Croatia implemented the EU Data Protection Directive 95/46/EC by the Personal Data Protection Law ('Official Gazette of the Republic of Croatia', nos. 103/2003, 118/2006, 41/2008 and 130/2011) ('DP Law'). The DP Law is in force as of 4 July 2003.
Croatia implemented the EU Data Protection Directive 95/46/EC by the Personal Data Protection Law ('Official Gazette of the Republic of Croatia', nos. 103/2003, 118/2006, 41/2008 and 130/2011) ('DP Law'). The DP Law is in force as of 4 July 2003.
Defenition of personal data
Personal data means any information relating to an identified or identifiable private individual (natural persons).
Term identifiable refers to a person that can be identified, directly or indirectly, in particular by reference to his/her personal identification number or one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
Defenition of sensitive personal data
Sensitive personal data is data relating to:
- racial or ethnic origin
- political opinions
- trade union membership
- religious or philosophical beliefs
- health or sex life of a natural person, and
- personal information regarding criminal procedure and petty offence procedure.
The national data protection authority is the Croatian Personal Data Protection Agency (AZOP'). AZOP has a registered seat in
Fra Grge Martica 14Zagrebwww.azop.hrA data controller has to inform the AZOP on its database containing personal data ('Database'). The respective information includes the Database's name, information about the controller, the data processing's purpose and legal ground, data subjects, types of the processed data, methods of the data collection and storing, expected time period for storing and usage of the stored data, certain information on the data transfer (if any) and indication of the undertaken protection measures.
If an entity employs more than 20 employees, it has to appoint a data protection officer and to publish his/her contacts on the company’s website. This appointment is to be notified to the AZOP within one (1) month. A data protection officer cannot be a person charged with violation of the company’s ethical code or is under disciplinary proceedings for breach of his/her duties.
Collection and further processing of personal data has to be legally grounded and made only to the extent necessary for fulfilment of a specific purpose. The data subjects have to be informed on the data collected and on the purpose of its collection and processing.
Personal data has to be accurate, exact and complete. It has to be stored in a way to allow the data subject's identification, but only for the time needed to fulfil the data processing's purpose.
A data subject's consent is necessary for the legitimate processing of his/her personal data unless in certain cases prescribed by law or in particular cases explicitly prescribed by the DP Law (for example, if the processing's purpose is to fulfil the data controller's statutory obligations or to execute and realize a contract where a data subject is a contractual party, or if a data subject has published the respective data himself/herself, etc).
Transfer of personal data from Croatia is allowed to the countries and international organizations with the adequate level of data protection. This adequacy is subject to the AZOP's assessment provided that the opinion of the European Commission regarding the same is, when applicable, the opinion on which the AZOP fully relies. More precisely, if the European Commission has established for a particular third country that it does not provide an adequate level of data protection, the AZOP will forbid a transfer to such country.*
On the other hand, it is considered that the countries which are signatories to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data provide the adequate level of data protection. A data controller is only to notify the AZOP of such transfers.
Under the DP Law, it is also allowed to transfer personal data to the countries or international organizations which do not provide the adequate level of data protection, but only in certain cases stipulated by the DP Law (eg when the data subject consented to the transfer or when the transfer is necessary for the protection of the data subject's life or physical integrity).
* Please note that following the Judgment of the Court of Justice of the European Union on 6 October 2015 in the case of Schrems (C-362/14) the US-EU safe harbor regime is no longer regarded as a valid basis for transferring personal data to the US. This section of the Handbook will be updated in due course to reflect regulator actions in the wake of the decision. In the meantime, please refer to DLA Piper’s Privacy Matters blog http://blogs.dlapiper.com/privacymatters/ for more information and insight into the decision.
Personal data has to be adequately protected from abuse, destruction, loss and unauthorized changes or alterations.
A data controller has to undertake all necessary technical, personnel and organizational precautions to protect data from loss or destruction, unauthorized access, alteration, publication and every other malpractice. All data controller's employees have to sign a confidentiality statement.
There is no data security breach notification duty explicitly prescribed by the DP Law.
AZOP is competent for the enforcement of the DP Law. It monitors the legislation's implementation, determines possible malpractices, compiles a list of countries with an adequate level of data protection, conducts the Central Data Register and passes decisions in cases initiated by data subjects.
If the AZOP determines a breach of the DP Law, it can:
- issue a warning to the data controller
- order removal of the existing irregularities within certain period of time
- temporarily ban collection, processing or usage of illegally collected data
- order deletion of illegally collected data
- ban transfer of data outside of Croatia, or
- ban data processing by an outsourced data processor.
AZOP's decisions may be disputed before an administrative court.
AZOP may also propose an initiation of criminal proceedings (imprisonment up to five (5) years) or petty offence proceedings (monetary fine in range from approximately EUR 2,600 to EUR 5,200).
Electronic marketing is regulated by the DP Law. A data controller has to inform a data subject in advance on intention to collect and process his/her data for marketing purposes. A data subject can decline to give his/her consent for the respective processing. However, even if a data subject consents to the particular processing for the respective purposes, the processing is allowed only for as long as the data subject does not oppose the same (opt-out provisions are commonly used in consent forms).
All rules on data protection are applicable to the electronic communication and on-line privacy as well. AZOP is in charge of control of all on-line data processing.
On-line privacy and cookies are regulated by the Electronic Communications Act ('Official Gazette of the Republic of Croatia', nos. 73/2008, 90/2011, 133/2012, 80/2013 and 71/2014) which has implemented Directive 2002/58/EZ on personal data processing and privacy protection in electronic communications sector.
Usage of electronic communication network for data storage or access to already stored data in terminal data subject equipment is allowed only with a data subject's consent after he/she was clearly and completely informed on the purpose of the data processing (opt-in option).
