ILEJ & PARTNERS Law Firm LLC in cooperation with Karanović and Partners

 

What law(s) specifically govern personal data / information?

As Croatia is an EU member state, the General Data Protection Regulation (GDPR) is directly applicable. Furthermore, in Croatia the following acts apply to personal data: (i) Act on Implementation of the GDPR; (ii) Act on Data and Information in the Healthcare System; (iii) Act on Processing of Biometric Data.

 

What are the key data protection principles in this jurisdiction?

Key principles that apply to data processing in Croatia correspond to the key principles of data processing set out in the GDPR.

Lawful basis for processing

The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

  1. consent of the data subject for one or more specific purposes;
  2. contractual necessity;
  3. compliance with a legal obligation of the controller to perform the relevant processing;
  4. protection of the vital interests of the data subject or of another natural person;
  5. performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  6. legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

  1. explicit consent of the affected data subject;
  2. the processing is necessary in the context of employment or social security law; or
  3. the processing is necessary for the establishment, exercise or defence of legal claims.

Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation

Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for the processing of personal data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.

 

What is the supervisory authority / regulator in charge of data protection?

Croatian Personal Data Protection Agency (hereinafter: DPA)

 

Is there a requirement to register with a supervisory authority / regulator?

No registration is required for the collection or processing of personal data.

 

Is there a requirement to notify the supervisory authority / regulator?

No notification in relation to the processing of personal data is required; however, data protection officers (and their local liaisons) must be notified to the DPA.

 

Is it possible to register with / notify the supervisory authority / regulator online?

The notification of a data protection officer (or local liaison) can be made only by post or e-mail. A standardised form is available for notifying the DPA.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Rights that data subjects have in Croatia correspond to the rights of data subjects in the rest of the EU in accordance with the GDPR.

  • Right to information
    Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

  • Right of access
    A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data, as listed in Article 15 GDPR.

    Additionally, the data subject may request a copy of the personal data being processed.

  • Right to rectification of errors
    Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

  • Right to deletion/right to be forgotten
    Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the reasons listed in Article 17 GDPR applies.

  • Right to restriction of processing
    Data subjects have the right to request restriction of the processing of their personal data, which means that the data may only be processed for the limited purposes defined in Article 18 GDPR.

  • Right to data portability
    Data subjects have the right to receive a copy of their personal data in a commonly used machine-readable format, to transfer their personal data from one controller to another, or to have the data transmitted directly between controllers (Article 20 GDPR).

  • Right to object to processing
    Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or the legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or requires the data in order to establish, exercise or defend legal rights.

    Data subjects also have the right to object to the processing of their personal data for marketing purposes, including profiling.

  • Right to withdraw consent
    A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

  • Right to complain to the relevant data protection authority(ies)
    Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

  • Right not to be subject to automated individual decision-making
    Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling) which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

This is a summary only; there are qualifications and limitations to these rights which may be relevant.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements as to the position and its tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

Yes, in general, a data protection impact assessment is required where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

A data protection impact assessment is required in particular in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
  • a systematic monitoring of a publicly accessible area on a large scale.

 

Does this jurisdiction have any specific data breach notification requirements?

In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the DPA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the DPA is not made within 72 hours, it must be accompanied by reasons for the delay. The notification must at least:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subjects without undue delay. The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the same information as provided in the notification to the supervisory authority (listed in the bullets above).

The EDPB (European Data Protection Board) has issued guidelines on the data breach notification, detailing requirements for data breach notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).

 

What restrictions apply to the international transfer of personal data / information?

Transfer of personal data outside the EU/EEA is possible, under certain conditions in accordance with the GDPR.

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; and Uruguay. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.

For transfers to a country that is not covered by an adequacy decision, the best approach is often to rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission. The SCCs, which took effect from 27 June 2027, are available for the following transfers:

  • Module 1: controller to controller
  • Module 2: controller to processor
  • Module 3: processor to processor
  • Module 4: processor to controller

Other transfer safeguards can also be relied upon, such as the approved binding corporate rules, codes of conduct and certification mechanisms, and in certain specific situations further alternatives can be considered (such as data subject’s explicit consent, necessity for the establishment, exercise or defence of legal claims, or even an organisation’s compelling legitimate interests).

Alternatively, in the absence of an adequacy decision or appropriate safeguards, the transfer may be covered by one of the permitted derogations set out in Article 49 GDPR, such as the explicit consent of the data subject, the necessity of the transfer for the performance of a contract between the data subject and the controller concluded at the data subject's request or in the interest of the data subject, or the necessity of the transfer for the establishment, exercise or defence of legal claims.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes. The GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, if the processing activities are related to the offering of goods or services to those data subjects (irrespective of whether a payment by the data subject is required) or to the monitoring of their behaviour, as far as their behaviour takes place within the EU.

 

What rules specifically deal with marketing?

Croatia does not have any specific rules in addition to the ones regulated by the GDPR and EU Directive 2002/58/EC.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No. The relevant provisions are neutral as to the nature of the relationship; they apply, for example, whenever personal data is used in corporate e-mails.

The rules do not apply to emails sent for marketing purposes to generic email addresses (e.g. if a recipient is [email protected]).

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Croatia has implemented EU Directive 2002/58/EC in its Electronic Communications Act. Electronic marketing via automatic calling machines, fax or e-mail is permitted only if the subscriber has given prior consent. Where a natural or legal person obtains from its customers their electronic contact details for electronic mail (in the context of the sale of a product or a service), that natural or legal person may use these contact details for direct marketing of its own similar products or services, provided that the customer is clearly and distinctly given the opportunity to object, easily and free of charge, to such use of their electronic contact details at any time.

 

What rules specifically deal with cookies?

Cookies are governed by the Electronic Communications Act. The storage of data, or access to data already stored, in the terminal equipment of a subscriber or user is allowed only on condition that the subscriber or user has consented to this after being clearly and comprehensively informed of the controller and of the purposes of processing the data, in accordance with the law governing the protection of personal data. The user may express this consent by using the appropriate settings in a browser or other application.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Non-compliance with the GDPR can result in fines. The level of a fine varies depending on the infringement. Fines for the controller and the processor may be as high as EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, where the infringement concerns Articles 8, 11, 25 to 39, 42 and 43 GDPR.

Furthermore, if the controller or the processor infringes the rights given to data subjects by Articles 5 to 7, 9, 12 to 22 and 44 to 49 of the GDPR, violates any of the specific processing situations defined by national legislation or is non-compliant with an order or temporary limitation on processing or suspension of data flow by the DPA, a fine may be as high as EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Non-compliance with the Electronic Communications Act regarding the usage of cookies or with the rules on electronic marketing may result in a fine of up to HRK 1,000,000 (approx. EUR 132,720).

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

The Croatian Act on Implementation of the GDPR has introduced rules for certain specific data processing activities such as processing of genetic and biometric data, as well as video-surveillance, which should be taken into account where relevant.

Controllers and processors who are not established in the EEA are generally required under Article 27 of the GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

 

What upcoming data protection developments should multinational organisations be aware of?

The EU plans to enact a Regulation on Privacy and Electronic Communications that is to address the protection of the rights and freedoms of persons regarding the use of electronic communication services, in particular the rights to respect for private life and communications and the protection of natural persons with regard to the processing of personal data, with the objective of increasing trust in, and the security of, digital services. However, adoption of this new law could be delayed by a couple of years.

 

Need more information?
Contact a member firm:
Marjan Poljak
Ilej & Partners in cooperation with Karanovic & Partners
Croatia


Marko Ketler
Ilej & Partners in cooperation with Karanovic & Partners
Croatia