Privacy Law in Croatia

Croatia's privacy and data protection laws are primarily governed by the General Data Protection Regulation (GDPR), which is directly applicable across the European Union, including Croatia. To complement the GDPR, Croatia enacted the Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka) on April 27, 2018, which entered into force on May 25, 2018.

Key Features of Croatia’s Data Protection Framework

1. Supervisory Authority

The Croatian Personal Data Protection Agency (AZOP) is the independent authority responsible for overseeing the implementation of the GDPR in Croatia. AZOP has advisory, corrective, and investigative powers, including the authority to issue decisions and opinions related to data processing activities.

2. Legal Basis for Data Processing

Under Croatian law, personal data processing is lawful only if at least one of the following conditions is met:

The data subject has given explicit consent.

Processing is necessary for the performance of a contract.

Processing is necessary to comply with a legal obligation.

Processing is necessary to protect vital interests.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Processing is necessary for legitimate interests pursued by the controller or a third party, provided these interests are not overridden by the data subject's rights and freedoms.

3. Rights of Data Subjects

Individuals in Croatia have the following rights under the GDPR:

Right to access personal data.

Right to rectification.

Right to erasure ("right to be forgotten").

Right to restriction of processing.

Right to data portability.

Right to object to processing.

Right not to be subject to automated decision-making, including profiling.

4. Processing of Sensitive Data

The processing of sensitive personal data (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data) is subject to stricter conditions. Such processing is permitted only under specific circumstances, including:

Explicit consent from the data subject.

Processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

Processing is necessary for the establishment, exercise, or defense of legal claims.

5. Enforcement and Penalties

AZOP has the authority to impose administrative fines for non-compliance with data protection laws. Fines can be up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. In addition to administrative fines, criminal sanctions may apply for unauthorized collection, processing, or use of personal data, with penalties including imprisonment.

📌 Summary

Croatia's data protection framework is robust, aligning with the GDPR to ensure the protection of personal data. The Croatian Personal Data Protection Agency (AZOP) plays a central role in overseeing compliance and enforcing data protection laws. Individuals in Croatia are afforded comprehensive rights regarding their personal data, and organizations are required to adhere to stringent conditions when processing such data, particularly sensitive information.
