In January 2025, Bosnia and Herzegovina adopted a new Personal Data Protection Law, introducing significant changes in how organizations collect, use, and protect personal data. The primary goal of this law is to align with the European Union’s General Data Protection Regulation (GDPR), which means that organizations must now meet stricter requirements to ensure lawful data processing and privacy protection.
Given that the previous law from 2006 was outdated and did not reflect the realities of digital business, the new regulation establishes stronger rights for individuals, increased obligations for organizations, and higher penalties for non-compliance.
Key changes introduced by the new law
Unlike previous regulations, the new law provides clearer definitions of organizational responsibilities and citizen rights, with a strong emphasis on transparency and data security.
Individuals now have the right to:
- Access and correct their personal data.
- Request data deletion (right to be forgotten), with certain exceptions.
- Restrict data processing, temporarily suspending its use.
- Receive their data in a portable form (data portability), allowing transfer of personal data to another service provider.
- Object to data processing, including automated decision-making.
Organizations are now required to:
- Ensure transparent processing and clearly inform individuals about their rights.
- Implement technical and organizational security measures in line with the principles of privacy by design and privacy by default.
- Maintain records of data processing activities.
- Report any data breaches to the Personal Data Protection Agency within 72 hours.
Additionally, the new law introduces the requirement to appoint a Data Protection Officer (DPO) in organizations that process sensitive data or handle large-scale personal data processing. The DPO plays a crucial role in ensuring compliance, serving as the primary contact point between the company, regulators, and individuals whose data is being processed.
How can organizations achieve compliance?
Many organizations in Bosnia and Herzegovina are facing complex data protection requirements for the first time, unsure of how to apply them in practice. While implementing the ISO 27701 standard is a long-term optimal solution, it is not the only approach.
Consalta offers specialized consulting services to help organizations comply with the new law, including:
- Development of essential data protection documentation, including privacy policies, data processing procedures, and processing activity records.
- Assessment of the current state and identification of compliance gaps, providing a roadmap to full legal compliance.
- Guidance on technical and organizational security measures, ensuring adequate data protection and regulatory adherence.
- External Data Protection Officer (DPO) services, an option allowed under the new law. Organizations can outsource their DPO role instead of appointing an in-house expert, making compliance easier and more cost-effective while ensuring expert support for regulatory inquiries and audits.
ISO 27701 as a long-term data protection solution
For organizations looking for a systematic approach to data protection, ISO 27701 provides a comprehensive framework for compliance with the new law and GDPR. This standard extends ISO 27001 and ISO 27002, offering clear guidelines for privacy management and personal data security.
Key benefits of ISO 27701 include:
- Clearly defined responsibilities for data processing and protection.
- A structured approach to risk assessment and mitigation.
- Well-documented processing activities, making compliance audits more efficient.
- Increased trust from customers and business partners through internationally recognized certification.
ISO 27701 is not just a technical standard—it is a strategic approach that enables organizations to proactively manage privacy risks and minimize legal exposure.
For detailed information on the ISO 27701 standard and how we can assist in its implementation, visit our page ISO 27701 – Privacy Information Management System.
Case study: Sarajevo International Airport
One of the first organizations in Bosnia and Herzegovina to implement ISO 27701 is Sarajevo International Airport. By adopting this framework, the airport enhanced its data protection practices, ensured compliance with GDPR and the new law, and significantly reduced legal and operational risks.
As an organization handling large amounts of sensitive personal data, Sarajevo International Airport used ISO 27701 implementation to increase trust among passengers and business partners, setting an example for other organizations seeking to elevate their data security standards.
You can read more about this success in our blog post Sarajevo International Airport Certified to ISO 27701 Standard.
Conclusion: compliance is not optional—it’s a legal requirement
The adoption of the new Personal Data Protection Law marks a significant step toward strengthening privacy and data security in Bosnia and Herzegovina. However, organizations must now take concrete steps to ensure compliance, including appointing a DPO, implementing privacy policies, securing data processing, and reporting data breaches.
Organizations have multiple paths to compliance—from legal consulting and documentation development to adopting ISO 27701 as a long-term data protection strategy.
Consalta provides tailored solutions to help businesses comply with the new law. Whether you need expert guidance, a complete privacy compliance strategy, or external DPO services, our team is here to help you avoid legal risks and build trust with clients and partners.
For more information on how to align your business with the new law, visit our contact page.