Introduction to Croatian personal data protection regime

Given that Croatia is a member state of the European Union, the main and primary legislative source for personal data protection in Croatia is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"). As such, the GDPR covers most of the relevant aspects of personal data protection. However, Croatia has also passed the GDPR Implementation Act (Zakon o provedbi Opće uredbe o zaštiti podataka, "Official Gazette" no. 42/18), which stipulates country-specific data protection provisions in accordance with the discretionary powers granted to EU Member States by the GDPR.

Some of the country-specific data protection provisions that we would like to draw your attention to are as follows:

  • Where consent is required for the lawful processing of personal data in relation to the offering of information society services directly to a child domiciled in Croatia, such consent shall only be valid if the child is at least 16 years of age;
  • Processing of genetic data for the purpose of calculating the likelihood of illnesses or other health aspects of data subjects in relation to concluding or executing health insurance contracts or contracts with life-expectancy clauses is strictly prohibited, regardless of the consent of the data subject, in cases where data subjects conclude such contracts in Croatia and the data controller is established in or offers such services in Croatia;
  • Processing of biometric data in the private sector is permitted only where expressly envisaged by law, or in cases where it is required for the protection of persons, assets, classified data, business secrets or for individual and definite identification of the users of services. Additionally, processing of biometric data of employees is permitted only for the purpose of recording working time and for entry/exit records to/from business premises, if such processing is stipulated by law or if it is used as an alternative manner of keeping working hours records and only under the condition that the employee gave their explicit consent;
  • Processing of personal data via video surveillance is permitted only where necessary and justified for the protection of persons and assets. To this end, data controllers must ensure that areas under video surveillance are adequately marked as being under such surveillance, with visible notices displaying the details of the controller as well as contact details for the exercise of the data subjects' rights.

The Croatian data protection supervisory authority is the Personal Data Protection Agency (AZOP). Until recently, AZOP had been more focused on education regarding GDPR obligations than on repressive supervision and the issuing of fines. Nevertheless, AZOP issued one of its first monetary fines for non-compliance with data subjects' requests for the right of access to their personal data (Article 15 of the GDPR), specifically concerning the obligation of a bank to disclose and provide, free of charge, copies of documentation related to loans issued to the requesting data subjects.

The bank in question argued that such documentation is subject to administrative fees in accordance with consumer credit provisions. AZOP decided otherwise and found that the bank's conduct was contrary to the GDPR: it is the right of the data subject to access such information, and access therefore cannot be made subject to fees, which represent a financial obstacle to exercising that right. After the bank initially failed to comply, AZOP finally decided to use its enforcement powers and fine the bank. The amount of the fine was not made publicly available; however, according to information available within the data protection community, it is estimated to have been between EUR 250,000 and 400,000.

Certain aspects of data privacy in specific areas are also enforced by other competent authorities. For example, the market regulator for electronic communications, the Croatian Regulatory Authority for Network Industries ("HAKOM"), is tasked with enforcing the rules on unsolicited communications as well as the use of cookies. Recently, HAKOM issued a decision confirming the position taken by the ECJ in Case C-673/17 regarding the standard of consent for the use of cookie technology. HAKOM holds that effective consent via cookie banners requires an unambiguous affirmative action, such as actively ticking a box confirming consent to the processing of personal data on the relevant website. Accordingly, cookie banners that assume consent from the user's continued browsing of a specific website are inadequate. In the same decision, a telecom provider was ordered to comply with these requirements under the threat of a potential monetary fine.

Questions regarding Croatian business law? We are happy to assist you with our partner:

Mladen Vukmir attorney at law