New Law in Bosnia and Herzegovina: Video Surveillance and Biometrics Under Strict Control

A new Personal Data Protection Law has come into force in Bosnia and Herzegovina, marking the fulfillment of one of the key requirements on the country’s path toward European Union membership. The law will begin to be applied on October 4 and is fully aligned with the EU’s General Data Protection Regulation (GDPR). In addition to names and photographs, it now covers IP addresses, email addresses, and biometric data such as fingerprints, particularly when used for recording working hours.

One of the major novelties is the introduction of the “right to be forgotten,” which allows citizens to request the deletion of their data when there is no longer a legal basis for its processing. At a professional seminar in Mostar, Professor Marija Boban emphasized that “basic technical measures are no longer sufficient—every processing activity must have a clear legal basis, whether it is a statutory obligation, legitimate interest, or explicit consent.”

The law also sets strict penalties, ranging from 500 BAM (approx. EUR 250) for individuals to up to 40 million BAM or 4% of global annual turnover for companies, depending on the severity of the violation. It obliges organizations in both the public and private sectors to educate staff and appoint data protection officers. A common violation, such as sending newsletters without user consent, is now considered unlawful.

The Personal Data Protection Agency will be granted broader supervisory and sanctioning powers, while biometric data may not be processed without the explicit consent of employees.

Professor Boban stressed that “protection starts with education and clear procedures, and organizations that make an effort to comply may only receive warnings, while those that fail to act will inevitably face penalties.”

The law applies not only to digital systems but also to everyday practices, such as publishing employee information on company websites or the use of video surveillance, which must now be clearly marked and legally justified. Similar regulations have already been implemented in EU member states like Croatia and Slovenia, and they are now mandatory for institutions and businesses in Bosnia and Herzegovina as well. Experts underline that timely preparation is the best way to avoid heavy fines.