Croatia - Data Protection Overview

March 2023

1. Governing Texts

From 25 May 2018, the overall concept of personal data protection in the Republic of Croatia is regulated by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the General Data Protection Regulation Implementation Act 2018 (available only in Croatian here) ('the Act'), which in effect represents a new and stronger mechanism for personal data protection. While most provisions and rules for data protection are found in the GDPR and the Act, there are other national statutes and bylaws which prescribe specific rules for data processing and use. Some of those separate and specific rules are also mentioned below.

1.1. Key acts, regulations, directives, bills

The GDPR entered into force on 25 May 2018 throughout the European Union. On the same date, the Act also entered into force and application in the Republic of Croatia, repealing the previous Personal Data Protection Act of 2003.

The material scope of the Act is the same as the GDPR (see section on scope of application below). The Act ensures the implementation of the GDPR in Croatia and sets out additional rules (Chapter IV of the Act) on the processing of personal data in the following specific circumstances:

  • children's consent in relation to information society services (see section on children's data below);
  • processing of genetic data (see section on special categories of personal data below);
  • processing of biometric data (see section on special categories of personal data below);
  • processing of personal data in connection with video surveillance (see section on legal bases in other instances below); and
  • processing of personal data for statistical purposes (see section on legal bases in other instances below).

1.2. Guidelines

The Personal Data Protection Agency ('AZOP') issues and publishes data protection guidance.

In addition, the AZOP has published numerous additional opinions, recommendations, and clarifications on specific data processing issues and provided useful links to guidelines issued by the European Data Protection Board ('EDPB') (all available on the AZOP's official website in Croatian).

1.3. Case law

The AZOP exercises its powers either ex officio or at the request of a data subject. The AZOP renders administrative decisions against which an administrative dispute may be initiated before the competent Administrative Court. In 2020, the AZOP rendered 152 decisions, against 32 of which administrative disputes were initiated.

Through 2020, the AZOP rendered the following noteworthy decisions, described in its annual reports for 2019 (available only in Croatian here) and 2020 (available only in Croatian here):

  • In March 2020, the AZOP announced that it had imposed the first administrative fine against a bank from Zagreb for refusing data subjects access to their personal data in violation of Article 15(3) of the GDPR. Namely, the bank refused to provide the data subjects with requested documentation that contained their personal data. The fine was imposed after the bank failed to abide by numerous AZOP orders to comply with the GDPR requirements. The AZOP has issued several decisions in similar matters stating that the GDPR applies when banks store personal data of data subjects and, therefore, pursuant to Article 15(3) of the GDPR, banks are obliged to provide copies of personal data when requested by data subjects. The AZOP's legal position has been confirmed by the High Administrative Court of the Republic of Croatia in several instances.
  • A bank processed its client's personal data (name and surname, personal identification number, address, and IBAN), which were subsequently delivered to another client, resulting in the unlawful and unjustified disclosure and use of the personal data for concluding a contract with another client. In this case the AZOP found a violation of Articles 5(1)(a) and (f) and 6(1) of the GDPR.
  • The Centre for Upbringing, Education, and Rehabilitation published personal data of its students on its official website. As a result, personal data of children, the most vulnerable group in society, could have been abused, given that the publication stated which school and which class the students attended.
  • A medical institution published on its website personal data of persons against whom court proceedings were conducted. The data was published without a valid legal basis and lawful purpose, in violation of Articles 5, 6, and 25 of the GDPR.
  • Publication of a meeting minutes of a local self-government body containing a data subject's personal data violated the data subject's privacy due to the body's failure to take appropriate technical measures for personal data protection (Articles 25 and 32 of the GDPR). The personal data were made available to the public and thus exposed to abuse that might have far-reaching consequences for the data subject's privacy.
  • Publication of a data subject's personal data (employment contract) on a website without a valid legal basis and lawful purpose is contrary to Articles 5 and 6 of the GDPR.
  • Publication of a data subject's personal data on residence address in media is excessive having in mind the context of the journalistic article and the purpose of its publication.
  • Disclosure of personal data to a debt-collection agency acting as the new creditor is lawful, as it is based on the Croatian Civil Obligations Act (available only in Croatian here), which serves as the legal basis for the processing. Since the contractual rights are assigned to the debt-collection agency, the personal data of the respective debtor must be disclosed. For such disclosure, the consent of the data subject is not required and there is no obligation to inform the data subject of the disclosure, provided that the old creditor has transferred the processing of personal data to the new creditor on the basis of the assignment agreement.
  • Publication of a data subject's personal data (name and surname, photographs, or videos) on social media or video platforms without a legal basis based on the GDPR is unlawful. In such a case, a breach of personal data was determined against a person who had posted the respective personal data.
  • Collection of students' personal data by schools where a student has been infected with COVID-19 or is in quarantine (name and surname, personal identification number, address, medical doctor, names and surnames of parents and their contact information) is lawful, as it is based on the legal bases of protecting the interests of the data subject (i.e., the student) and public health. The same applies to the collection of personal data by airlines from passengers and by organisers of events from guests.
  • Display of personal data of co-owners of a building on the bulletin board in the building (name and surname, apartment number, household members), without the consent of such co-owners, is unlawful because such a display is accessible to the general public and can thus be misused.

Since the GDPR entered into application relatively recently and court proceedings generally last for several years in Croatia, there is not much noteworthy publicly available court practice yet.

The County Court in Pula decided that video surveillance of public areas by a private video camera is not contrary to the GDPR and the Act.

The Administrative Court in Rijeka determined that the Ministry of the Interior did not violate the right to the protection of personal data when it obtained from a driver's doctor, and processed, the data necessary for the performance of a task carried out in the public interest in compliance with Article 6(1)(c) and (e) of the GDPR, as long as the disclosure of a medical secret is permitted under the Medical Practice Act.

A judgment of the Municipal Court in Bjelovar rendered in a criminal proceeding in August 2018 highlighted that the unlawful use of personal data is a criminal offence under the Croatian Criminal Code (only available in Croatian here) ('the Criminal Code'). It follows from the description of the judgment that a natural person reported a competent authority for unlawfully processing their personal data without their written consent, in an attempt to avoid a fine for a traffic offence. The court clarified that the purpose of the GDPR is to protect individuals from unlawful processing of their personal data for marketing, economic, political, or any other purposes, not to enable individuals to evade liability under statutory law.

The County Court in Varaždin decided that the entry of a record of legal guardianship (name and surname, personal identification number, address) in the publicly available land registry is not contrary to the GDPR because it is based on the Croatian Family Act (only available in Croatian here). Pseudonymisation of such personal data is not permitted.

2. Scope of Application

2.1. Personal scope

The Act does not deviate from the GDPR. The Act specifies the scope of application in the following specific circumstances (Chapter IV of the Act):

  • children's consent in relation to information society services: applies to children with residency in Croatia;
  • processing of genetic data: applies to data subjects who conclude life-insurance agreements and agreements with life-expectancy clauses on the territory of Croatia, provided that the data is processed by a controller with a registered seat in Croatia or by a controller who provides its services on the Croatian territory; and
  • processing of biometric data: applies to data subjects in Croatia provided that the data is processed by either (i) the controller with a registered seat in Croatia or the controller who provides its services on the Croatian territory or (ii) public authority.

2.2. Territorial scope

Please refer to the section on personal scope above.

2.3. Material scope

The material scope of the Act is the same as the GDPR, i.e. it does not apply to the processing of personal data by the competent authorities in the context of criminal prosecution, or in the area of national security and defence. The Act, inter alia, determines the competence and organisation of the national regulatory authority, the AZOP, as well as additional fines that may be imposed for non-compliance with the GDPR in Croatia.

More importantly, Chapter IV of the Act sets out additional rules on the processing of personal data in the following specific circumstances:

  • children's consent in relation to information society services (see section on children's data below);
  • processing of genetic data (see section on special categories of personal data below);
  • processing of biometric data (see section on special categories of personal data below);
  • processing of personal data in connection with video surveillance (see section on legal bases in other instances below); and
  • processing of personal data for statistical purposes (see section on legal bases in other instances below).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator for data protection is the AZOP. The AZOP was established in 2004 under the previous legislation as an independent legal entity vested with public authority. Under the transitional and final provisions of the Act, the AZOP remains the national regulator and has become a public authority, while its employees have become civil servants. The AZOP is seated in Zagreb. It is accountable to the Croatian Parliament.

3.2. Main powers, duties and responsibilities

The AZOP's powers derive directly from Articles 57, 58, and 83 of the GDPR, while Article 6 of the Act further specifies the AZOP's powers and responsibilities. The list of the AZOP's responsibilities is open-ended and includes, without limitation, the following activities:

  • instigation and participation in criminal, misdemeanour, administrative, and other court or out-of-court proceedings for breach of the GDPR and the Act;
  • adoption of the criteria for determining the administrative fees;
  • publication of individual decisions and opinion;
  • instigating and conducting proceedings for breach of the GDPR;
  • performing activities of the national regulator under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680); and
  • performing other activities prescribed by law.

In exercising its powers, the AZOP is authorised to perform announced or unannounced supervision subject to an order issued by the Director of the AZOP. The AZOP's authorised personnel may make copies of pertinent documentation or records, temporarily seize and/or seal filing systems or equipment for a period of up to 15 days. The AZOP makes an official protocol (minutes) of a supervision against which an objection can be lodged.

Finally, on requests of natural persons or legal entities, the AZOP renders official opinions in the area of data protection within a maximum of 60 days upon the receipt of requests. The AZOP may charge a fee for its opinion if requested by a commercial entity (e.g. a law firm, a professional consultant, etc.) in connection with the performance of their business activities or if it incurs administrative costs.

4. Key Definitions

Data controller: No national variation, GDPR applies.

Data processor: No national variation, GDPR applies.

Personal data: No national variation, GDPR applies.

Sensitive data: No national variation, GDPR applies.

Health data: No national variation, GDPR applies.

Biometric data: No national variation, GDPR applies.

Pseudonymisation: No national variation, GDPR applies.

5. Legal Bases

Article 6 of the GDPR prescribes the legal bases for the lawfulness of processing of personal data. The Act does not deviate from the provisions of the GDPR.

It is noteworthy that the data controller cannot change the legal basis for data processing once the data has been collected. For example, it is not permitted to fall back on legitimate interest as the legal basis if the consent originally relied on turns out to be invalid. Because the controller must indicate the legal basis it relies on at the time the personal data are collected, the controller must decide before collection which legal basis it will apply.

The AZOP has issued and published several opinions in relation to the legal bases and their interpretation, which are elaborated in sections on consent and legitimate interests of the data controller below.

5.1. Consent

The Act does not vary from the GDPR. However, the processing of employees' personal data cannot be based on consent. The AZOP is of the opinion that, because an employee is dependent on their employer, such consent cannot be freely given. The processing of employee personal data should primarily be based on the employment contract or on the legal obligations of the data controller (employer) prescribed by special legislation (the Labour Law (Official Gazette, No. 93/14, 127/17, 98/19) (only available in Croatian here) ('the Labour Law'), the Pension Insurance Act (Official Gazette 102/98) (only available in Croatian here), etc.).

The Act also prescribes that the data subject's consent cannot override the prohibition on processing genetic data for the purpose of predicting the onset of disease or other aspects of health in connection with life insurance contracts and contracts with life-expectancy clauses.

5.2. Contract with the data subject

The Act does not vary from the GDPR. The AZOP has stated in an opinion that the consent of the data subject is not required if personal data are collected and processed for the purpose of performing a contract or fulfilling the legal obligations of the controller. However, if the data of such a customer/contractual party are not necessary for the performance of the contract or are used for other purposes (e.g. direct marketing), then the processing must rest on another legal basis.

5.3. Legal obligations

The Act does not vary from the GDPR.

Several statutes impose a legal obligation on data controllers to collect and process personal data. For example, the Labour Law and the Act on Anti-Money Laundering and Terrorism Financing (available only in Croatian here) ('the AML Act') prescribe when and how personal data may be collected:

  • Personal data of employees may be collected, processed, used, and provided to third parties only if this is prescribed by the Labour Law or another statute, or if it is necessary for the exercise of rights and performance of obligations arising from or in connection with the employment relationship. If personal data need to be collected, processed, used, or provided to third parties in order to exercise rights and perform obligations arising from or in connection with the employment relationship, the employer must determine in advance, in its labour bylaws, which data it will collect, process, use, or provide to third parties. The approval of the works council is required. Further, an employer with at least 20 employees must appoint a person enjoying the trust of the employees who is authorised to supervise whether employee personal data are collected, processed, used, and provided to third parties in compliance with the applicable laws and regulations.
  • The AML Act prescribes which personal data must be collected, processed, and used by obliged entities such as, among others, banks. The collection and processing of personal data by a bank as data controller is permitted for the purpose of fulfilling its legal obligations when providing services. Citizens have the right to be informed, to request information regarding the processing of their personal data, and to exercise their rights under the GDPR. The AZOP is of the opinion that the bank has a justifiable reason for which it is obliged to unequivocally establish the identity of the client and collect a range of data that is commensurate with the purpose of processing.

5.4. Interests of the data subject

The Act does not vary from the GDPR.

5.5. Public interest

The Act does not vary from the GDPR.

5.6. Legitimate interests of the data controller

The Act does not vary from the GDPR.

The AZOP has stated in an opinion that the existence of a legitimate interest requires a careful assessment of, inter alia, whether the data subject can reasonably expect processing for the purpose in question at the time and in the context of the collection of the personal data. The interests and fundamental rights of the data subject can outweigh the legitimate interests of the controller if personal data are processed in circumstances where data subjects do not reasonably expect further processing.

5.7. Legal bases in other instances

Direct marketing

The Electronic Communications Act (available only in Croatian here) ('the ECA') stipulates that the use of automatic calling and communication systems without human intervention, fax machines, or email, including SMS and MMS messages, for the purpose of direct promotion and sale is allowed only with the prior consent of the subscriber or service user. A natural person or legal entity may use email addresses obtained from its consumers in the course of selling products and services for the direct promotion and sale of its own similar products or services, provided that the consumers are given a clear and unequivocal possibility of objecting, free of charge and in a simple manner, to such use of their email addresses both at the time of collection and on receipt of each electronic message, and have not refused such use in advance. The cited provisions do not apply to communications addressed to legal entities for the purpose of direct promotion and sale.

Further, with regard to the processing of personal data for the purpose of marketing by telephone, the Consumer Protection Act (available only in Croatian here) prohibits making calls and/or sending messages by telephone to consumers who have registered that they do not wish to receive calls and/or messages as part of advertising and/or sales by telephone. The register is kept by the Croatian Regulatory Authority for Network Industries ('HAKOM').

Processing for scientific or historical research purposes

The national rules on archiving in the public interest are prescribed in the Archive Materials and Archives Act 2018 (available only in Croatian here) ('the Archives Act'). Personal data contained in public archive material are made available for use 100 years from the birth of the person or after the person's death. If the date of a person's birth or death is unknown or unreasonably hard or costly to determine, the material is made available for use 70 years from the date of its creation.

If archive material is released for use before the above term, the competent state archive takes technical measures to conceal the identity of (anonymise) the data subject, and the user signs a statement that they will not disclose the identity of the person, even if it becomes known to them from the available data.

Additional provisions on the processing of personal data for statistical purposes are contained in the Act. Personal data may be collected and processed for statistical purposes in accordance with a special statute. The bodies performing official statistics are not obliged to grant data subjects the rights to access their personal data, to have their data rectified, to restrict the processing of their personal data, or to object to such processing. This restriction is intended to provide the conditions necessary to fulfil the purpose of official statistics, to the extent that it is likely that the exercise of those rights would hinder the purpose of the statistical analyses and their results. Further, controllers are not obliged to inform individuals about the transfer of their personal data to competent bodies for statistical purposes.

To ensure the protection of personal data collected for statistical purposes, the competent bodies must implement technical and organisational measures for the protection of personal data, and the processed information may not enable identification of any individual.

The Act contains no provisions on the processing of personal data for scientific and historical research purposes.

Video surveillance

The Act contains extensive provisions on the processing of personal data by means of video surveillance. Video surveillance is permitted only if it is necessary and justified for the protection of persons and property, and only to the extent that the interests of data subjects do not override the interest in the processing.

The controller must clearly mark the premises under video surveillance, at least at the entrance to the camera's field of view. Only authorised personnel of the controller or processor may be granted access to personal data processed by means of video surveillance. The controller and the processor must establish an automatic record of who accessed the recordings and when. The recordings may be stored for no longer than six months, unless a longer retention period is prescribed by statute or the recordings are used as evidence in court or other proceedings.

Specifically, the Ministry of the Interior is authorised to record citizens (vehicles) by video surveillance for the purpose of establishing road traffic misdemeanours committed on public roads. This authorisation and legal basis are provided in the Croatian Road Traffic Safety Act (available only in Croatian here).

Finally, the processing of employee personal data, including video surveillance in a workplace, is additionally regulated by the applicable labour laws and regulations.
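The two technical controls the Act describes above (an automatic record of who accessed the recordings and when, and a six-month retention limit with an exception for recordings held as evidence) are easy to state and easy to get subtly wrong. The following Python is an added example written for this overview; it is not code from the Act, the AZOP, or any surveillance product. The class and function names are hypothetical, the store is in memory only, and "six months" is computed by calendar month with day clamping, which is an assumption about how the period is counted.

```python
"""Access audit trail and retention sweep for video-surveillance recordings.

Added example for illustration only; not part of the Act or AZOP guidance.
Names are hypothetical, storage is in memory, and the six-month limit is
counted in calendar months (an assumption, not a statement of the law).
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def add_months(dt: datetime, months: int) -> datetime:
    """Shift dt by whole calendar months, clamping the day to the end of the
    target month (31 Aug + 6 months -> 28/29 Feb), so a deadline never lands
    on a day that does not exist."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class Recording:
    recording_id: str
    captured_at: datetime
    legal_hold: bool = False  # True while used as evidence in a proceeding


@dataclass(frozen=True)
class AccessEvent:
    accessed_at: datetime
    user: str
    recording_id: str
    purpose: str
    outcome: str  # "granted" or "denied"


class SurveillanceArchive:
    """Recordings plus the automatic record of who accessed what, and when."""

    RETENTION_MONTHS = 6

    def __init__(self, authorised_users):
        self._authorised = frozenset(authorised_users)
        self._recordings: dict[str, Recording] = {}
        self._access_log: list[AccessEvent] = []

    def store(self, recording: Recording) -> None:
        self._recordings[recording.recording_id] = recording

    def access(self, user: str, recording_id: str, purpose: str, now: datetime) -> Recording:
        """Release a recording only to authorised personnel. Every attempt is
        logged before the access decision is enforced, including denied ones,
        so the record cannot be bypassed by a failed request."""
        granted = user in self._authorised and recording_id in self._recordings
        self._access_log.append(AccessEvent(now, user, recording_id, purpose,
                                            "granted" if granted else "denied"))
        if user not in self._authorised:
            raise PermissionError(f"{user} is not authorised to view recordings")
        if recording_id not in self._recordings:
            raise KeyError(recording_id)
        return self._recordings[recording_id]

    def retention_deadline(self, recording: Recording) -> datetime:
        return add_months(recording.captured_at, self.RETENTION_MONTHS)

    def sweep(self, now: datetime) -> list[str]:
        """Delete recordings past the retention deadline unless on legal hold.
        Returns the deleted ids so the deletion itself can be recorded."""
        expired = sorted(rid for rid, rec in self._recordings.items()
                         if not rec.legal_hold and now > self.retention_deadline(rec))
        for rid in expired:
            del self._recordings[rid]
        return expired

    def held(self) -> list[str]:
        return sorted(self._recordings)

    def access_log(self) -> list[AccessEvent]:
        return list(self._access_log)


def demo() -> dict:
    """Constructed scenario: three recordings, one on legal hold, swept on
    20 Jan 2023; one authorised and one unauthorised access attempt."""
    archive = SurveillanceArchive(authorised_users=["guard.1"])
    archive.store(Recording("cam1-2022-05-10", datetime(2022, 5, 10, tzinfo=UTC)))
    archive.store(Recording("cam1-2022-06-01", datetime(2022, 6, 1, tzinfo=UTC), legal_hold=True))
    archive.store(Recording("cam1-2023-01-15", datetime(2023, 1, 15, tzinfo=UTC)))
    now = datetime(2023, 1, 20, tzinfo=UTC)
    deleted = archive.sweep(now)
    archive.access("guard.1", "cam1-2023-01-15", "incident review", now)
    denied_raised = False
    try:
        archive.access("visitor", "cam1-2023-01-15", "curiosity", now)
    except PermissionError:
        denied_raised = True
    return {
        "deleted": deleted,
        "retained": archive.held(),
        "log_outcomes": [e.outcome for e in archive.access_log()],
        "denied_raised": denied_raised,
        "aug31_plus_6": add_months(datetime(2022, 8, 31, tzinfo=UTC), 6).date().isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the access event is appended before the authorisation check, so a denied attempt is never missing from the record, and `sweep` skips anything on legal hold rather than silently extending the period for everything, which is how most real systems drift past the six months the Act allows.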

6. Principles

The principles specified under the GDPR apply.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no general notification, registration, or fee payment requirement under the Act.

Controllers must notify the AZOP of their appointed data protection officers ('DPOs'). The AZOP published a recommended reporting form (available only in Croatian here) and maintains a non-public register of DPOs.

The AZOP may assess fees for its services as elaborated upon in section on main powers, duties and responsibilities above.

7.2. Data transfers

Provisions specified in the GDPR apply.

7.3. Data processing records

Provisions specified in the GDPR apply.

Bylaw on the Content and Manner of Keeping Records on Employees (available only in Croatian here) ('the Bylaw') prescribes the scope of personal data that the employer must collect for the purpose of keeping records of employees. The records are kept for the entire duration of employment and at least six years after its termination.

7.4. Data protection impact assessment

Pursuant to Article 35(4) of the GDPR, in December 2018, the AZOP adopted the Decision on Determining and Publicising a List of the Kind of Processing Operations which are Subject to the Requirement for a Data Protection Impact Assessment (available only in Croatian here) ('the Croatia Blacklist').

The Croatia Blacklist prescribes circumstances in which a Data Protection Impact Assessment ('DPIA') is necessary, taking into account the Article 29 Working Party's ('WP29') Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 ('the WP29 DPIA Guidelines') and the EDPB's Opinion 25/2018 on the Draft List of the Competent Supervisory Authority of Croatia Regarding The Processing Operations Subject to the Requirement of a Data Protection Impact Assessment.

Pursuant to the Croatia Blacklist, besides the cases prescribed in Article 35(3) of the GDPR, a DPIA is also compulsory in the processing of personal data in the following cases:

  • processing of personal data for systematic and extensive profiling or automated decision-making in order to draw conclusions that significantly affect, or may affect, an individual or several persons, or that help decide on someone's access to a service or benefit (e.g. processing of personal data relating to economic or financial status, health, personal preferences, interests, reliability, behaviour, location data, etc.);
  • processing of special categories of personal data for profiling or automated decision-making;
  • processing of personal data of children for profiling or automated decision-making, for marketing purposes, or for direct offering of services intended for them;
  • processing of personal data collected from third parties that are considered for making decisions regarding the conclusion, termination, rejection, or extension of service contracts with natural persons;
  • processing of special categories of personal data or personal data on criminal or misdemeanour liability on a large scale;
  • processing of personal data by using systematic monitoring of publicly available places on a large scale;
  • use of new technologies or technological solutions for personal data processing or with an option of personal data processing (e.g. the application of Internet of Things such as smart TVs, smart home appliances, smart toys, smart cities, smart energy meters, etc.) that serve to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
  • processing of biometric data in combination with any of the other criteria set out in the WP29 DPIA Guidelines used to evaluate whether certain processing operations are likely to cause a high risk to the rights and freedoms of the data subjects;
  • processing of genetic data in combination with any of the other criteria set out in the WP29 DPIA Guidelines used to evaluate whether certain processing operations are likely to cause a high risk to the rights and freedoms of the data subjects;
  • processing of personal data by linking, comparing, or verifying their matching by using multiple sources;
  • processing of personal data in a manner that involves monitoring of the location or behaviour of an individual in case of systematic processing of communication data (metadata) generated by the use of a telephone, the internet, or other communication channels such as GSM, GPS, WiFi, monitoring or processing of location data;
  • processing of personal data by means of devices and technologies where an incident may put at risk the health of an individual or more persons; and
  • processing of employee personal information by means of applications or monitoring systems (e.g. processing of personal data for monitoring of work, movement, communication, etc.).

The AZOP emphasises that the above list does not diminish the general obligation of controllers to perform appropriate risk assessments and risk management. Further, the performance of a DPIA does not relieve controllers of the obligation to comply with other obligations under the GDPR or other applicable laws and regulations, whether EU or national.

The list is not exhaustive and is subject to amendments depending on additional processing risks observed or incurred.

If the risk can be adequately reduced by appropriate technical and organisational measures, no prior consultation with the AZOP is necessary.

So far, the AZOP has not published a so called 'white list,' i.e. a decision on activities that are not subject to prior consultation with or authorisation by the AZOP.

Method

The AZOP has published the Q&A on conducting a DPIA (only available in Croatian here) ('the Q&A'), which notes that, while there are different methodologies to conduct a DPIA, the methodology should assess the risks while allowing the taking of measures to mitigate said risks. In addition, the Q&A outlines the steps to be included in the DPIA, namely (Question 16 of the Q&A):

  • a systematic description of the envisaged processing operations and the purposes behind the processing;
  • an assessment of the necessity and proportionality of said processing procedures;
  • an assessment of the risks for the rights and freedoms of data subjects; and
  • measures for mitigating risks and demonstrating compliance with the GDPR.

In addition, the AZOP has also published Guidance on DPIAs (only available in Croatian here) and provided a template for conducting a DPIA (only available to download in Croatian here).

7.5. Data protection officer appointment

The Act contains no additional provisions on DPOs and their appointment, role, or tasks, beyond the GDPR.

Notably, the AZOP has issued a DPO notification form (only available in Croatian here).

In particular, Article 37 of the GDPR provides for situations in which controllers and processors must designate a DPO. As envisaged in Article 37(5) of the GDPR, the DPO may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract.

According to the AZOP, it is up to the controller and the processor to independently assess who will be appointed as DPO and where the DPO will be located. It is recommended that the DPO is situated in the EU. The DPO is appointed based on their qualifications, especially their knowledge of law and practice in relation to data protection. The GDPR, however, does not envisage any special qualification or degree that DPOs must have. Therefore, the DPO can be a person who is not a qualified lawyer.

However, apart from providing services as DPO, the unauthorised provision of legal aid for a fee is a criminal offence in Croatia, punishable by imprisonment for six months. In our opinion, a person who is not a qualified lawyer and who has not been appointed as DPO may therefore not carry out, for a fee, those DPO tasks that amount to legal aid.

Moreover, the AZOP has issued the following guidance in relation to appointing DPOs:

  • Appointment of DPO guidance (only available in Croatian here);
  • Guidance on the appointment of the DPO (only available in Croatian here);
  • Webpage on the appointment of the DPO (only available in Croatian here);
  • Guidance on obligations of the DPO (only available in Croatian here); and
  • Frequently Asked Questions on DPO (only available in Croatian here).

7.6. Data breach notification

Controllers must report data breaches to the AZOP pursuant to Article 33 of the GDPR. There are no derogations in the Act. The AZOP has published a recommended reporting form (available only in Croatian here). For urgency reasons, it also allows for reporting a breach in English, with an obligation to submit a Croatian translation as soon as possible.

There are certain sectoral obligations as well. Pursuant to the ECA, an operator of publicly available electronic communication services must notify HAKOM and the AZOP of a data breach without delay. The notification must contain a description of the consequences of the breach and the measures proposed or taken to eliminate its cause. If the breach is likely to adversely affect personal data or privacy of service users or other natural persons, the operator must notify such persons of the breach without delay.

7.7. Data retention

The Act does not specify the timeframe nor the exemptions for retaining data.

The Bylaw prescribes the scope of personal data that the employer must collect for the purpose of keeping records of employees. The records are kept for the entire duration of employment and at least six years after its termination.

7.8. Children's data

The Act prescribes that a child's consent in relation to information society services is valid if the child is at least 16 years of age. This provision applies to children who are Croatian residents. If a child is under 16, the consent of their legal guardian (i.e. the holder of parental responsibility) must be obtained in compliance with the GDPR.

7.9. Special categories of personal data

Chapter IV of the Act contains the following national derogations regarding the processing of genetic and biometric personal data.

The Act prohibits the processing of genetic data for the purposes of calculating a risk of illnesses and other health aspects pertaining to the data subject in connection with life insurance or other contracts containing life expectancy clauses. This prohibition cannot be overridden by the data subject's consent. The prohibition applies to the data subjects concluding such contracts in Croatia if the controller is established or provides its services in Croatia.

The Act provides for additional restrictions regarding the processing of biometric data in both the public and private sectors. These provisions neither affect the DPIA obligation under Article 35 of the GDPR nor apply to the processing of biometric data for national security, defence, and intelligence purposes.

In relation to the public sector, a public authority may process biometric data if it is prescribed by statutory law and necessary for the protection of persons, property, classified data, or business secrets, provided that the interests of data subjects do not override the interests for the processing of their biometric data. It is presumed that the processing of biometric data is compliant if it is necessary to meet the obligations under international agreements in connection with the identification of persons crossing national borders.

In the private sector, biometric data may be processed solely if it is prescribed by statutory law and necessary for the protection of persons, property, classified data, business secrets, or for individual and safe identification of service users, provided that the interests of data subjects do not override the interests for the processing of biometric data. The processing of biometric data for safe identification of service users may be based solely on an express consent of such data subjects in compliance with the GDPR.

Further, employee biometric data may be processed for the purpose of keeping a record of working hours or entrance to and exit from the place of work, provided that it is prescribed by statutory law, or if an alternative manner of keeping such a record is available and subject to express consent of data subjects in compliance with the GDPR.

In relation to criminal conviction data, there are no derogations in the Act, while the national Act on Legal Consequences of a Conviction, Criminal Records, and Rehabilitation 2012 ('ACLC') (available only in Croatian here) has not been amended since the GDPR entered into force, i.e. its provisions have not been harmonised with the GDPR. It prescribes, inter alia, that criminal records are maintained by the Ministry of Justice and Administration, except for the records of juvenile offenders, which are maintained by the Ministry of Demography, Family, Youth and Social Policy. Direct access to criminal records is granted to courts and the State Attorney's Office, as well as to the police for the prevention, detection, and prosecution of criminal offences, subject to the provisions of the ACLC.

7.10. Controller and processor contracts

Provisions specified in the GDPR apply.

8. Data Subject Rights

8.1. Right to be informed

Provisions specified in the GDPR apply.

8.2. Right to access

Where personal data is processed for the purpose of producing official statistics, the entities producing official statistics are not obliged to grant data subjects the right of access to their personal data, the right to rectify their personal data, or the right to restrict the processing of their personal data. These derogations are permitted in order to secure the conditions necessary for producing official statistics, but only to the extent that such rights would be likely to render impossible or seriously impair the achievement of those purposes, and only insofar as the derogations are strictly necessary to achieve those purposes.

8.3. Right to rectification

Please refer to the section on the right to access above.

8.4. Right to erasure

Please refer to the section on the right to access above.

8.5. Right to object/opt-out

No national variation, the GDPR applies.

8.6. Right to data portability

No national variation, the GDPR applies.

8.7. Right not to be subject to automated decision-making

No national variation, the GDPR applies.

8.8. Other rights

No national variation, the GDPR applies.

9. Penalties

Pursuant to Article 83 of the GDPR, the Act prescribes that the AZOP must impose administrative fines for breaches of the GDPR and/or the Act. Administrative fines may not be imposed on governmental authorities. This exemption does not extend to legal entities with public powers or those providing public services, which may be fined, but the amount of the fines imposed on such legal entities may not jeopardise the performance of their public powers or public services. The AZOP imposes an administrative fine by a formal decision, which must determine the amount of the fine and the manner of its payment. The AZOP's decision may not be appealed, but an administrative dispute may be initiated before the competent administrative court. Administrative fines are paid into the state budget.

The AZOP's final decisions must be published on its official website without anonymisation of the offender's data if a decision is rendered for a breach of the GDPR or the Act in connection with the processing of personal data of children or special categories of personal data, or automatic decision-making or profiling, or in case of a repeated offender, or if the decision imposes an administrative fine higher than HRK 100,000 (approx. €13,198).

Besides the administrative fines prescribed in the GDPR, the Act prescribes an additional administrative fine against controllers and processors for violations of its provisions on video surveillance in the amount of HRK 50,000 (approx. €6,600). Further information on administrative fines is available in the section on territorial scope above.

As mentioned above, under the Criminal Code, unlawful storage, processing, and use of personal data is a criminal offence punishable by imprisonment of up to one year. Furthermore, the perpetrator may be punished by imprisonment for up to three years:

  • if the criminal offence was committed against a child;
  • for the processing of special categories of personal data or criminal or misdemeanour conviction data;
  • if the criminal offence was committed with the aim of obtaining a substantial illicit gain or causing significant damage;
  • if personal data was unlawfully transferred outside Croatia for further processing; or
  • if personal data was published or otherwise made available to third persons.

Finally, if the criminal offence is committed by a civil servant in the performance of their service or by a responsible person in the performance of a public service, they may be sentenced to imprisonment for a term ranging from six months to five years.

9.1 Enforcement decisions

There are no publicly available enforcement decisions in relation to data protection.
