February 2024

1. Governing Texts

From May 25, 2018, the overall concept of personal data protection in the Republic of Croatia is regulated by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the General Data Protection Regulation Implementation Act 2018 (available only in Croatian here) ('the Act'), which in effect represents a new and stronger mechanism for personal data protection. While most provisions and rules for data protection are found in the GDPR and the Act, there are other national statutes and bylaws which prescribe specific rules for data processing and use. Some of those separate and specific rules are also mentioned below.

1.1. Key acts, regulations, directives, bills

The GDPR entered into force on May 25, 2018, throughout the European Union. On the same date, the Act also entered into force and applied to the Republic of Croatia, repealing the previous Personal Data Protection Act of 2003.

The material scope of the Act is the same as the GDPR (see section on scope of application below). The Act ensures the implementation of the GDPR in Croatia and sets out additional rules (Chapter IV of the Act) on the processing of personal data in the following specific circumstances:

• children's consent in relation to information society services (see section on children's data below);
• processing of genetic data (see section on special categories of personal data below);
• processing of biometric data (see section on special categories of personal data below);
• processing of personal data in connection with video surveillance (see section on legal bases in other instances below); and
• processing of personal data for statistical purposes (see section on legal bases in other instances below).

1.2. Guidelines

The Personal Data Protection Agency ('AZOP') issues and publishes data protection guidance (only available in Croatian here).

In addition, the AZOP has published numerous additional opinions, recommendations, and clarifications on specific data processing issues and provided useful links to guidelines issued by the European Data Protection Board ('EDPB') (all available on the AZOP's official website in Croatian).

1.3. Case law

The AZOP exercises its powers either ex officio or at the request of a data subject. The AZOP renders administrative decisions against which an administrative dispute may be initiated before the competent Administrative Court. In Croatia, judicial supervision of the AZOP's decisions are available via Administrative Courts. So far, there have been no noteworthy cases publicized by Administrative Courts. Privacy violations, including personal data processing violations, may also give rise to civil and criminal proceedings. Currently, case law is not consistently publicized, but rather a selection of noteworthy court judgments from time to time. Thus, below, we mention only several court cases publicized in the relevant field.

The County Court in Pula decided that video surveillance of public areas by a private video camera is not contrary to the GDPR and the Act.

The Administrative Court in Rijeka determined that the Ministry of the Interior did not violate the right to the protection of personal data when it was obtained from a driver's doctor and processed the data necessary for the performance of a task of public interest in compliance with Article 6(1)(c) and (e) of the GDPR, as long as the disclosure of a medical secret is permitted under the Medical Practice Act (only available in Croatian here).

A judgment of the Municipal Court in Bjelovar rendered in a criminal proceeding in August 2018 highlighted that unlawful use of personal data is a criminal offense under the Croatian Criminal Code (only available in Croatian here) ('the Criminal Code'). It derives from the description of the judgment that a natural person reported a competent authority for unlawfully processing their personal data without their written consent striving to avoid a fine for a traffic offence. The court clarified that the purpose of the GDPR is to protect individuals from unlawful processing of their personal data for marketing, economic, political, or any other purposes, but not to enable individuals to try evading liability under statutory law.

The County Court in Varaždin decided that entry of the recordation of legal guardianship (name, surname, personal identification number, and address) in the publicly available land registry is not contrary to GDPR because it is based on the Croatian Family Law (only available in Croatian here). Pseudonymization of such personal data is not allowed.

2. Scope of Application

2.1. Personal scope

The Act does not deviate from the GDPR. The Act specifies the scope of application in the following specific circumstances (Chapter IV of the Act):

• children's consent in relation to information society services: applies to children with residency in Croatia;
• processing of genetic data: applies to data subjects who conclude life-insurance agreements and agreements with life-expectancy clauses on the territory of Croatia, provided that the data is processed by a controller with a registered seat in Croatia or by a controller who provides its services on the Croatian territory; and
• processing of biometric data: applies to data subjects in Croatia provided that the data is processed by either the controller with a registered seat in Croatia or the controller who provides its services on the Croatian territory or public authority.

