Personal Data Protection Law in Bosnia and Herzegovina: Why It Is Important to Take the Appointment of a Data Protection Officer (DPO) Seriously

Recently, a lot of attention has been drawn to the news that Bosnia and Herzegovina has adopted a new Law on Personal Data Protection, which is largely harmonized with the provisions of the General Data Protection Regulation (GDPR). However, while the media and social networks mostly relay dry information about the adoption of the law, concrete explanations are lacking – what does this really mean for companies in Bosnia and Herzegovina?

In today’s article, I highlight the importance of complying with one of the obligations of controllers/processors, with reference to European practice.

Appointment of a DPO: A Legal Obligation That Requires Expertise

In today’s business environment, the protection of personal data has become imperative for organizations of all sizes. A key role in this process is played by the Data Protection Officer (DPO), whose responsibility is to ensure compliance with the legislation and to protect individuals’ rights.

One of the obligations introduced by the new law is the appointment of a Data Protection Officer (DPO) in certain cases.

According to Article 39(5) of the Law on Personal Data Protection of Bosnia and Herzegovina:

"The Data Protection Officer shall be appointed based on his or her professional qualifications, in particular expert knowledge of law and practice regarding personal data protection and the ability to perform the tasks referred to in Article 41 of this Law."

This means that companies should not formally appoint just any employee as a DPO simply to tick the legal box, without a genuine assessment of that person's qualifications. The law clearly requires that the person possess appropriate legal and professional qualifications, including practical experience in the field of data protection.

It is therefore important to emphasize that appointing a Data Protection Officer cannot be a mere administrative act – companies that appoint an unqualified person may face problems with regulatory oversight, deficient record-keeping, violations of individuals' privacy rights, and ultimately – penalties.

Companies can fulfill this legal obligation in several ways – the role of the Data Protection Officer (DPO) can be assigned to a qualified person already employed in the organization, a person engaged through a service contract, or an external expert, such as a lawyer with relevant knowledge and experience.

Lessons from Practice: How Inadequate Appointment of a DPO Leads to Fines

Recent cases from European practice clearly show that an inadequate approach to this function can result in serious consequences – both financial and reputational.


Norway: Telecom Fined €350,000 for DPO-Related Failures

The Norwegian Data Protection Authority (Datatilsynet) imposed a fine of NOK 4,000,000 (approximately €351,478) on the telecommunications company Telenor ASA for non-compliance with GDPR provisions relating to the appointment and role of the Data Protection Officer (DPO), as well as for inadequate organizational measures for data protection.

  • Failure to appoint a DPO: Telenor ASA abolished the DPO position, taking the view that the company no longer met the criteria that make appointment mandatory under Article 37(1) of the GDPR. However, it could not produce documentation to support that assessment.
  • Lack of public contact information: The DPO’s contact details were not publicly available on the company’s website but only on the internal intranet, making them accessible only to employees.
  • Incomplete records of processing activities (ROPA): The investigation found that data processing records were incomplete, and the DPO was not adequately involved in data protection matters.
  • Conflict of interest: The DPO simultaneously held a legal counsel position, creating a potential conflict of interest.

This case clearly demonstrates that a superficial understanding of the DPO's role and responsibilities can have serious consequences. The DPO must be independent, involved properly and in a timely manner in all matters relating to the protection of personal data, and must be visible and accessible to both employees and the public.


Greece: Fine for Ignoring Supervisory Authority’s Request

In 2023, as part of a coordinated enforcement action of the European Data Protection Board (EDPB), the Hellenic Data Protection Authority (HDPA), together with most EDPB members, investigated the topic of the "Designation and Position of Data Protection Officers". The Hellenic DPA adopted a standardized questionnaire and sent it to 31 public bodies in Greece, including the Municipality of Athens. The Municipality failed to respond by the deadline, thereby breaching its obligation to cooperate with the supervisory authority (Article 31 of the GDPR).

This case shows that the appointment of a DPO is not just an internal act, but also an obligation that requires open and continuous communication with regulators.


Croatia: €169,000 in Fines for Unlawful Processing and DPO-Related Failures

The Croatian Data Protection Authority (AZOP) issued fines totaling €169,000, including a fine imposed on a company that processed data from the Ministry of the Interior's database without a legal basis. This highlights the importance of the DPO's role in monitoring the lawfulness of processing and the legal grounds relied on. Two further fines were issued for failures to appoint a DPO: one of €12,000 to a casino and another of €10,000 to a company producing oils and fats.

What Does This Mean for Companies in Bosnia and Herzegovina?

The new Law on Personal Data Protection in Bosnia and Herzegovina precisely defines the obligations that companies must fulfill, leaving little room for evasion or manipulation of legal provisions. Companies are required to bring their operations into compliance with this law no later than October 4, 2025.

As a lawyer specializing in personal data protection, I offer expert advice to help ensure your organization is fully compliant with the Law on Personal Data Protection. If you are unsure whether your organization needs to appoint a DPO, how to properly fulfill this obligation, how to include the DPO in business processes, or how to build internal policies and procedures – now is the right time to focus on this important issue and protect your organization from potential legal and reputational risks.