Personal Data Protection in Bosnia & Herzegovina and the Impact of GDPR

By Dragan Stijak, Law Firm Sajic

Bosnia & Herzegovina represents a country that is still going through a transition period and on its way encounters many diffculties in trying to reach the standards set by the European Union. This is certainly the case in the field of personal data protection.

According to the reports of the European Commission, Bosnia & Herzegovina has made only a partial harmonisation with international regulations in the field of data protection and privacy, but additional issues are represented by the lack of institutional support and monitoring, which have to ensure proper application of regulations in practice. Bosnia & Herzegovina has ratified the Council of Europe Convention for the Protection of Individuals with regard to the electronic processing of personal data (ETs No. 108), which is essential for ensuring the right to privacy. Consequently, on its grounds and principles, Bosnia & Herzegovina adopted the Law on the Protection of Personal Data in 2006, which is still in force and reflects the provisions of Directive 95/46 EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. However, it is important to note that legislative bodies in Bosnia & Herzegovina are making efforts to adopt a new Law on Data Protection and the same should fully comply with the requirements of the General Data Protection Regulation (GDPR), which put the previously mentioned Directive out of force.

Therefore, the substantive regulations governing this matter in Bosnia & Herzegovina are at a relatively satisfactory level with the tendency of even better compliance with the EU regulations. However, the main issue in the field of personal data protection and privacy is very inadequate institutional support, when it comes to respecting and applying regulations in practice, in cases of frequent violations where those who make such violations do not suffer almost any consequences.

In this regard, the serious problem is that the Agency for the Protection of Personal Data in Bosnia & Herzegovina, as an independent supervisory body, does not have suffcient support from legislative and executive authorities to improve its capacities, i.e. human, financial, and other resources which would lead to the better monitoring of the application of regulations, and provide a substantial level of data protection and better privacy and security of citizens in this regard.

Although the current Law on the Protection of Personal Data was passed in 2006, the general impression is that data protection is still a new term in Bosnia & Herzegovina and citizens still do not have a suffciently developed awareness of the importance of personal data protection. Nevertheless, the situation changed for the better after the entry into force of the GDPR in May 2018, all due to its extended territorial application which was immediately recognized by business entities in Bosnia & Herzegovina who process data of data holders from the EU in accordance with Article 3 of the GDPR, i.e. through activities related to offering goods or services to data holders in the EU, or monitoring their behaviour as long as it takes place within the EU. In addition, another reason for the increased interest of BIH business entities for GDPR and effort to comply with its requirements, are the extremely high fines imposed in cases of abuse of data that can even reach up to EUR 20,000,000 or up to 4% of the total annual turnover of the previous financial year on the global level, depending on which amount is higher.

It is clear that the entry into force of the GDPR definitely had a positive effect on Bosnia & Herzegovina, considering that many business entities, being controllers or data processors, began to devote much more attention to data protection and adjust their businesses to the demands of the GDPR, having in mind that it is not enough for them to be aligned only with local legislation but also with the requirements of the GDPR.

Naturally, throughout the process of compliance with the requirements of the GDPR, the most prominent are big organisations that process large amounts of data. However, it is encouraging that small enterprises, not only those with foreign founders, are also oriented towards the GDPR and give their contribution to the general improvement of citizens' awareness when it comes to the importance of personal data and privacy protection.

In addition, it is also very encouraging that business entities in Bosnia & Herzegovina, especially large organisations, have begun to assess the impact on personal data protection (DPIA) for existing and for future work processes, which was earlier almost unimaginable. This trend is unfortunately present in very small percentages and is related only to business entities in the economy, while state authorities, public agencies, and institutions still do not make any efforts to improve the protection of personal data or to comply with GDPR requirements.

As in many other countries, it remains an open issue in Bosnia & Herzegovina, along with the issue of how to influence and force state authorities and public institutions to be more effective in applying the regulations related to the data protection, since they have to be an example to other entities in presenting the importance of personal data and privacy protection.

Dragan Stijak

Dragan Stijak

Law Firm Sajic, Banja Luka, Bosnia & Herzegovina
T: + 387 51 227 620
E: This email address is being protected from spambots. You need JavaScript enabled to view it.; W:

Published: GGI Insider, No. 100, March 2019 l Photo: NicoElNino -


Ggi Logo 150x109px

GGI Global Alliance AG

Sihlbruggstrasse 140
6340 Baar


T: +41 41 7252500
F: +41 41 7252501
This email address is being protected from spambots. You need JavaScript enabled to view it.