2.2. Territorial scope

Please refer to the above section on personal scope

2.3. Material scope

The material scope of the Act is the same as the GDPR, meaning it does not apply to the processing of personal data by the competent authorities in the context of criminal prosecution or in the area of national security and defense. The Act, inter alia, determines the competence and organization of the national regulatory authority, the AZOP, as well as additional fines that may be imposed for non-compliance with the GDPR in Croatia.

More importantly, Chapter IV of the Act sets out additional rules on the processing of personal data in the following specific circumstances:

• children's consent in relation to information society services (see section on children's data below);
• processing of genetic data (see section on special categories of personal data below);
• processing of biometric data (see section on special categories of personal data below);
• processing of personal data in connection with video surveillance (see section on legal bases in other instances below); and
• processing of personal data for statistical purposes (see section on legal bases in other instances below).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator for data protection is the AZOP. The AZOP was established in 2004 under the previous legislation as an independent legal entity with public authorities. Under the transitional and final provisions of the Act, the AZOP remains the national regulator and has become a public authority, while its employees have become civil servants. The AZOP is seated in Zagreb. It is accountable to the Croatian Parliament.

3.2. Main powers, duties and responsibilities

The AZOP's powers derive directly from Articles 57, 58, and 83 of the GDPR, while Article 6 of the Act further specifies the AZOP's powers and responsibilities. The list of the AZOP's responsibilities is open and includes, without limitation, the following activities:

• instigation and participation in criminal, misdemeanor, administrative, and other court or out-of-court proceedings for breach of the GDPR and the Act;
• adoption of the criteria for determining the administrative fees;
• publication of individual decisions and opinions;
• instigating and conducting proceedings for breach of the GDPR;
• performing activities of the national regulator under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680); and
• performing other activities prescribed by law.

In exercising its powers, the AZOP is authorized to perform announced or unannounced supervision subject to an order issued by the Director of the AZOP. The AZOP's authorized personnel may make copies of pertinent documentation or records, temporarily seize, and/or seal filing systems or equipment for a period of up to 15 days. The AZOP makes an official protocol (minutes) of supervision against which an objection can be lodged.

Finally, on requests of natural persons or legal entities, the AZOP renders official opinions in the area of data protection within a maximum of 60 days upon the receipt of requests. The AZOP may charge a fee for its opinion if requested by a commercial entity (e.g., a law firm, a professional consultant, etc.) in connection with the performance of its business activities or if it incurs administrative costs.

4. Key Definitions

Data controller: No national variation, GDPR applies.

Data processor: No national variation, GDPR applies.

Personal data: No national variation, GDPR applies.

Sensitive data: No national variation, GDPR applies.

Health data: No national variation, GDPR applies.

Biometric data: No national variation, GDPR applies.

Pseudonymization: No national variation, GDPR applies.

5. Legal Bases

Article 6 of the GDPR prescribes the legal bases for the lawfulness of processing of personal data. The Act does not vary from the provisions of the GDPR.

It is noteworthy that the data controller cannot change the legal base for data processing once the data is collected. For example, it is not allowed to subsequently use the legitimate interest legal base for processing if there have been problems with the validity of the consent. Due to the mandatory indication of the legal base referred to by the controller at the time of the collection of personal data, the controller must decide before collection which legal base it will apply.

The AZOP has issued and published several opinions in relation to the legal bases and their interpretation, which are elaborated in sections on consent and legitimate interests of the data controller below.

5.1. Consent

The Act does not vary from the GDPR. However, the processing of employees' personal data cannot be based on consent. The AZOP is of the opinion that due to the fact that an employee is dependent on their employer, the consent, therefore, cannot be voluntary. The processing of personal data can primarily be based on the employment contract or on the obligation to perform legal obligations of the data controller (employer) prescribed by special legislation such as the Labour Law (Official Gazette, No. 93/14, 127/17, 98/19) (only available in Croatian here) ('the Labor Law'), the Pension Insurance Act (Official Gazette 102/98) (only available in Croatian here), etc.)

