
BOSNIA AND HERZEGOVINA - Data Protection and GDPR Review

The history of data protection in Bosnia and Herzegovina is relatively young and is shaped by the country's efforts to align its legislation with European and international standards. Below is an overview of the key milestones in the evolution of data protection in Bosnia and Herzegovina.

1. Early Initiatives

The awareness of data protection in Bosnia and Herzegovina started to grow in the early 2000s as the country began to modernize its legal system and public administration. The emergence of digital technologies and the increased flow of personal information prompted the need for legislation to protect individuals' privacy.

2. Adoption of the Law on the Protection of Personal Data (LPDP)

In 2006, Bosnia and Herzegovina enacted the Law on the Protection of Personal Data, marking the first comprehensive legislation dedicated to data protection. This law laid the foundation for the principles governing the collection, processing, and storage of personal data, closely reflecting the EU Data Protection Directive (95/46/EC).

3. Establishment of the Personal Data Protection Agency (PDPA)

The LPDP also established the Personal Data Protection Agency (PDPA) in 2006, granting it the authority to supervise, enforce, and provide guidance on data protection matters. The PDPA played a crucial role in promoting awareness and compliance with the law.

4. Amendments to the LPDP

In response to changes in technology and international standards, the LPDP underwent several amendments, most notably in 2010 and 2014. These amendments strengthened the law by introducing new provisions and more clearly defining the rights and obligations of data subjects and data controllers.

5. Alignment with European Standards

Bosnia and Herzegovina's efforts to harmonize its legislation with the European Union's data protection framework are part of the broader process of EU integration. While the country is not a member of the EU, its legal reforms reflect a commitment to align with European values and standards, including in the area of data protection.

6. Impact of the GDPR

The European Union's General Data Protection Regulation (GDPR), effective from 2018, does not directly apply in Bosnia and Herzegovina. However, it has influenced the local debate on data protection and impacts businesses and organizations in the country that process personal data of EU residents.

7. Ongoing Challenges and Future Developments

The development of data protection in Bosnia and Herzegovina is an ongoing process, with challenges including enforcement, public awareness, and compliance. Efforts to further align the country's legislation with the GDPR and other international standards are expected to continue, reflecting the dynamic nature of data protection in a globalized digital age.

The history of data protection in Bosnia and Herzegovina reflects a progressive approach towards aligning the country's legal framework with European and international standards. While the journey has been marked by significant milestones, such as the adoption of the LPDP and the establishment of the PDPA, it is also characterized by ongoing efforts to adapt to evolving technologies and regulatory landscapes.

Bosnia and Herzegovina is not a member of the European Union, so the General Data Protection Regulation (GDPR) is not directly applicable within the country. However, businesses and organizations that process personal data of individuals in the EU must comply with the GDPR, and there has been movement within the country to align data protection laws with European standards.

Here is a guide to understanding data protection in Bosnia and Herzegovina, particularly in relation to the GDPR.

Data Protection Legislation in Bosnia and Herzegovina

Bosnia and Herzegovina's data protection legislation is primarily governed by the Law on the Protection of Personal Data (LPDP). This law sets out the rules for the collection, processing, and transfer of personal data.

Key Principles:

  1. Lawfulness and Legitimacy: Personal data must be processed lawfully, fairly, and transparently.

  2. Purpose Limitation: Data must be collected for specific and legitimate purposes.

  3. Data Minimization: Only the data necessary for the intended purpose should be processed.

  4. Accuracy: Data must be accurate and, where necessary, kept up to date.

  5. Storage Limitation: Personal data should not be stored longer than necessary for the purpose for which it was collected.

  6. Integrity and Confidentiality: Data must be protected against unauthorized access, accidental loss, or destruction.

Personal Data Protection Agency (PDPA)

The PDPA is responsible for overseeing and enforcing data protection laws in Bosnia and Herzegovina. It provides guidance, handles complaints, and can impose penalties for violations.

Rights of Data Subjects

Under the LPDP, individuals have several rights, including:

  • Right to Information: Individuals must be informed about how their data is being processed.

  • Right of Access: Data subjects have the right to access their personal data.

  • Right to Rectification: Individuals can correct inaccurate or incomplete data.

  • Right to Erasure: In certain situations, data subjects can request the deletion of their data.

  • Right to Object: Individuals have the right to object to processing in certain circumstances.

Obligations for Data Controllers and Processors

Entities handling personal data must comply with several obligations:

  • Notification: Data controllers must register their processing activities with the PDPA.

  • Security Measures: Implement adequate measures to protect personal data.

  • Data Breach Notification: Notify the PDPA and affected individuals of significant data breaches.

GDPR Compliance for Entities in Bosnia and Herzegovina Dealing with the EU

For businesses processing personal data of EU residents, GDPR compliance is essential. Key considerations include:

  • Understanding GDPR Requirements: Become familiar with the GDPR principles, rights, and obligations.

  • Ensuring Legal Grounds for Processing: Have a valid legal basis, such as consent, for processing personal data.

  • Appointing an EU Representative: If applicable, designate a representative within the EU for GDPR matters.

  • Data Transfer Considerations: Ensure compliance with GDPR requirements for transferring data outside the EU.


Data protection in Bosnia and Herzegovina is guided by the LPDP, which shares many principles with the GDPR. Entities within the country that process personal data of EU residents must also ensure compliance with the GDPR. Given the complexity of the regulatory landscape and potential differences between local law and the GDPR, consultation with legal experts specializing in data protection is advisable for organizations operating in or with Bosnia and Herzegovina.

