Law: Law on the Protection of Personal Data No. 49/06 ('the PDPL')

Regulator: Agency for Personal Data Protection in Bosnia and Herzegovina ('AZLP')

 Summary: The PDPL governs data protection in Bosnia and Herzegovina ('BiH'), which consists of administrative units divided into the Federation of BiH, the Republika Srpska, and Brčko District. Notably, the PDPL does not contain a general breach notification obligation. However, the PDPL does require data controllers to ensure information is provided to data subjects and that data controllers enter into a written data processing agreement with any data processors. Furthermore, the PDPL stipulates that data controllers must submit a notification or request for intention to create a personal data filing system to the AZLP and may not commence processing until after approval or two months from the AZLP's receipt of the request. As part of its role as regulator, the AZLP has issued some decisions, opinions and activity reports.