The Act also prescribes that the data subject's consent cannot override the prohibition of processing genetic data for the purpose of calculating the appearance of the disease and other health aspects for the execution of life insurance contracts and contracts with life-expectancy clauses.

5.2. Contract with the data subject

The Act does not vary from the GDPR. The AZOP provided its opinion that the consent of the data subject is not required if personal data are collected and processed for the purposes of performing the contract or fulfilling the legal obligations of the controller. However, if the data of such customer/contractual party are not necessary for the execution of the contract or are used for other purposes (e.g., direct marketing), then the data processing must be based on other legal bases.

5.3. Legal obligations

The Act does not vary from the GDPR.

There are several legislations prescribing legal obligation of data controllers to collect and process personal data. For example, the Labor Law and the Act on Anti-Money Laundering and Terrorism Financing (available only in Croatian here) ('the AML Act') prescribe when and how personal data may be collected:

• Personal data of employees may be collected, processed, used, and provided to third parties only if it is so prescribed by the Labor Law or another statute or if it is necessary for the exercise of rights and performance of obligations arising from or in connection with the employment relationship. If the personal data need to be collected, processed, used, or provided to third parties in order to exercise rights and perform obligations arising from or in connection with the employment relationship, the employer must determine in advance which data it will collect, process, use, or provided to third parties in the labor bylaws. An approval by the working council is required. Further, an employer employing at least 20 employees must appoint a person enjoying the trust of the employees who will be authorized to supervise whether employee personal data are collected, processed, used, and provided to third parties in compliance with the applicable laws and regulations.
• The AML Act prescribes what personal data must be collected, processed, and used by entities such as, among other, banks. The collection and processing of personal data by the bank as the data controllers is allowed for the purpose of fulfilling their legal obligations in providing services. The citizens have the right to be informed and request information regarding the processing of their personal data and to exercise their rights under the GDPR. The AZOP is of the opinion that if the bank has a justifiable reason for which it is obliged to unequivocally establish the identity of the client and collect a range of data that is commensurate with the purpose of processing.

5.4. Interests of the data subject

The Act does not vary from the GDPR.

5.5. Public interest

The Act does not vary from the GDPR.

5.6. Legitimate interests of the data controller

The Act does not vary from the GDPR.

The AZOP provided its opinion that the existence of a legitimate interest requires a careful assessment, inter alia, of whether the data subject can reasonably expect processing for the purpose in question at the time and in the context of the collection of personal data. The interests and fundamental rights of data subjects can outweigh the legitimate interests of the controller if personal data are processed in circumstances where data subjects do not reasonably expect further processing.

5.7. Legal bases in other instances

Direct marketing

The Electronic Communications Act (available only in Croatian here) ('the ECA') stipulates that the use of automatic calling and communication systems without human mediation, fax machines, or email, including SMS and MMS messages, for the purpose of direct promotion and sale is allowed only with the prior consent of the subscriber or service users. A natural person or legal entity may use information on email addresses, which it has obtained from its consumers for the purpose of selling products and services, for direct promotion and sale of their own similar products or services, provided that those consumers have a clear and unequivocal possibility of a free and simple objection to such use of data on email addresses on the occasion of their collection and on receipt of each electronic message, in case the consumer has not refused such use of the data in advance. The cited provisions do not apply to invitations to legal entities for the purpose of direct promotion and sale.

Further, with regard to the processing of personal data for the purpose of marketing by telephone, the Consumer Protection Act (available only in Croatian here) prohibits making calls and/or sending messages by telephone to consumers who have registered that they do not want to receive calls and/or messages as part of advertising and/or sales by telephone. The said register is kept at the Croatian Regulatory Authority for Network Industries ('HAKOM').

