{"id":3133,"date":"2025-09-15T09:49:00","date_gmt":"2025-09-15T07:49:00","guid":{"rendered":"https:\/\/consalta.ba\/?p=3133"},"modified":"2026-03-17T14:49:20","modified_gmt":"2026-03-17T13:49:20","slug":"dpa-do-you-have-one-yet-and-why-not","status":"publish","type":"post","link":"https:\/\/consalta.ba\/en\/dpa-do-you-have-one-yet-and-why-not\/","title":{"rendered":"DPA \u2014 Do You Have One Yet, and Why Not?"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"data\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

You use cloud hosting? You outsource payroll? Your marketing agency sends emails on your behalf? Your IT support provider has remote access to company systems? Quick question – do you have a Data Processing Agreement with any of them?<\/strong><\/p>\n

If you hesitated, you’re not alone. Most companies in Bosnia and Herzegovina haven’t even heard of a Data Processing Agreement (DPA), let alone signed one. But with the new “Zakon o za\u0161titi li\u010dnih podataka<\/a>“<\/strong> (Law on Personal Data Protection) coming into force in October 2025, that needs to change – fast.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What Is a Data Processing Agreement?<\/h2>\n

A Data Processing Agreement is a contract between a\u00a0controller<\/strong> (your company – the one that decides why and how personal data is used) and a processor<\/strong>\u00a0(any external party that handles that data on your behalf). It spells out the ground rules: what data is being processed, for what purpose, how long, what security measures must be in place, and what happens to the data when the relationship ends.<\/p>\n

Think of it this way: if you hand someone the keys to your customer database, a DPA is the written agreement that says exactly what they can and can’t do with those keys.<\/p>\n

The legal basis for this requirement is “\u010clan 30″<\/strong>\u00a0(Article 30) of the new law, which lays out in detail what such an agreement must contain and what obligations the processor takes on.<\/p>\n

Why the New Law Changes Everything<\/h2>\n

Bosnia and Herzegovina’s previous data protection framework \u2014 dating back to 2006 – didn’t require this kind of formal agreement between controllers and processors. Companies could (and did) share personal data with external providers based on little more than a general service contract and a handshake.<\/p>\n

The new law changes that completely. Modelled closely on the EU’s\u00a0GDPR Article 28<\/a>, it requires that every controller-processor relationship is governed by a written agreement – and “written” includes electronic form, so a signed PDF or digital contract counts.<\/p>\n

Here’s the silver lining: if your company already works with EU partners, there’s a good chance you have GDPR-compliant DPAs in place for those relationships. Since the new B&H law mirrors the GDPR requirements closely,\u00a0those existing agreements likely cover most of what you need<\/strong>. The gap is usually with your domestic processor relationships – the local IT company, the accounting firm, the HR software provider.<\/p>\n

Do You Actually Need One? (Spoiler: Probably Yes)<\/h2>\n

This is where most companies get surprised. When you hear “data processor,” you might picture a large outsourcing firm handling millions of records. In reality, the definition is much broader. Here are everyday relationships that almost certainly require a DPA:<\/p>\n