Data Protection in Croatia

Data protection laws in Croatia

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Croatia regulation

The Act on the Implementation of the General Data Protection Regulation (in Croatian as Zakon o provedbi Opće uredbe o zaštiti podataka) was enacted in the Croatian Parliament on April 27, 2018 and came into force on May 25, 2018 (the ‘Act’).

Also, the Act on Healthcare Data and Information, which came into force on 15 February 2019, regulates rights, obligations and responsibilities of legal and natural persons within the Croatian healthcare system with respect to healthcare data and information and, inter alia, sets out fundamental principles and standards of their collection, processing and protection.

Finally, Electronic Communications Act and Cybersecurity Act provide important framework for protection of people’s rights in online environment, including specific rules relating to usage of cookies and to processing of personal data by public electronic networks and public electronic service providers.

Continue reading

  • no results

Back to top