BiH DPA 2025

Data Protection Act of Bosnia and Herzegovina

Key Facts

Effective Date: October 1, 2025
Enacted: January 30, 2025
Enforcing Authority: AZLP (Agency for Personal Data Protection of Bosnia and Herzegovina)
Consent Model: Opt-in
Applies To: Any organization processing personal data of individuals in Bosnia and Herzegovina

Overview

Bosnia and Herzegovina adopted a new GDPR-aligned Data Protection Act on January 30, 2025, with enforcement beginning October 2025. The law aligns with both the GDPR and the EU Law Enforcement Directive, establishing GDPR-level penalties and granting the AZLP significant enforcement powers.

What This Means for Your Website

  • Consent will be required for personal data processing including cookies when enforcement begins in October 2025
  • GDPR-level penalties apply: up to EUR 20 million or 4% of global annual turnover
  • The AZLP has been granted significant enforcement powers, though its initial approach remains to be seen
  • Data breach notification and cross-border transfer rules apply

Key Requirements

The AZLP enforces the new law with GDPR-level penalties of up to EUR 20 million or 4% of global turnover. The law introduces strengthened data subject rights, data breach notification obligations, and an accountability-based compliance framework. Whether the AZLP will take an aggressive or gradual advisory approach to initial enforcement remains unclear.

How ConsentStack Handles This

ConsentStack applies GDPR-compliant consent standards for visitors from Bosnia and Herzegovina, ensuring compliance as enforcement begins in October 2025.

Penalties

Up to 4% of global annual turnover or EUR 20 million (GDPR-aligned).

Maximum Fine: €20,000,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Consent for personal data processing including cookies
  • Strengthened data subject rights
  • Data breach notification obligations
  • Cross-border data transfer regulations
  • Accountability-based compliance framework

Notable Provisions

  • GDPR-level penalties (up to 4% turnover / EUR 20 million)
  • Enforcement begins October 2025
  • AZLP granted significant enforcement powers
  • Aligns with both GDPR and Law Enforcement Directive

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
FDPA (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.
UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

When does Bosnia's new data protection law take effect?

Enforcement begins October 2025. The law was adopted by parliament on January 30, 2025.

What are the penalties under Bosnia's data protection law?

Up to EUR 20 million or 4% of global annual turnover — matching GDPR penalty levels.

Is Bosnia's law aligned with GDPR?

Yes. The law aligns with both the GDPR and the EU Law Enforcement Directive, establishing comprehensive GDPR-level data protection requirements.