Processing for scientific or historical research purposes

The national rules on archiving in the public interest are prescribed in the Archive Materials and Archives Act 2018 (available only in Croatian here) ('the Archives Act'). Personal data contained in public archive material will be made available for use in 100 years from the birth of a person or after a person's death. If the date of a person's birth or death is unknown or unreasonably hard or costly to determine, the materials will be made available for use in 70 years from the date of their creation. If archive materials are granted for use prior to the abovementioned term, the competent state archive will take technical measures to conceal the identity (anonymize) of the data subject, while the user will sign a statement that they will not disclose the identity of a person, even if it will be known to them based on available data.

Additional provisions on the processing of personal data for statistical purposes are contained in the Act. Personal data may be collected and processed for statistical purposes in accordance with a special statute. The bodies performing official statistical analyzes are not obligated to grant data subjects the rights to access their personal data, to have their data corrected, to restrict the processing of their personal data, or to object to such processing. This restriction is envisaged to provide for the conditions necessary to fulfill the purpose of official statistics, to the extent it is probable that the execution of said rights would hinder the purpose of statistical analyses and its results. Further, controllers are not obligated to inform individuals about the transfer of their personal data to competent bodies for statistical purposes.

To ensure the protection of personal data collected for statistical purposes, the competent bodies must implement technical and organizational measures for the protection of personal data, and the processed information may not enable the identification of any individual.

The Act contains no provisions on the processing of personal data for scientific and historical research purposes.

Video surveillance

The Act contains extensive provisions on the processing of personal data by means of video surveillance. Video surveillance is permitted only if it is necessary and reasonable for the protection of persons and property, to the extent that the interests of data subjects do not override the interests for the data processing.

The controller must properly designate the premises under video surveillance at least at the entrance into the camera's field of view. Only authorized personnel of the controller or processor may be allowed access to personal data processed by means of video surveillance. The controller and the processor must establish an automatic record system of who accessed the recordings and when. The recordings may be stored for no longer than six months, unless a longer retention period is prescribed by statutory law or used as evidence in a court or another proceeding.

Specifically, the Ministry of the Interior is authorized to record citizens (cars) by video surveillance for the purpose of determining road traffic misdemeanor offenses made on public roads. This authorization and legal basis are provided in the Croatian Road Traffic Security Act (available only in Croatian here).

Finally, the processing of employee personal data, including video surveillance in a workplace, is additionally regulated by the applicable labor laws and regulations.

6. Principles

The principles specified under the GDPR apply.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no general notification, registration, or fee payment requirement under the Act. Controllers must notify the AZOP of their appointed DPOs. The AZOP published a recommended reporting form (available only in Croatian here) and maintains a non-public register of DPOs. The AZOP may assess fees for its services as elaborated upon in the section on main powers, duties, and responsibilities above.

7.2. Data transfers

Provisions on data transfers specified in the GDPR apply.

7.3. Data processing records

Provisions specified on data processing records in the GDPR apply.

Bylaw on the Content and Manner of Keeping Records on Employees (available only in Croatian here) ('the Bylaw') prescribes the scope of personal data that the employer must collect for the purpose of keeping records of employees. The records are kept for the entire duration of employment and at least six years after its termination.

7.4. Data protection impact assessment

Pursuant to Article 35(4) of the GDPR, in December 2018, the AZOP adopted the Decision on Determining and Publicising a List of the Kind of Processing Operations which are Subject to the Requirement for a Data Protection Impact Assessment (available only in Croatian here) ('the Croatia Blacklist').

The Croatia Blacklist prescribes circumstances in which a Data Protection Impact Assessment ('DPIA') is necessary, taking into account the Article 29 Working Party's ('WP29') Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 ('the WP29 DPIA Guidelines') and the EDPB's Opinion 25/2018 on the Draft List of the Competent Supervisory Authority of Croatia Regarding The Processing Operations Subject to the Requirement of a Data Protection Impact Assessment.

