Implementation Guidebook for GDPR: Croatia's Approach

Implementation Guidebook for GDPR: Croatia's Approach

Croatia Adheres Closely to GDPR for Data Protection

Croatia has implemented the EU General Data Protection Regulation (GDPR) into national law through the Law on the Implementation of the GDPR (2018). This legislation governs the processing of personal data, including provisions on sensitive data, children’s consent, data subject rights, joint controllership, processors, impact assessments, prior authorizations, international transfers, data protection officers (DPOs), and administrative enforcement measures.

The Implementation Act further prescribes specific rules for CCTV in residential buildings, public areas, and employment settings, ensuring compliance with the Work Safety Act and GDPR principles.

Processing of Personal Data via CCTV

CCTV surveillance can only be carried out when necessary and justified for the protection of persons and property, providing that the data subjects' interests do not override the processing of biometric data. Controllers conducting CCTV are obliged to inform data subjects of the surveillance, restrict access to personal data, establish an automated recording system, keep recordings for no longer than six months, and adhere to other guidelines prescribed by the Implementation Act.

Data Protection Authority in Croatia

The Personal Data Protection Agency (Agencija za zaštitu osobnih podataka) is the Data Protection Authority in Croatia, located at Martićeva ulica 14, HR - 10 000 Zagreb, Croatia, and can be found online at azop.hr. The agency has additional powers beyond those set out in Art. 58 GDPR, including establishing criteria for administrative fees, initiating and participating in court proceedings, publishing individual decisions and opinions, monitoring the application of EU Directive 2016/680, initiating proceedings before the High Administrative Court of the Republic of Croatia, and supervising the implementation of the Implementation Act.

Enforcement and Breaches

The DPA in Croatia has yet to take enforcement action for breaches of the GDPR, but it actively issues fines for non-compliance. Decisions made by the DPA may not be challenged via an appeal but rather by filing a claim before the competent administrative court. Under Croatian law, a public authority may not be subject to an administrative fine for violation of the GDPR or Implementation Act, but legal entities vested with public authority and legal entities performing public services may be subject to administrative fines, with penalties ranging up to tens of thousands of euros.

Data Protection for Deceased Persons

Personal data of deceased persons is generally not protected under the GDPR framework or Croatian law explicitly. However, national laws sometimes address such data differently, but no clear distinct rules for data of deceased persons are noted in recent Croatian acts or guidance.

Future Developments

Croatia continues to align with evolving EU standards, but no new Croatian-specific regulatory guidance on these points beyond GDPR implementation and AZOP enforcement has been published recently. At present, the DPA in Croatia has issued general guidance on the implementation of the GDPR, decisions on types of processing requiring an Impact Assessment to be performed, and decisions regarding registering the DPO with the DPA.

1. White & Case, a prominent international law firm, offers extensive legal services in the field of finance, including capital markets, regulatory practice, and compliance.
2. The firm's corporate practice often collaborates with associate lawyers to provide intellectually sound advice to clients, covering a wide range of industries and sectors.
3. White & Case LLP also publishes numerous educational-and-self-development materials and news articles related to various practice areas; these publications can be accessed on their official website, whitecase.com.
4. In the area of technology, the firm's lawyers are well-versed in data protection issues, ensuring clients adhere to regulations such as the EU General Data Protection Regulation (GDPR).
5. They also assist clients in obtaining compliance with international transfers and strategic transactions,, including cross-border data flow and regulatory due diligence.
6. White & Case's team of counsel can help clients navigate complex intellectual property matters, such as patent applications, trademark registration, and copyright protection.
7. The firm's international presence allows them to offer globally integrated services, making them a valuable partner for businesses operating across multiple jurisdictions.
8. In addition to GDPR, White & Case is experienced in providing services related to other data protection regulations and practices, including those of different countries and regions.
9. The firm's lawyers are active in various industry organizations and regularly contribute to public discourse on matters related to data protection, cybersecurity, and privacy.
10. Recognized for their expertise and dedication, White & Case lawyers have been named as top-ranked in various practice areas by prestigious legal publications.
11. Through a combination of legal expertise, deep industry knowledge, and commitment to client service, White & Case partners help businesses navigate the complexities of the legal landscape and achieve their objectives.
12. For those seeking guidance on data protection, capital markets, or any other legal matter, White & Case offers a team of experienced lawyers, dedicated to delivering innovative and practical solutions.

Read also: