Data protection & privacy laws in Bosnia & Herzegovina (2026)

The Law on Personal Data Protection (OG BiH No. 12/25) was adopted by the Parliamentary Assembly on 30 January 2025 and repeals the 2006 Personal Data Protection Act. It is directly modelled on the GDPR (EU 2016/679) and also transposes Directive 2016/680 (law-enforcement data processing).

The Agency for Personal Data Protection (AZLP) is the independent national supervisory authority. The 2025 law substantially strengthens its powers, granting it investigatory, corrective, and sanctioning competencies explicitly modelled on GDPR Article 58.

The law codifies the full GDPR suite of rights: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and the right to object, as well as rights related to automated decision-making and profiling.

Controllers must maintain records of processing activities, apply data-protection-by-design and by-default, conduct data-protection impact assessments for high-risk processing, and appoint a Data Protection Officer (DPO) where required. Foreign controllers processing BiH residents' data must designate a local representative.

For the most serious infringements, fines can reach up to BAM 40 million (approximately EUR 20 million) or 4% of total worldwide annual turnover, whichever is higher — a direct parallel to GDPR's two-tier penalty structure.

Alignment with GDPR is a formal EU accession requirement for BiH, which received candidate status in 2022. As of early 2026 the AZLP had not yet published all secondary implementing bylaws and guidelines, meaning some operational detail remains pending.