Pursuant to the Croatia Blacklist, besides the cases prescribed in Article 35(3) of the GDPR, a DPIA is also compulsory in the processing of personal data in the following cases:

• processing of personal data for systematic and extensive profiling or automated decision-making to bring conclusions that are of significant influence or may affect an individual and/or several persons, or that help decide about someone's access to a service or convenience (e.g., such as personal data processing related to economic or financial status, health, personal preferences, interests, reliability, behavior, location data, etc.);
• processing of special categories of personal data for profiling or automated decision-making;
• processing of personal data of children for profiling or automated decision-making, for marketing purposes, or for direct offering of services intended for them;
• processing of personal data collected from third parties that are considered for making decisions regarding the conclusion, termination, rejection, or extension of service contracts with natural persons;
• processing of special categories of personal data or personal data on criminal or misdemeanor liability on a large scale;
• processing of personal data by using systematic monitoring of publicly available places on a large scale;
• use of new technologies or technological solutions for personal data processing or with an option of personal data processing (e.g., the application of the Internet of Things such as smart TVs, smart home appliances, smart toys, smart cities, smart energy meters, etc.) that serve to analyze or predict the economic situation, health, personal preferences or interests, reliability or behavior, location or movement of natural persons;
• processing of biometric data in combination with any of the other criteria set out in the WP29 DPIA Guidelines used to evaluate whether certain processing operations are likely to cause a high risk to the rights and freedoms of the data subjects;
• processing of genetic data in combination with any of the other criteria set out in the WP29 DPIA Guidelines used to evaluate whether certain processing operations are likely to cause a high risk to the rights and freedoms of the data subjects;
• processing of personal data by linking, comparing, or verifying their matching by using multiple sources;
• processing of personal data in a manner that involves monitoring of the location or behavior of an individual in case of systematic processing of communication data (metadata) generated by the use of a telephone, the internet, or other communication channels such as GSM, GPS, Wi-Fi, monitoring or processing of location data;
• processing of personal data by means of devices and technologies where an incident may put at risk the health of an individual or more persons; and
• processing of employee personal information by means of applications or monitoring systems (e.g., processing of personal data for monitoring of work, movement, communication, etc.).

The AZOP emphasizes that the above list does not diminish the general obligation of controllers to perform appropriate risk assessments and risk management. Further, the performance of a DPIA does not relieve controllers of the obligation to comply with other obligations under the GDPR or other applicable laws and regulations, whether EU or national. The list is not exhaustive and is subject to amendments depending on additional processing risks observed or incurred.

If the risk can be adequately reduced by appropriate technical and organizational measures, no prior consultation with the AZOP is necessary.

So far, the AZOP has not published a so-called 'whitelist,' meaning a decision on activities that are not subject to prior consultation with or authorization by the AZOP.

Method

The AZOP has published the Q&A on conducting a DPIA (only available in Croatian here) ('the Q&A'), which notes that, while there are different methodologies to conduct a DPIA, the methodology should assess the risks while allowing the taking of measures to mitigate said risks. In addition, the Q&A outlines the steps to be included in the DPIA, namely (Question 16 of the Q&A):

• a systematic description of the envisaged processing operations and the purposes behind the processing;
• an assessment of the necessity and proportionality of said processing procedures;
• an assessment of the risks to the rights and freedoms of data subjects; and
• measures for mitigating risks and demonstrating compliance with the GDPR.

In addition, the AZOP has also published Guidance on DPIAs (only available in Croatian here) and provided a template for conducting a DPIA (only available to download in Croatian here).

7.5. Data Protection Officer appointment

The Act contains no additional provisions on DPOs and their appointment, role, or tasks beyond the GDPR. Notably, the AZOP has a web form that can be used to send details on DPOs (only available in Croatian here).

In particular, Article 37 of the GDPR provides for situations in which controllers and processors must designate a DPO. As envisaged in Article 37(5) of the GDPR, the DPO may be a staff member of the controller or processor or fulfill the tasks on the basis of a service contract.

