Question 1

What is a GDPR readiness assessment?

Accepted Answer

A GDPR readiness assessment evaluates how well your organisation meets the requirements of the General Data Protection Regulation (EU 2016/679). It identifies gaps across key areas such as legal basis for processing, consent management, data subject rights, breach notification, and accountability — helping you prioritise remediation before a supervisory authority inspection.

Question 2

Who needs to comply with GDPR?

Accepted Answer

GDPR applies to any organisation that processes personal data of individuals in the EU, regardless of where the organisation is based. This includes companies, non-profits, and public bodies. If you collect names, emails, IP addresses, or any data that identifies a person in the EU, GDPR applies to you.

Question 3

What are the fines for GDPR non-compliance?

Accepted Answer

GDPR fines can reach up to €20 million or 4% of annual global turnover, whichever is higher. In Croatia, the supervisory authority AZOP has issued fines including €2.2 million to a debt collection company and €380,000 for unlawful video surveillance. Even smaller organisations face enforcement for basic violations like missing privacy notices or invalid consent.

Question 4

What is AZOP and how does it enforce GDPR in Croatia?

Accepted Answer

AZOP (Agencija za zaštitu osobnih podataka) is Croatia's data protection authority, responsible for supervising GDPR compliance. AZOP conducts inspections, handles data subject complaints, and issues corrective measures including fines. Their enforcement priorities include consent management, transparency obligations, and data breach notification — all areas covered by this assessment tool.

Question 5

How does this free GDPR assessment tool work?

Accepted Answer

Our GDPR assessment tool asks 15 weighted questions covering all major GDPR obligations — from legal basis and consent to breach notification and accountability. Each question is scored (Yes, Partial, No, or N/A) and weighted by enforcement risk. You receive a percentage score, compliance level rating, and prioritised gap analysis with references to real AZOP enforcement cases.

Question 6

Do I need a Data Protection Officer (DPO)?

Accepted Answer

Under GDPR Article 37, a DPO is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special categories of data (health, biometric, criminal records) on a large scale. Even when not legally required, appointing a DPO demonstrates accountability and can reduce enforcement risk.

Question 7

What is a Data Protection Impact Assessment (DPIA)?

Accepted Answer

A DPIA is required under GDPR Article 35 before processing that is likely to result in a high risk to individuals' rights and freedoms. This includes systematic profiling, large-scale processing of sensitive data, and public area monitoring. AZOP publishes a list of processing operations requiring a DPIA in Croatia. Failing to conduct a required DPIA is itself a GDPR violation subject to fines.

Question 8

How quickly must I report a data breach under GDPR?

Accepted Answer

Under GDPR Article 33, you must notify your supervisory authority (AZOP in Croatia) within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. If the breach poses a high risk, you must also notify affected individuals without undue delay (Article 34). Late or missing breach notifications are among the most common reasons for AZOP enforcement actions.

GDPR Readiness Assessment

Does your organization identify and document a lawful basis (consent, contract, legitimate interest, etc.) for every type of personal data processing?

Frequently Asked Questions About GDPR Compliance

GDPR Readiness Assessment

Does your organization identify and document a lawful basis (consent, contract, legitimate interest, etc.) for every type of personal data processing?

Frequently Asked Questions About GDPR Compliance