With the EU’s General Data Protection Regulation (GDPR) taking effect in 2018, privacy laws in Croatia have substantially changed to align with this new regulatory framework. This in-depth guide from Vision Compliance, a leading GDPR consultancy in Croatia and the broader region, examines how the GDPR applies within the Croatian legal context.

Overview of Key Data Protection Laws in Croatia

The Primary Laws

The main data protection law in Croatia is the GDPR itself, which became directly binding and applicable in Croatia upon its enactment on May 25, 2018.

To support implementation of the GDPR, Croatia also enacted the national General Data Protection Regulation Implementation Act 2018. This legislation helps integrate the GDPR within the Croatian legal system.

Together, these two instruments comprise the central regulatory framework around data protection and privacy in Croatia at present.

Scope and Applicability

The territorial scope of both the GDPR and the Croatian implementation act extend to any processing of personal data carried out in Croatia, regardless of whether the organization is based in Croatia or abroad. The laws also apply to the processing of personal data of data subjects located in Croatia by controllers or processors not established in the EU, where the processing relates to offering goods or services to those data subjects.

The material scope of the laws covers data processing carried out through automated means or as part of a filing system. Exemptions exist for certain processing by competent authorities for law enforcement or national security purposes.

Overall, the extensive obligations around lawful processing, data minimization, transparency, data security, and accountability outlined in the GDPR apply to most organizations processing Croatian personal data.

The Croatian Data Protection Authority

AZOP’s Powers and Responsibilities

The main regulatory authority responsible for overseeing data protection in Croatia is the Personal Data Protection Agency (AZOP in Croatian). AZOP serves as the national supervisory authority under the GDPR.

The powers and responsibilities of AZOP include:

• Conducting investigations, audits, and inspections of organizations to assess GDPR compliance
• Issuing warnings, reprimands, and administrative orders to enforce compliance
• Publishing statutory guidance and opinions on GDPR application and interpretation
• Maintaining a public registry of data protection officers (DPOs) appointed in Croatia
• Imposing administrative fines for GDPR infringements, up to the maximum limits set out in the Regulation
• Initiating misdemeanour proceedings for violations of the Croatian data protection implementation act

Essentially, AZOP oversees enforcement of data protection laws in Croatia and supports compliance through its guidance and opinions.

GDPR Principles and Croatian Derogations

Key GDPR Principles

Many of the central principles and data protection obligations under the GDPR apply directly within the Croatian legal context. For instance:

• Obtaining valid consent from data subjects wherever consent is the lawful basis for processing
• Restricting processing to only what is necessary for specified purposes
• Maintaining data security and reporting data breaches that put data subjects at risk
• Appointing a DPO when required under the GDPR criteria
• Conducting DPIAs for high-risk processing activities

So GDPR fundamentals like privacy by design, transparency, purpose limitation, and accountability are binding in Croatia.

Croatian Derogations and Specific Rules

While the core GDPR requirements apply, Croatia has introduced some limited derogations and additional rules around certain areas that build on the Regulation:

• Additional restrictions on processing genetic data, biometric data, and children’s data beyond the GDPR framework
• Requiring parental consent for online services offered directly to children under 16
• National rules around video surveillance, including mandatory signs and time limits for footage retention
• Additional provisions for processing for statistical purposes and scientific research

So organizations must comply not just with the GDPR, but also follow the relevant Croatian legislation that adds supplemental requirements in certain contexts.

Data Subject Rights Under Croatian Law

The GDPR Rights

As mandated by the GDPR, Croatian data subjects enjoy a robust set of rights around their personal information. These include:

• Right to access their data processed by a controller
• Right to rectification of inaccurate or incomplete personal data
• Right to erasure in specific circumstances
• Right to restriction of processing pending rectification or erasure
• Rights related to profiling and automated decision-making systems
• Right to data portability, to receive their data in a machine-readable format
• Right to object to processing based on legitimate interests or for direct marketing

So Croatian individuals can leverage these mechanisms to gain transparency and a degree of control over use of their personal data.

Limitations and Restrictions

There are some partial limitations on the ability to exercise these GDPR rights when processing of personal data occurs:

• For statistical or research purposes in the public interest
• By public authorities for national security, defense, or criminal enforcement purposes

However, in most contexts, Croatian data subjects retain the access, transparency, and control rights granted under the GDPR.

GDPR Enforcement and Penalties in Croatia

Administrative Fines Under the GDPR

As the national supervisory authority, AZOP has the authority to impose administrative fines for GDPR infringements occurring in Croatia or affecting Croatian data subjects.

These fines can reach up to €20 million or 4% of an organization’s global annual revenue, depending on the violation. Violations of core principles like lawful processing or data subject rights carry the highest maximums.

AZOP must follow the GDPR’s provisions around regularity and proportionality in assessing fines. Fines cannot be imposed on public authorities, though other corrective measures are available.

Criminal Offenses Under Croatian Law

In addition to administrative penalties, the unlawful processing of personal data in violation of privacy laws can constitute a criminal offense under the Croatian Criminal Code.

Potential criminal penalties for unlawful processing depend on factors like:

• The gravity and scope of the violation
• If the data concerned children or sensitive data
• Whether the violation was for financial gain

But at minimum, conviction can carry up to a 1 year prison sentence under Croatian law.

Avoiding GDPR Penalties Through Compliance

By following AZOP’s published guidance, as well as evolving best practices across the EU, organizations can take proactive steps to comply and minimize their risk of significant fines or criminal sanctions in Croatia.

Navigating GDPR Compliance in Croatia

Adapting a GDPR Program to Croatia

Given the alignment between Croatian data protection laws and the GDPR, many recommended compliance best practices will apply directly. For instance:

• Conducting data mapping and gap analyses to understand processing activities
• Revising policies and procedures to ensure lawful processing with data subject rights enabled
• Training staff on essential data protection concepts and requirements
• Creating response plans and Security of Processing measures
• Following recognized methodologies for data protection impact assessments

However, given Croatia’s additional rules and derogations, organizations must adapt their GDPR compliance programs to fully address the Croatian legal context.

Relying on Croatian Legal Expertise

Engaging an expert GDPR consultancy familiar with both the GDPR and Croatian privacy law intricacies can help guide an organization’s compliance efforts. Firms like Vision Compliance have in-depth knowledge of Croatia’s regulatory environment.

This can prove invaluable in areas like:

• Interpreting AZOP’s guidance and opinions
• Conducting Croatian DPIAs customized to reflect national requirements
• Training staff on key aspects of Croatian data protection law
• Preparing for AZOP inspections and demonstrating compliance

Staying Current on Croatian Data Protection Developments

As AZOP continues building out its advisory materials, and with possible future changes to Croatia’s data protection laws, keeping current will be an ongoing process for organizations.

Relying on legal counselors who actively track Croatian regulatory developments provides a mechanism to stay up to date on obligations and expectations. Paired with a scalable foundation aligned to the GDPR’s principles, companies can continue maturing their compliance program fit for the Croatian context.