According to the AZOP, it is up to the controller and the processor to independently assess who will be appointed as DPO and where the DPO will be located. It is recommended that the DPO is situated in the EU. The DPO is appointed based on their qualifications, especially their knowledge of law and practice in relation to data protection. The GDPR, however, does not envisage any special qualification or degree that DPOs must have. Therefore, the DPO can be a person who is not a qualified lawyer. Apart from providing services as DPO, unauthorized provision of legal aid for a fee is a criminal offense in Croatia, punishable by imprisonment for six months. In our opinion, it is not permitted for persons who are not qualified lawyers to carry out the tasks of a DPO (if not appointed as DPO) that are considered legal aid.

Moreover, the AZOP has issued the following guidance in relation to appointing DPOs:

• Appointment of DPO guidance (only available in Croatian here);
• WP29 Guidance on the appointment of the DPO (available in Croatian here);
• Webpage on the appointment of the DPO (only available in Croatian here)
• Guidance on obligations of the DPO (only available in Croatian here); and
• Frequently Asked Questions on DPO (only available in Croatia here).

7.6. Data breach notification

Controllers must report data breaches to the AZOP pursuant to Article 33 of the GDPR. There are no derogations in the Act. The AZOP has published a recommended reporting form (available only in Croatian here). For urgency reasons, the AZOP also allows for reporting a breach in English, with an obligation to submit a Croatian translation as soon as possible.

There are certain sectoral obligations as well. Pursuant to the ECA, an operator of publicly available electronic communication services must notify HAKOM and the AZOP of a data breach without delay. The notification must contain a description of the consequences of the breach and the measures proposed or taken to eliminate its cause. If the breach is likely to adversely affect the personal data or privacy of service users or other natural persons, the operator must notify such persons of the breach without delay.

7.7. Data retention

The Act does not specify the timeframe nor the exemptions for retaining data.

The Bylaw prescribes the scope of personal data that the employer must collect for the purpose of keeping records of employees. The records are kept for the entire duration of employment and at least six years after its termination.

7.8. Children's data

The Act prescribes that a child's consent in relation to information society services is valid if the child is at least 16 years of age. This provision applies to children who are Croatian residents. If a child is under 16, the consent of their legal guardian (meaning, the holder of parental responsibility) must be obtained in compliance with the GDPR.

7.9. Special categories of personal data

Section IV of the Act contains the following national derogations regarding the processing of genetic and biometric personal data. The Act prohibits the processing of genetic data for the purposes of calculating a risk of illnesses and other health aspects pertaining to the data subject in connection with life insurance or other contracts containing life expectancy clauses. This prohibition cannot be overridden by the data subject's consent. The prohibition applies to the data subjects concluding such contracts in Croatia if the controller is established or provides its services in Croatia. The Act provides for additional restrictions regarding the processing of biometric data, whether in the public or private sector. Its provisions neither affect the DPIA obligation under Article 35 of the GDPR nor apply to the processing of biometric data for national security, defense, and intelligence.

In relation to the public sector, a public authority may process biometric data if it is prescribed by statutory law and necessary for the protection of persons, property, classified data, or business secrets, provided that the interests of data subjects do not override the interests for the processing of their biometric data. It is presumed that the processing of biometric data is compliant if it is necessary to meet the obligations under international agreements in connection with the identification of persons crossing national borders.

In the private sector, biometric data may be processed solely if it is prescribed by statutory law and necessary for the protection of persons, property, classified data, business secrets, or for individual and safe identification of service users, provided that the interests of data subjects do not override the interests for the processing of biometric data. The processing of biometric data for the safe identification of service users may be based solely on the express consent of such data subjects in compliance with the GDPR. Further, employee biometric data may be processed for the purpose of keeping a record of working hours or entrance to and exit from the place of work, provided that it is prescribed by statutory law, or if an alternative manner of keeping such a record is available and subject to the express consent of data subjects in compliance with the GDPR.

In relation to criminal conviction data, there are no derogations in the Act, while the national Act on Legal Consequences of a Conviction, Criminal Records, and Rehabilitation 2012 (available only in Croatian here) ('ACLC') has not been amended since the GDPR entered into force, meaning its provisions have not been harmonized with the GDPR. It prescribes, inter alia, that criminal records are maintained by the Ministry of Justice and Administration, except for juvenile convicts, which are maintained by the Ministry of Demography, Family, Youth, and Social Policy. Direct access to criminal records is provided to courts and the State Attorney's Office, as well as the police, for the prevention, detection, and prosecution of criminal offenses, subject to the provisions of the ACLC.

