changes affect all sectors, with particular operational implications for technology, finance, retail and any business engaging in digital services or international data sharing.
The bigger picture
Bosnia and Herzegovina’s adoption of a GDPR-aligned law signals a strong intent to meet EU accession requirements. Harmonising with EU digital regulations is critical to opening the door to membership talks and improving trade and investment ties with the European bloc.
Historically, political fragmentation between the state, entity and district levels in Bosnia and Herzegovina has slowed legal reform. The adoption of a state-level GDPR-compliant law demonstrates institutional alignment and presents a rare opportunity for regulatory predictability in a complex legal environment.
For businesses, the benefits are twofold:
- Legal certainty: Companies now have clear, harmonised rules for data processing and transfers, similar to those already followed in the EU.
- Commercial advantage: Compliance with GDPR-like standards removes barriers to cross-border services, data partnerships and vendor relationships with EU-based firms.
Bosnia’s improved regulatory credibility is also likely to enhance its attractiveness as a destination for outsourcing, shared services and digital expansion.
Why should you care?
For businesses, this law is a legal turning point. It introduces enforceable standards for data management, security and accountability.
Immediate priorities include:
- Conducting a gap analysis against GDPR-style requirements.
- Designating a DPO if criteria are met, and defining their scope and authority.
- Mapping all data flows and ensuring valid legal bases for international transfers.
- Reviewing breach detection and escalation protocols in line with notification rules.
- Training staff and updating customer-facing policies to meet transparency obligations.
- Preparing for regulatory engagement with the AZLP and maintaining full compliance documentation.
Aligning with GDPR-style standards removes a major barrier for companies seeking to do business with EU-based partners. Under the EU’s rules, personal data can only be transferred to countries with equivalent protections. Bosnia’s new law brings it into that category, making it easier for EU firms to share data with Bosnian providers, enter outsourcing contracts or establish cross-border service operations without needing complex contractual safeguards or additional legal reviews. This positions Bosnia as a lower-risk, regulation-friendly jurisdiction for digital trade and cooperation.