DPA — Do You Have One Yet, and Why Not?


You use cloud hosting. You outsource payroll. Your marketing agency sends emails on your behalf. Your IT support provider has remote access to company systems. Quick question — do you have a Data Processing Agreement with any of them?

If you hesitated, you’re not alone. Most companies in Bosnia and Herzegovina haven’t even heard of a Data Processing Agreement (DPA), let alone signed one. But with the new “Zakon o zaštiti ličnih podataka” (Law on Personal Data Protection) coming into force in October 2025, that needs to change — fast.

What Is a Data Processing Agreement?

A Data Processing Agreement is a contract between a controller (your company — the one that decides why and how personal data is used) and a processor (any external party that handles that data on your behalf). It spells out the ground rules: what data is being processed, for what purpose, how long, what security measures must be in place, and what happens to the data when the relationship ends.

Think of it this way: if you hand someone the keys to your customer database, a DPA is the written agreement that says exactly what they can and can’t do with those keys.

The legal basis for this requirement is “Član 30” (Article 30) of the new law, which lays out in detail what such an agreement must contain and what obligations the processor takes on.

Why the New Law Changes Everything

Bosnia and Herzegovina’s previous data protection framework — dating back to 2006 — didn’t require this kind of formal agreement between controllers and processors. Companies could (and did) share personal data with external providers based on little more than a general service contract and a handshake.

The new law changes that completely. Modelled closely on the EU’s GDPR Article 28, it requires that every controller-processor relationship be governed by a written agreement — and “written” includes electronic form, so a signed PDF or digital contract counts.

Here’s the silver lining: if your company already works with EU partners, there’s a good chance you have GDPR-compliant DPAs in place for those relationships. Since the new B&H law mirrors the GDPR requirements closely, those existing agreements likely cover most of what you need. The gap is usually with your domestic processor relationships — the local IT company, the accounting firm, the HR software provider.

Do You Actually Need One? (Spoiler: Probably Yes)

This is where most companies get surprised. When you hear “data processor,” you might picture a large outsourcing firm handling millions of records. In reality, the definition is much broader. Here are everyday relationships that almost certainly require a DPA:

  • Cloud and SaaS providers — Microsoft 365, Google Workspace, AWS, or any cloud hosting where personal data is stored
  • External bookkeeping and payroll — your accountant handles employee salary data, tax IDs, bank details
  • IT support and managed services — if they can access your systems remotely, they can access personal data
  • Marketing tools and CRM platforms — Mailchimp, HubSpot, or any tool managing customer contact information
  • HR software — platforms handling employee records, leave management, recruitment data
  • Physical security providers — if a third party manages your CCTV system, they’re processing personal data

The rule of thumb is simple: if someone outside your organization touches personal data on your behalf, you need a DPA.

And it doesn’t stop there. The law also addresses sub-processors — if your processor hires another processor (say, your IT provider uses a sub-contracted cloud service), that relationship needs to be covered too. Your processor can’t engage a sub-processor without your prior written approval, and the same data protection obligations must flow down the chain.

What Must Be in the Agreement

Article 30 is quite specific about what the DPA must include. In plain terms, the processor commits to:

  • Follow your instructions only — process data solely based on your documented instructions, nothing more
  • Ensure confidentiality — all people with access to the data must be bound by confidentiality obligations
  • Implement proper security — apply appropriate technical and organizational measures to protect the data (the law details these in Član 34)
  • Respect sub-processor rules — no hiring additional processors without your written consent
  • Help you respond to data subject requests — if a customer asks to see or delete their data, the processor must assist
  • Delete or return data when done — once the service ends, the processor must either delete all personal data or hand it back to you
  • Allow audits — you (or an auditor you appoint) must be able to inspect and verify compliance

If this list looks familiar to anyone who’s dealt with GDPR, that’s because it’s essentially the same. The Croatian Data Protection Authority (AZOP) has even published a DPA template — and since both laws share the same GDPR DNA, it’s a useful reference point. Bosnia’s Agencija za zaštitu ličnih podataka may issue its own standard contractual clauses in the future (the law explicitly allows for this), but for now, you’ll need to draft your own or adapt an existing template.

What Happens If You Don’t Have One?

Beyond the obvious legal risk under the new law, the practical consequences are worth thinking about. If a processor mishandles personal data and there’s no DPA in place, you as the controller have no contractual basis to hold them accountable. You’re exposed, and so are the people whose data was compromised.

There’s also a growing commercial reality. EU companies — especially those subject to NIS2 or GDPR supply chain requirements — increasingly ask partners and vendors to demonstrate that proper DPAs are in place. If you work with clients in Croatia, Slovenia, Germany, or anywhere in the EU, not having DPAs can cost you business, not just fines.

It’s Simpler Than It Sounds

If this all feels overwhelming, take a breath. A well-drafted DPA is largely a one-time effort per processor relationship. Once you’ve mapped out who processes personal data on your behalf and put agreements in place, you’re covered — with periodic reviews when relationships or services change.

The first step is straightforward: make a list of every external party that has access to personal data in your organization. You’ll likely be surprised how long that list is. From there, it’s a matter of drafting agreements that meet the law’s requirements and getting them signed before October 2025.

If you’d like help mapping your processor relationships or drafting DPAs that actually meet the new law’s requirements, book a free 30-minute consultation — we’ll help you figure out where you stand and what needs to happen next.

