IA Law Firm Bosnia reports: Bosnia and Herzegovina Enters GDPR Regime in October – Fines Up to BAM 40 Million

IA Law Firm Bosnia informs readers that, as of October 4, 2025, Bosnia and Herzegovina officially enters a new era of personal data protection.
With the entry into force of the Law on Personal Data Protection of Bosnia and Herzegovina (“Official Gazette of BiH”, No. 12/2025), the legal framework in BiH is aligned with the European General Data Protection Regulation (GDPR), introducing a stricter regime for all entities processing citizens’ personal data.

The law introduces a series of new obligations for data controllers—public institutions, companies, and organizations that collect, process, or manage citizens’ data.

What’s Changing?

Some of the most significant changes include:

  • Mandatory appointment of Data Protection Officers in certain sectors (particularly in public administration and when processing sensitive data),
  • Maintaining records of personal data processing, accessible to competent inspectors (abolishing the Central Register),
  • Obligation to report data breaches to the Personal Data Protection Agency and affected individuals when their rights may be at risk,
  • Conducting privacy impact assessments before launching extensive and high-risk data processing activities,
  • Fines aligned with GDPR standards, reaching record amounts for both legal and natural persons.

You can view the full text of the new Law here:
🔗 https://www.paragraf.ba/propisi/bih/novi-zakon-o-zastiti-licnih-podataka.html

Fines in BiH: Up to an astonishing BAM 40 million

According to the new law, Bosnia and Herzegovina has prescribed the following penalties for violations of personal data protection provisions:

For legal entities (data controllers):
🔹 From BAM 10,000 to BAM 20,000,000, or up to 2% of total annual global turnover, whichever is higher.

For legal entities (data processors):
🔹 From BAM 20,000 to BAM 40,000,000, or up to 4% of total annual global turnover in the previous financial year (for entrepreneurs).

For responsible natural persons (directors, managers, officers):
🔹 From BAM 5,000 to BAM 70,000.

For employees who cause violations through their actions:
🔹 From BAM 500 to BAM 5,000.

These sanctions are unexpectedly high compared to other laws in force in BiH, raising doubts among many as to whether the Law will be implemented effectively. While personal data protection is still considered a secondary concern in many business operations, it is noteworthy that the largest monetary fines are introduced precisely under this law.

Major Fines Across Europe as a Warning

The enforcement of the GDPR in the EU has already resulted in significant fines, demonstrating how seriously regulators take violations of privacy rights:

📍 In 2023, Meta (Facebook) was fined a record €1.2 billion in Ireland for the unlawful transfer of user data from the EU to the US.
📍 In Bulgaria, a 2019 cyberattack on the Tax Administration led to the massive leakage of data from over 5 million citizens. Fines exceeded €3 million.
📍 In Croatia, the highest fine to date—€2.26 million—was imposed in 2023 on B2 Kapital for processing data of over 130,000 individuals without adequate protection measures.

Time to Prepare Is Running Out

The new law leaves very little room for delay. Entities that fail to align their operations with the new rules by October 4 face serious legal and financial risks.
Have you already taken the necessary steps by appointing Data Protection Officers, adopting clear documentation, and establishing records and security procedures? These obligations—along with many others—are no longer just recommendations, but mandatory requirements whose breach can seriously jeopardize your company’s operations.

For more information about IA Law Firm Bosnia’s services in this area, visit:
🔗 https://ia-lawfirm.com/en/information-technologies-media-and-telecommunications/