The law is in force. Fines reach up to BAM 40 million. Is your company ready?


Picture this: an employee accidentally sends a client spreadsheet to the wrong email address. An old contact list sits forgotten on a server no one has reviewed in years. Your contract with an external IT partner contains not a single clause about data protection.

Each of these scenarios, seemingly minor mistakes or oversights, can today trigger a regulatory inspection, a public disclosure of the violation, and a financial penalty that could devastate even a well-established business.

Welcome to the era of Bosnia and Herzegovina’s new Personal Data Protection Law.


What Has Changed and Why You Cannot Afford to Ignore It

In February 2025, Bosnia and Herzegovina adopted a new Personal Data Protection Law, which came into full effect in October 2025. This is not a cosmetic update — it is a fundamental overhaul of the country’s legal framework, bringing BiH into alignment with the EU’s General Data Protection Regulation (GDPR).

The contrast with the old 2006 law is stark:

  • Previous framework: Symbolic fines, vague obligations, minimal enforcement
  • New law: Fines of up to BAM 40 million or 4% of global annual turnover — whichever is higher

To be precise: the maximum penalty for the most serious violations equals approximately €20 million, placing BiH directly in line with the sanctions prescribed by the EU’s GDPR.

The Personal Data Protection Agency (AZLP) now holds significantly expanded powers: conducting inspections, ordering audits, notifying affected individuals of breaches, and imposing administrative fines.


Mistake #1: Thinking “This Doesn’t Apply to Us”

One of the most dangerous assumptions among Bosnian-Herzegovinian business owners is the belief that data protection is a concern only for large corporations or multinationals.

That is incorrect.

The law applies to every organisation — public or private, large or small — that processes the personal data of individuals on the territory of BiH. If your company:

  • maintains a database of clients, suppliers, or employees,
  • uses email marketing or CRM systems,
  • operates CCTV surveillance on its premises,
  • uses cloud services to store documents,
  • or works with external partners who have access to your data —

…then you are directly covered by this law and bear its full legal obligations.


Five Risks That Are Threatening Your Business Right Now

1. Data You Don’t Know You Have

Many companies have no clear picture of which personal data they process, where it is stored, who has access to it, and how long it is retained. Old databases, archived emails, scattered spreadsheets — all of it falls within the scope of the law.

Risk: Without a record of processing activities, proving compliance is impossible. In the event of an inspection, the burden of proof lies with you.

2. Outdated Contracts with Partners and Vendors

The new law introduces strict requirements governing the relationship between data controllers (your company) and data processors (your IT partner, accounting firm, marketing agency). Every such relationship must be governed by a written agreement containing precisely defined provisions.

Risk: A contract that lacks data protection clauses is not just a legal gap; it is direct grounds for a penalty.

3. Ignoring Data Subject Rights

The law grants individuals a broad set of new rights: the right to access their own data, the right to erasure (“the right to be forgotten”), the right to object, and the right to data portability. Companies are required to respond to these requests within legally prescribed timeframes.

Risk: An unaddressed request from a client or employee can be grounds for a complaint to the AZLP — and the opening of formal proceedings.

4. Insufficient Technical and Organisational Security Measures

Privacy by Design is no longer optional; it is a legal requirement. Data Protection Impact Assessments (DPIAs) are mandatory for high-risk processing activities. Organisations must document and implement appropriate technical safeguards.

Risk: A data breach in the absence of adequate protective measures automatically amplifies liability and the scale of potential fines.

5. Delayed Breach Notification

In the event of a security incident involving personal data, the law requires notification to the AZLP within 72 hours. Missing this deadline is itself a separate offence.

Risk: Quietly handling an incident internally, without the required notification, can lead to significantly harsher sanctions than the breach itself.


Complacency Is the Most Expensive Strategy

There is a well-documented psychological tendency — “this won’t happen to us” — and it is particularly dangerous in the realm of regulatory compliance. Companies wait for a competitor to be fined, for an inspection to hit someone else, for a public scandal to force action.

The problem with this approach is that the cost of reactive compliance is always far higher than the cost of proactive preparation. Fines, legal fees, reputational damage, loss of client trust — these are consequences that can be existential for a business.

And in a context where BiH is actively pursuing EU integration, the intensity of regulatory scrutiny and enforcement will only increase.


How to Protect Your Business and Why the Right Partner Makes All the Difference

Compliance with the new Personal Data Protection Law is not a one-time project, but an ongoing process that demands technical expertise, legal understanding, and organisational adaptation.

Our team offers comprehensive support covering every dimension of compliance:

Data Mapping and Audit — We identify all personal data flows within your organisation and build a record of processing activities that meets legal requirements.

Contract and Policy Alignment — We review and update your vendor agreements, privacy policies, and internal procedures in line with the new legal obligations.

Technical Security Measures — We implement appropriate data security solutions: encryption, access controls, secure backups, and incident monitoring.

Employee Training — The human factor remains the most common cause of data breaches. We equip your teams to recognise risks and act in accordance with the law.

Incident Response Support — In the event of a breach, we ensure a fast and legally correct response — including timely notification to the AZLP within the required window.

DPO Services — If your organisation is legally required to appoint a Data Protection Officer, we provide this function either as an internal appointment or as an outsourced service.


Compliance Is Not a Cost, It Is an Investment in Trust

Companies that took data protection seriously early not only avoided fines; they gained a competitive advantage. Clients, partners, and investors increasingly demand assurance that their data is handled responsibly.

In a business environment where trust is currency, being the company that can confidently say “We protect your data” is a message that converts into long-term business relationships.


Your Next Step

Don’t wait for an inspection or an incident to take action.

Contact us today for a free initial compliance assessment of your organisation under the new Personal Data Protection Law. Our team will quickly analyse your current status and recommend priority steps to minimise risk and ensure legal certainty.