Bosnia's new Personal Data Protection Law introduces stricter rules

In addition to financial sanctions, the Law brings several important innovations, including the so-called “right to be forgotten,” allowing citizens to request the deletion of their data when there is no longer a legal basis for retaining it. Special emphasis is placed on the protection of children, who will only be able to use certain online services with parental consent.

The Director of the Personal Data Protection Agency of Bosnia and Herzegovina, Dragoljub Reljic, explained that the new Law aligns Bosnia and Herzegovina’s legislation with European standards, particularly the General Data Protection Regulation (GDPR) and the EU Police Directive.

“The Law introduces the concepts of biometric and genetic data, simplifies administrative procedures, and strengthens the Agency’s supervisory powers,” Reljic said.

The new provisions also make it easier for citizens to access the information held about them and to clearly understand who processes their data and for what purpose. In the event of a data breach, controllers must immediately notify the Agency and, in serious cases, the affected individuals as well.

Reljic noted that many data controllers are now required to appoint a Data Protection Officer, while foreign entities processing data belonging to BiH citizens must have a local representative in Bosnia and Herzegovina.

“The penalties are extremely strict, ranging from 500 marks (approximately €255) for individual employees to 40 million marks (approximately €20.4 million) for legal entities, or up to four percent of total global revenue,” Reljic emphasised.

The Law was published in the Official Gazette of BiH on February 28, came into force on March 8, and its practical implementation began on October 4. A transitional period of 210 days was given for institutions and companies to adapt to the new requirements.

The Agency for Identification Documents, Registers and Data Exchange (IDDEEA) announced that it is already applying the new provisions and continuously improving its internal regulations and security protocols.

“By implementing the new Law, we are ensuring the highest level of personal data protection in the processes of personalisation, storage, and exchange of identification information,” the Agency stated.