Law: Law on the Protection of Personal Data No. 49/06

Regulator: Agency for Personal Data Protection in Bosnia and Herzegovina (AZLP)

 Summary: The Law on the Protection of Personal Data No. 49/06 (PDPL) governs data protection in Bosnia and Herzegovina (BiH), which consists of administrative units divided into the Federation of BiH, the Republika Srpska, and Brčko District. Notably, the PDPL does not contain a general breach notification obligation. However, the PDPL does require data controllers to notify data subjects of their intention to establish a personal data filing system along with specific information, and that data controllers enter into a written data processing agreement with any data processors. Furthermore, the PDPL stipulates that data controllers must submit a notification or request for intention to create a personal data filing system to the Agency for Personal Data Protection in Bosnia and Herzegovina (AZLP) and may not commence processing until after approval or two months from the AZLP's receipt of the request. As the regulator, the AZLP has issued some decisions, opinions, and guidelines on data protection.

As part of the EU approximation process, BiH has taken the obligation to harmonize all of its legislation with the EU laws, which includes the harmonization of the PDPL with the GDPR. Moreover, BiH has ratified the Protocol amending the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (the Convention 108+).