
Data Protection and GDPR in Bosnia and Herzegovina - a Guide for Companies

NeoBit team | Jun 15, 2026 | 10 min read

Data protection in Bosnia and Herzegovina is governed by the domestic Law on the Protection of Personal Data, but every company that processes the data of European Union citizens is also subject to the General Data Protection Regulation (GDPR). In practice, this means companies in BiH must have a legal basis for processing, apply appropriate technical and organisational measures, and be ready to report a data breach within the statutory deadline. Compliance is not a one-off project but an ongoing risk management process.

Our solution

Cyber protection and compliance - we guide you to compliance and security. You do not have to do it alone; we handle it for your company. Request a free assessment.

The legal framework: what applies in Bosnia and Herzegovina

Many business owners assume that GDPR "does not apply" in BiH because the country is not a member of the European Union. That is only partly true. Two separate but connected layers of rules are in force.

The first layer is the domestic Law on the Protection of Personal Data of BiH, overseen by the Personal Data Protection Agency (AZLP). It requires every entity that processes the personal data of individuals on the territory of BiH, from a small trade in Mostar to a large enterprise, to carry out processing lawfully, transparently and with appropriate security.

The second layer is GDPR, the European regulation with extraterritorial effect. It applies to a company in BiH as soon as that company offers goods or services to people in the EU or monitors their behaviour. A practical example: a webshop in Mostar that sells to customers in Germany, or a software company that processes the data of users in Croatia, falls under GDPR regardless of where it is based.

For companies in the region, a sensible rule applies: if you do business with the EU market or plan to, build your processes to the GDPR standard because it is stricter. This automatically satisfies the domestic requirements as well, and you do not have to maintain two separate systems.

Who are the "controller" and the "processor"?

Two roles determine your obligations. The data controller is the one who decides why and how data is processed, most often the company itself for the data of its customers and employees. The data processor processes data on behalf of the controller, for example an external accounting service, a hosting provider or an email marketing tool. The relationship between them must be governed by a written data processing agreement. If you use cloud services, you very likely already have processors and you are accountable for them.

Key company obligations in practice

Compliance comes down to a few fundamental obligations that apply regardless of company size. The difference lies in scope, not in whether they apply at all.

  • A legal basis for processing. For every category of processing you must have a basis: consent, performance of a contract, a legal obligation or legitimate interest. Consent must be freely given, specific and revocable, and a pre-ticked box is not valid consent.
  • A record of processing activities. You need to document what data you collect, why, where you store it, for how long and with whom you share it. This record is the foundation of everything else and the first thing a supervisory authority asks for.
  • Transparency towards data subjects. A privacy policy must clearly explain the purposes of processing and the rights of individuals. Generic, copied texts that do not match the company's actual processes do more harm than good.
  • Exercising data subject rights. Individuals have the right to access their data, and to rectification, erasure, restriction and portability. You must have a procedure for receiving and resolving these requests within the deadline.
  • Security of processing. You are required to apply technical and organisational measures appropriate to the risk, on which more below.
  • Reporting a data breach. A serious breach (a leak, unauthorised access, ransomware) must be reported to the supervisory authority, and under GDPR the deadline is 72 hours from becoming aware of it. That is why it is important to have a response plan in place before an incident occurs.

Do you need a Data Protection Officer (DPO)?

Appointing a Data Protection Officer (DPO) is mandatory when the core activity consists of regular and systematic monitoring of individuals on a large scale, or the processing of special categories of data (e.g. health data). A small retail company is usually not required to appoint a DPO, but it must still designate who is internally responsible for data protection. The function can also be entrusted to an external expert, which is often a more sensible solution for smaller companies.

Technical and organisational measures: where data protection really happens

GDPR deliberately does not prescribe an exact list of technologies, because the risk is not the same for everyone. Instead, it requires measures "appropriate to the risk". In practice, this means a company must assess how sensitive the data is and how likely misuse is, and then choose protection accordingly. The measures are divided into technical and organisational ones, and the most effective solution combines both approaches.

Type of measure | Examples | What it prevents
Technical | Encryption of data in transit and at rest, two-factor authentication, network segmentation, regular backups, patch management | Unauthorised access, interception of data, data loss in the event of a failure or attack
Organisational | Access policies based on the principle of least privilege, employee training, confidentiality agreements, clear incident procedures | Human error, abuse of internal privileges, phishing, uncontrolled data sharing
Control | Penetration testing, security monitoring (SOC/MDR), review of access rights, a data protection impact assessment (DPIA) | Undetected vulnerabilities and threats that bypass the basic measures

It is especially important to understand that paperwork without real technical protection does not amount to compliance. If you have a neatly written privacy policy but an unpatched server and passwords that employees share over messages, you have not protected the data, you have only documented an intention. That is why serious data protection always links the legal and technical layers.

The most common way to check how much your measures are really worth is an independent review. Penetration testing and other security services show how an attacker could realistically reach your data, which is a more valuable insight than any self-assessment checklist.

How to bring your company into compliance: the steps

Achieving compliance looks daunting until you break it down into phases. The following sequence works well for small and medium-sized enterprises in BiH.

  1. Data mapping. List all the data you process, the systems it passes through and who has access to it. Without this step, the rest is guesswork.
  2. Risk assessment. For each processing activity, evaluate the sensitivity of the data and the possible consequences of a breach. This is how you set investment priorities.
  3. Legal basis and documentation. Arrange consents, agreements with processors and the privacy policy so that they reflect the actual situation.
  4. Technical measures. Introduce encryption, two-factor authentication, access control and reliable backups. Remediate the vulnerabilities uncovered by testing.
  5. Incident response plan. Define who does what in the event of a data breach and how it is reported within the deadline. A plan is only worth something if it has been rehearsed.
  6. Training and oversight. Train employees and introduce regular reviews, because both data and threats change over time.

If you are not sure where your current level stands, a useful first step is a structured self-assessment. Our security assessment questionnaire helps you quickly identify the weakest points before you invest in more expensive measures.

The link with ISO 27001 and SOC monitoring

Companies that want a systematic approach often adopt the ISO 27001 standard for information security management. Methodologically, it dovetails well with GDPR because it also requires risk assessment and continuous improvement. For real-time threat detection, more and more enterprises, in the region too, use external security monitoring (MDR/SOC), which watches systems around the clock and shortens the time to detect an incident. Faster detection is precisely what GDPR demands when it speaks of timely breach notification.

Data minimisation and retention periods

One of the most underrated principles is data minimisation: collect only what you genuinely need for a specific purpose and keep it only for as long as necessary. Many companies accumulate old applications, CVs of candidates who were never hired and contacts from long-finished campaigns for years. Every such record is a liability, not an asset: in the event of a leak it widens the damage, and in the event of an inspection it makes it harder to prove the lawfulness of processing.

The practical solution is a retention policy that, for each category of data, defines a period and a procedure for deletion or anonymisation after that period expires. When setting periods, take into account legal obligations (for example, accounting records have prescribed retention periods) and actual business need. Regularly "cleaning up" data reduces risk and simplifies compliance at the same time.
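What such a retention policy looks like once it is turned into something a system can enforce is shown in the following added example. It is not code from NeoBit or from the original guide; the data categories, the retention periods, the sample records and the field names are all constructed for illustration, and the statutory period for accounting records is a placeholder. Each record is matched against the rule for its category and ends up as "keep", "delete", "anonymise" or "review"; a legal hold overrides the schedule, and a category with no rule is flagged for review rather than silently kept or removed.

```python
"""Retention policy enforcement: for each record, decide whether it is kept,
deleted or anonymised once its category's retention period has expired."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention schedule: one rule per data category. The periods are
# placeholders for illustration; real values come from the statutory obligation
# or the documented business need for each category.
@dataclass(frozen=True)
class RetentionRule:
    days: int      # retention period counted from the record's reference date
    action: str    # what happens after expiry: "delete" or "anonymise"

RETENTION_SCHEDULE = {
    "job_application": RetentionRule(days=180, action="delete"),
    "campaign_contact": RetentionRule(days=365, action="delete"),
    "customer_order": RetentionRule(days=3 * 365, action="anonymise"),   # order statistics stay useful
    "accounting_record": RetentionRule(days=10 * 365, action="delete"),  # placeholder statutory period
}

# Fields that identify a person; anonymisation removes them outright. Replacing
# them with a hash would only pseudonymise the record, not anonymise it.
PERSONAL_FIELDS = ("name", "email", "phone")

@dataclass
class Record:
    category: str
    reference_date: date            # date from which the retention period is counted
    data: dict = field(default_factory=dict)
    legal_hold: bool = False        # e.g. subject of a dispute or an inspection

def decide(record: Record, today: date) -> str:
    """Return "keep", "delete", "anonymise" or "review" for one record."""
    rule = RETENTION_SCHEDULE.get(record.category)
    if rule is None:
        return "review"            # unmapped category: never silently keep or delete
    if record.legal_hold:
        return "keep"              # a hold overrides the schedule until it is lifted
    if today < record.reference_date + timedelta(days=rule.days):
        return "keep"
    return rule.action

def anonymise(data: dict) -> dict:
    """Copy of the record's data with every identifying field removed."""
    return {k: v for k, v in data.items() if k not in PERSONAL_FIELDS}

def apply_policy(records, today: date) -> dict:
    """Sort a batch of records into the four outcomes; anonymised records are rewritten."""
    outcome = {"keep": [], "delete": [], "anonymise": [], "review": []}
    for r in records:
        action = decide(r, today)
        if action == "anonymise":
            r = Record(r.category, r.reference_date, anonymise(r.data), r.legal_hold)
        outcome[action].append(r)
    return outcome

# Constructed sample data; the dates and contents are made up for the example.
TODAY = date(2026, 6, 15)
SAMPLE_RECORDS = [
    Record("job_application", date(2025, 10, 1), {"name": "A. Candidate", "email": "a@example.test"}),
    Record("job_application", date(2026, 5, 1), {"name": "B. Candidate", "email": "b@example.test"}),
    Record("campaign_contact", date(2024, 1, 15), {"email": "c@example.test"}),
    Record("customer_order", date(2022, 1, 10), {"name": "D. Buyer", "email": "d@example.test", "total": 120.5}),
    Record("customer_order", date(2022, 1, 10), {"name": "E. Buyer", "total": 80.0}, legal_hold=True),
    Record("accounting_record", date(2015, 3, 1), {"name": "F. Supplier", "invoice": "INV-1"}),
    Record("analytics_log", date(2026, 1, 1), {"ip": "203.0.113.7"}),   # no rule defined
]

def run_demo(records=SAMPLE_RECORDS, today=TODAY) -> dict:
    """Counts per outcome, the kind of summary a retention report would contain."""
    outcome = apply_policy(records, today)
    return {k: len(v) for k, v in outcome.items()}

if __name__ == "__main__":
    for action, n in run_demo().items():
        print(f"{action}: {n}")
```

Run against the sample batch, the schedule deletes three records, anonymises one order (its total survives, the buyer's name and email do not), keeps the unexpired application and the order under legal hold, and sends the unmapped analytics log for review. Whatever runs the job should log each decision, because a supervisory authority may ask for proof that the deletion actually happened and not just that a policy exists.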

Transferring data outside BiH and the EU

As soon as you use cloud tools, your data very likely leaves the country. An email platform, hosting, a support system or analytics often store data on servers in other countries. GDPR specifically regulates the transfer of personal data to countries outside the European Union and requires appropriate safeguards, most often standard contractual clauses with the service provider.

For a company in BiH, this means two concrete actions. First, list which external services process your data and where that data is physically located. Second, check whether you have a processing agreement with those providers that includes a legal basis for the transfer. This is easy to overlook because services are arranged with a click, but the responsibility towards your customers remains with you as the data controller.
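The record of processing activities described earlier and the two actions above (list the external services, check the agreements and transfer safeguards) can be checked mechanically once the register is kept in a structured form. The following added example does that; it is not code from NeoBit or from the original guide. The register fields, the sample activities and processors, the assumed home country of BA (Bosnia and Herzegovina) and the treatment of every EU/EEA member state as needing no transfer safeguard are assumptions made for the example, not a prescribed legal format.

```python
"""Gap check over a record of processing activities: every activity needs a
legal basis, a purpose and a retention period; every processor needs a written
agreement and, if it stores data outside BiH and the EU/EEA, a transfer safeguard."""
from dataclasses import dataclass, field
from typing import Optional

HOME_COUNTRY = "BA"   # assumed: the controller is established in Bosnia and Herzegovina

# EU/EEA member states (ISO 3166-1 alpha-2). Storage anywhere else, other than
# the home country, is treated as a transfer that must have a documented safeguard.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
LEGAL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}

@dataclass
class Processor:
    name: str
    country: str                  # where the data is physically stored
    dpa_signed: bool              # written data processing agreement in place
    transfer_safeguard: str = ""  # e.g. "SCC"; empty means nothing documented

@dataclass
class Activity:
    name: str
    purpose: str
    legal_basis: str
    retention_days: Optional[int]  # None means no period has been defined
    processors: list = field(default_factory=list)

def check_activity(a: Activity) -> list:
    """Findings for one activity; an empty list means no gap was detected."""
    findings = []
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"{a.name}: no valid legal basis recorded")
    if not a.purpose:
        findings.append(f"{a.name}: purpose of processing not stated")
    if a.retention_days is None:
        findings.append(f"{a.name}: no retention period defined")
    for p in a.processors:
        if not p.dpa_signed:
            findings.append(f"{a.name}: no processing agreement with {p.name}")
        if p.country not in EU_EEA | {HOME_COUNTRY} and not p.transfer_safeguard:
            findings.append(f"{a.name}: transfer to {p.name} in {p.country} has no documented safeguard")
    return findings

def check_register(activities) -> list:
    """Findings across the whole register, in register order."""
    return [f for a in activities for f in check_activity(a)]

# Constructed sample register; the services and locations are made up.
SAMPLE_REGISTER = [
    Activity("webshop_orders", "order fulfilment and invoicing", "contract", 3 * 365,
             [Processor("hosting-eu", "DE", dpa_signed=True),
              Processor("mail-tool", "US", dpa_signed=True, transfer_safeguard="SCC")]),
    Activity("newsletter", "marketing to subscribers", "consent", None,
             [Processor("analytics-saas", "US", dpa_signed=False)]),
    Activity("recruitment", "", "", 180),
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(finding)
```

On the sample register the webshop activity passes, the newsletter produces three findings (no retention period, no agreement with the analytics service, and a transfer to the US with nothing documented), and the recruitment entry is missing both its purpose and its legal basis. Running a check like this each time a new SaaS tool is added catches exactly the "arranged with a click" services the paragraph above warns about.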

The most common mistakes companies make in BiH

A few patterns recur in practice that needlessly expose companies to risk:

  • Assuming GDPR does not apply because the company is based in BiH, while it actively does business with EU customers.
  • A privacy policy copied from someone else's website that does not describe the actual processing activities.
  • Collecting more data than necessary, which also increases the damage in the event of a leak.
  • No backups, or backups that no one has ever tested for recovery.
  • The absence of an incident plan, so the company loses precious time in the first hours of a breach.

Most of these mistakes can be remedied without a large budget. The key is to start from data mapping and a realistic risk assessment, and only then invest in technology. If you would like an external assessment or help with compliance, get in touch with the NeoBit team for a concrete conversation about the state of your company.

Frequently asked questions

Does GDPR apply to companies in BiH?

GDPR does not automatically apply to all companies in BiH, but it applies as soon as a company offers goods or services to people in the European Union or monitors their behaviour. A webshop in Mostar that sells to customers in the EU falls under GDPR, regardless of the fact that it is based outside the Union. Domestic companies are also always subject to the Law on the Protection of Personal Data of BiH.

What is the difference between the domestic law and GDPR?

The Law on the Protection of Personal Data of BiH is a domestic regulation overseen by the Personal Data Protection Agency and applies to processing on the territory of BiH. GDPR is a European regulation with extraterritorial effect and is generally stricter. If you bring your operations into line with the GDPR standard, you usually also satisfy the domestic requirements, so you do not have to maintain two separate systems.

Within what deadline must a data breach be reported?

Under GDPR, a serious personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and in certain cases the affected individuals must also be notified. That is why it is crucial to have an incident response plan prepared in advance, because the first hours decide how great the damage and exposure will be.

Does a small company need a Data Protection Officer?

Most small companies are not required to appoint a Data Protection Officer (DPO). The obligation arises in the case of regular and systematic monitoring of individuals on a large scale, or the processing of special categories of data, such as health data. Even so, every company should internally designate who is responsible for data protection, and that function can also be entrusted to an external expert.
