The DPL represents a decisive step toward aligning Bosnia and Herzegovina’s data protection framework with EU Regulation 2016/679 (GDPR) and the EU Law Enforcement Directive (Directive 2016/680). The new law introduces stronger safeguards for personal data, expands the rights of data subjects, and imposes enhanced obligations on data controllers and processors.
Key changes include:
- Recognition of biometric and genetic data as personal data.
- Codification of the right to be forgotten and stricter breach notification requirements.
- Obligations to appoint Data Protection Officers and local representatives for foreign entities.
- Significantly increased enforcement powers for the BH Personal Data Protection Agency, including fines of up to BAM 40 million or 4% of global turnover.
While this legislative step brings formal alignment with the GDPR, its practical success will depend on implementation—particularly the readiness of supervisory authorities, the adoption of supporting by-laws, and the institutional capacity to ensure consistent enforcement.
In his article, our Senior Partner, Miloš Mitić, highlights our ongoing commitment to monitoring and analysing regulatory trends that influence the business and compliance environment throughout the Western Balkans.
The introduction of the DPL marks an important step toward harmonisation with EU standards, but also highlights the ongoing need for capacity building, inter-institutional coordination, and genuine commitment to the protection of fundamental rights.
The coming two years, during which controllers and processors must achieve full compliance, will be decisive in determining whether Bosnia and Herzegovina’s reform results in operational alignment—or remains a formal aspiration.