7.10. Controller and processor contracts

Provisions specified in the GDPR apply.

8. Data Subject Rights

8.1. Right to be informed

Provisions on the right to be informed specified in the GDPR apply.

8.2. Right to access

Within the processing of personal data for the purpose of producing official statistics, it is not obligatory for the entities performing official statistics to provide the data subjects with the right to access their personal data, the right to rectify their personal data, and the right to limit their personal data processing. These derogations are allowed to ensure the conditions necessary to achieve official statistics, but only to the extent that such rights would likely impede or seriously jeopardize the achievement of those purposes and to the extent that such derogations are strictly necessary to achieve those purposes.

8.3. Right to rectification

Please refer to the section on the right to access above.

8.4. Right to erasure

Please refer to the section on the right to access above.

8.5. Right to object/opt-out

No national variation, the GDPR applies.

8.6. Right to data portability

No national variation, the GDPR applies.

8.7. Right not to be subject to automated decision-making

No national variation, the GDPR applies.

8.8. Other rights

No national variation, the GDPR applies.

9. Penalties

Pursuant to Article 83 of the GDPR, the Act prescribes that the AZOP must impose administrative fines for breaches of the GDPR and/or the Act. Administrative fines may not be imposed on governmental authorities. This exemption does not extend to legal entities with public powers or those providing public services, which may be fined, but the amount of the fines imposed on such legal entities may not jeopardize the performance of their public powers or public services. The AZOP imposes an administrative fee by a formal decision, whereby the amount of the fine and the manner of its payment must be determined. The AZOP's decision may not be appealed, but rather an administrative dispute may be initiated before the competent administrative court. The administrative fines are paid for the benefit of the state budget.

The AZOP's final decisions must be published on its official website without anonymization of the offender's data if a decision is rendered for a breach of the GDPR or the Act in connection with the processing of personal data of children or special categories of personal data, or automatic decision-making or profiling, or in case of a repeated offender, or if the decision imposes an administrative fine higher than €13,272.28. Besides the administrative fines prescribed in the GDPR, the Act prescribes an additional administrative fine against controllers and processors for violations of its provisions on video surveillance in the amount of €6,636.14.

As mentioned above, under the Criminal Code, unlawful storage, processing, and use of personal data is a criminal offense punishable by imprisonment of up to one year. Furthermore, the perpetrator may be punished by imprisonment for up to three years:

• if the criminal offense was committed against a child;
• for the processing of special categories of personal data or criminal or misdemeanor conviction data;
• if the criminal offense was committed with the aim of obtaining a substantial illicit gain or causing significant damage;
• if personal data was unlawfully transferred outside Croatia for further processing; or
• if personal data was published or otherwise made available to third persons.

Finally, if the criminal offense is committed by a civil servant in the performance of their service or by a responsible person in the performance of a public service, they may be sentenced to imprisonment for a term ranging from six months to five years.

9.1 Enforcement decisions

In 2023, the AZOP published information on several cases in which an administrative fine was imposed due to unlawful processing of personal data. The AZOP has not yet published any decisions in their entirety, but to keep the public informed, they have published a short description of noteworthy decisions and fines in 2023.

In March, the AZOP issued a fine of €20 million against a controller, a telecommunications company, for unlawfully retaining a former customer's personal data after the end of the customer's contract. The controller informed the data subject about a personal data breach, due to a security incident, even though the data subject was not a customer of the data controller for more than 10 years. The AZOP stated that the controller failed to maintain up-to-date and accurate data and retained the personal data longer than 12 months after the termination of the contractual relationship in violation of Article 6(1) of the GDPR.

