The Croatian data protection authority ('AZOP') published, on 29 March 2023, its advice on how to proceed in case of suspected misuse of personal data. In particular, AZOP highlighted that pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in the event of a data breach that is likely to cause a high risk to the rights and freedoms of individuals, the data controller must notify the subject of the breach of their personal data without undue delay. However, AZOP noted that controllers are not obliged to notify a data subject where the conditions provided under Article 34(3) of the GDPR are satisfied.

Nonetheless, AZOP stipulated that in case of suspected disclosure of personal data, citizens have the right to request information from the controller regarding whether their personal data was included in an incident. More specifically, AZOP highlighted that data controllers must respond to data subject requests within 30 days, and that, on failure to do so, data subjects may contact AZOP to determine a violation of their rights.

Finally, AZOP outlined data subject rights that may be exercised, including the right to be informed, access, deletion, rectification, objection, restriction of processing, data portability, and not be subject to automated individual decision-making.

You can read the press release, only available in Croatian, here.