The Personal Data Protection Agency in Bosnia and Herzegovina created, in November 2025, a list of the types of processing of personal data subject to a data protection impact assessment (DPIA). In the selection of processing activities requiring a DPIA, the Agency follows the path previously taken by data protection authorities in EU member states. The relevant processing activities identified by the BiH Agency are listed at the end of this insight.

Implicit inclusion of the two-criteria approach from the Guidelines (WP 248)

The data protection authorities in the EU member states, as a rule, require a DPIA to be conducted when the intended processing activities meet at least two of the nine criteria from the Guidelines on Data Protection Impact Assessment (DPIA) (WP 248), adopted by the Article 29 Working Party in 2017 and subsequently endorsed by the EDPB.

Bosnia and Herzegovina is not an EU member state. Nevertheless, a closer look into the processing activities from the BiH Agency list shows that all but two of those activities meet two or more criteria from the Guidelines (WP 248). To take only a couple of examples:

  • monitoring of employees’ activities (no. 8 on the BiH list) meets the criteria “systematic monitoring” and “data concerning vulnerable data subjects” from the Guidelines (WP 248); and
  • large-scale processing of special categories of personal data or personal data relating to criminal responsibility or responsibility for small offences (no. 5 on the BiH list) meets the criteria “sensitive data or data of a highly personal nature” and “data processed on a large scale” from the Guidelines (WP 248).

With respect to the two processing activities from the BiH list that do not by themselves meet two or more of the criteria from the Guidelines (WP 248), the decision of the BiH Agency explicitly states that, for those activities to trigger the obligation to carry out a DPIA, an additional criterion from the Guidelines (WP 248) must be met. This requirement of an additional criterion applies to the processing of biometric data (no. 10 on the BiH list) and the processing of genetic data (no. 11).

Types of processing requiring DPIA, of particular relevance for businesses in BiH

For commercial entities in Bosnia and Herzegovina, the types of processing from the BiH Agency’s list that will most often require carrying out a DPIA are probably the monitoring of employees’ activities (no. 8 on the list) and data matching (no. 9), the latter in the context of background checks for recruitment purposes.

The wording in the decision of the BiH Agency concerning the monitoring of employees’ activities is “the processing of personal data of employees by employers using applications or systems for monitoring their work, movement, communication, etc.” This can cover anything from the monitoring of email and internet usage, the use of GPS systems in employees’ trucks, and the use of CCTV to combat theft and fraud, to the use of cyber surveillance devices to detect information leaks and to verify access.

As far as data matching is concerned, the document of the BiH Agency states that linking, comparing, or cross-checking personal data from multiple sources are data processing activities requiring a DPIA. That type of processing occurs, for example, when companies carry out background checks for recruitment purposes.

Local specificities concerning sensitive data and children’s data

In the EU member states or non-EU countries that base their data protection laws on the GDPR, certain types of processing activities are included in the national DPIA lists with certain variations that reflect the local preferences. The list created by the BiH Agency also offers some limited local flavour, concerning the processing of special categories of personal data and the processing of personal data of children and minors.

Typically, in other European countries, the processing of special categories of personal data triggers the obligation to conduct a DPIA if the processing is carried out on a large scale (Romania, Italy, Serbia) or special category data are systematically exchanged between several data controllers (Belgium, the Netherlands). The decision by the BiH Agency includes large-scale processing of special category data in the list (no. 5 on the BiH list), but it also requires a DPIA if special category data are processed for the purpose of profiling or automatic decision-making (no. 3 on the list). In that regard, Bosnia and Herzegovina has taken the same path as Croatia, where the obligation to carry out a DPIA also depends on both the purpose and the volume of the processing of special categories of personal data.

The processing of personal data of children and minors (no. 2 on the BiH list) requires a DPIA when the processing is carried out for the purpose of profiling or automated decision-making or for marketing purposes. In Croatia, as well as in the United Kingdom and Serbia (two non-EU countries in which data protection laws are based on the GDPR), the lists of DPIA-triggering activities also include that type of processing. In certain EU member states, data protection authorities typically include children and minors in the broader category of “vulnerable persons” and require a DPIA when the processing of their personal data is carried out on a large scale (Romania), or “non-occasionally” (Italy).

Some types of processing that are often found in EU member states’ lists, but are absent from the list in Bosnia and Herzegovina, include:

  • use of a joint whistleblowing system in which employees within the same group of companies may report misconduct at the workplace;
  • processing that prevents data subjects from exercising a right or using a service or contract; and
  • processing of personal data of asylum seekers, elderly persons, or persons with disabilities, when carried out on a non-occasional basis.

The list

The following types of processing activities are included in the list of the BiH Agency:

  1. Processing of personal data for the purposes of systematic and extensive profiling or automated decision-making.
  2. Processing of personal data of children and minors for the purposes of profiling or automated decision-making or for marketing purposes.
  3. Processing of special categories of personal data for the purposes of profiling or automated decision-making.
  4. Processing of personal data collected from third parties that is taken into consideration for making decisions related to the conclusion, termination, rejection, or extension of a service provision contract with data subjects.
  5. Large-scale processing of special categories of personal data or personal data relating to criminal responsibility or responsibility for small offences.
  6. Processing of personal data through large-scale systematic monitoring of publicly accessible areas.
  7. The use of new technologies or technological solutions for the processing of personal data or with the capability to process personal data.
  8. Processing of biometric data for the purpose of unique identification of employees or processing employees’ personal data with the use of applications or systems for monitoring employee activities.
  9. Processing of personal data by linking, comparing, or cross-checking from multiple sources.
  10. Processing of biometric data when at least one additional criterion from the Guidelines on Data Protection Impact Assessment (WP 248 rev. 01) is fulfilled.
  11. Processing of genetic data when at least one additional criterion from the Guidelines on Data Protection Impact Assessment (WP 248 rev. 01) is fulfilled.