In May, the AZOP issued an administrative fine of approx. €2.26 million against a controller, a debt collection agency, for three violations of the GDPR: not informing the data subjects about the processing and legal basis as required by Article 13(1) of the GDPR; not concluding a data processing agreement with the processor for handling the data of 88,896 data subjects, and not implementing appropriate technical and organizational measures for the processing of the data of at least 132,652 data subjects, including financial data.

In September, a publicly owned company that offers municipal services was fined €25,000 for not implementing any internal procedures for handling customer data, which resulted in excessive and unlawful processing, contrary to Article 25(2) of the GDPR. The company requested a copy of an ID card before issuing a copy of an invoice to the customer, due to the structure of their e-mail address, which was contrary to the company's previous practice. The AZOP noted that the controller should have worked out the business processes of identification via electronic mail in a way that would ensure that the process of identifying service users is the same for all users, regardless of the structure of the e-mail. The company also failed to inform the data subjects about the legal basis of the processing and the data retention period, in violation of Articles 13(1)(c) and 13(2)(a) and (e) of the GDPR.

Additionally, two data controllers, companies that offer gambling and betting services, were fined €20 million and €30 million for unlawful processing of personal data via cookies on their websites. The cookie banners on the controllers' websites did not collect valid consents, and there was no adequate information about the processing of personal data via cookies. The AZOP found that, in this case, Articles 6(1), 7, 13(1) and 13(2) were violated.

Another controller, a company that manages a hotel, was fined €15 million due to multiple violations of the GDPR in the context of data processing via an online booking system. The AZOP found that the controller processed the personal data of the data subject, a hotel guest, excessively when collecting the security number of the bank card (CVC number), as well as requiring copies of personal documents when booking hotel accommodation via the hotel's online form and by e-mail. The hotel had no obligation to collect the CVC number from the bank card of the persons who made a reservation, considering that the reservation was possible without submitting the relevant data, contrary to Article 6(1). Further, the AZOP held that the controller failed to adopt appropriate technical and organizational measures to ensure an adequate level of security of processing. Among others, the controller did not encrypt the collected personal data nor was any process implemented for regular testing, evaluation, and assessment of the effectiveness of technical and organizational measures, which violated Article 32(1)(a) and (d), as well as 32(4) of the GDPR. While reviewing the controller's policies, the AZOP found that Articles 13(1) and (2) were not respected since the policies did not provide clear, complete, and accurate information about the processing.

In this case, the AZOP also found that there was a conflict of interest in the appointment of the Data Protection Officer (DPO), in violation of Article 38(6) of the GDPR. The AZOP deemed that the controller had to be aware that there was a conflict of interest of the DPO in relation to the tasks and duties he performs. From the job description of the hotel manager, the role is largely responsible for making management decisions at the level of personal data processing, while on the other hand, as a DPO, he is obliged to monitor the compliance of the business in the processing of personal data with the regulations governing the protection of personal data.

In October, the AZOP issued an administrative fine of €5.47 million against another debt collecting agency, stating multiple violations of the GDPR. The AZOP initiated the process after receiving a USB stick containing the personal data of 181,641 natural persons who had outstanding debt, which was purchased by the controller. After concluding their supervisory activities, the AZOP deemed that the controller:

• did not implement appropriate technical measures in order to protect the personal data that was being processed in their system, violating Article 32(1)(b) of the GDPR;
• processed personal data of data subjects that were not debtors and for which data there was no legal basis for processing, in violation of Article 6(1) of the GDPR;
• processed special category data: health data, without any legal basis from Article 6(1) in connection with Article 9(2) of the GDPR;
• did not inform the data subjects in a transparent and clear manner about the processing of their health data in their privacy policies, contrary to Articles 12(1) and 13(1) and (2) of the GDPR;
• did not have a legal basis for data processing that was carried out by recording telephone conversations with data subjects in the period from May 25, 2018, up to January 16, 2019, contrary to Articles 6(1) and 5(2) of the GDPR; and
• did not inform the data subjects in an understandable and clear manner about the processing of personal data by recording telephone conversations, contrary to Article 12 (1).

This is the biggest fine imposed by the DPA to date.