GDPR Guide to National Implementation: Croatia - A practical guide to national GDPR compliance requirements across the EEA

White & Case LLP (co-authors: Željka Rostaš Blažeković and Zrinka Knezić Poljanić, Porobija & Porobija)

Croatia

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • Act on the Implementation of the General Data Protection Regulation (in Croatian: Zakon o provedbi Opće uredbe o zaštiti podataka) (the “Implementation Act”)
    • Date in force: 25 May 2018
    • Link: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full.

———

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

There are no specific rules governing this issue.

———

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

There is no general provision in the law dealing with processing of personal data for the performance of tasks carried out in the public interest. However, CCTV of public areas can only be carried out by public authorities, entities vested with public powers and entities performing a public service, provided that such surveillance is prescribed by law and necessary for the performance of tasks and duties of public authorities, or for the protection of the life and health of individuals and property.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

See Q3(b) above.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

Further processing of health data is permitted for the purpose of archiving in the public interest, for scientific or historical research purposes or for statistical purposes, in the context of studying and monitoring the state of the health of the population, or for other purposes established by law.

———

Q4/ Consent of children

At what age can a child give their consent to processing in relation to information society services (ISS)?

16 years of age.

———

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

Under Croatian law, the processing of genetic data for the purposes of disease prognosis or other health aspects of the data subject is prohibited, even with the data subject’s consent, when that processing is undertaken in connection with the execution or performance of life insurance contracts and contracts with “survival-to-certain-age” clauses. The prohibition applies to data subjects entering into such contracts in Croatia, provided the processing is carried out by a controller with establishment in Croatia or by a controller that provides services in Croatia.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Provided the employee has given their explicit consent to the processing of biometric data in accordance with the GDPR, employees’ biometric data may be processed for the purpose of recording working hours and arrival and departure times, if such processing is prescribed by law or is carried out as an alternative to another solution for recording working hours or employees’ entry to and exit from the business premises.

(ii) Substantial public interest

Public authorities may process biometric data if permitted by the law and if necessary for the protection of persons, property, classified information or business secrets, provided that the data subjects’ interests do not override the purpose of such processing. Processing biometric data is lawful where it is necessary for the fulfilment of obligations under international treaties regarding the identification of individuals crossing the state border.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

The Croatian Act on Data and Information in the Health Care System regulates the processing of personal data within the healthcare system, and imposes GDPR-compliant principles in relation to such processing.

There must be a lawful purpose for the collection and processing of any health data, and the purpose of the collection must be associated with a direct or indirect positive effect on the health of the population.

Further processing of health data is permitted for the purpose of archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, in the context of studying and monitoring the state of the health of the population or for other purposes established by law.

(iv) Public interest in the area of public health

There are no specific rules on processing this category of data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

When processing personal data for official statistical purposes, statistics bodies are not obliged to grant the data subject’s rights of access, rectification, restriction of processing, or the right to object, to the extent that exercising those rights is likely to prevent or seriously jeopardise the achievement of the statistical purposes and where such derogations are necessary for the achievement of those purposes.

When transferring personal data to statistics bodies, controllers are not obliged to notify the data subjects about the transfer of personal data for statistical purposes.

Processing of personal data for statistical purposes is considered compatible with the purpose for which the personal data were initially collected, provided appropriate safeguards have been implemented.

Personal data processed for statistical purposes must not enable identification of the data subject to whom they relate.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

Processing of biometric data is permitted in the private sector, if permitted by the law or if necessary for the protection of persons, property, classified information, business secrets, or individual and secure identification of services users, provided that the data subjects’ interests do not override the purpose of such processing. When the processing of biometric data is carried out for the purpose of secure identification of service users, data subjects’ explicit consent is required as a legal basis for such processing.

In general, the provisions of the Implementation Act on the processing of biometric data:

  • apply to data subjects in the Republic of Croatia if the processing is carried out by a controller with establishment in the Republic of Croatia or providing services in the Republic of Croatia or by a public authority;
  • do not affect the obligation to carry out Impact Assessments in accordance with Art. 35 GDPR; and
  • do not apply to issues of national security.

———

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

In certain professions it is not lawful to employ persons convicted of specified criminal offences (e.g., in the fields of education, social welfare, private security and public service). Employers in these fields may be obliged to process personal data relating to criminal convictions or offences for the limited purpose of verifying eligibility for employment.

———

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure. However, personal data may be permanently retained in certain circumstances, including:

  • for employment purposes and the maintenance of records relating to current and former employees;
  • for the purposes of academic institutions retaining personal data relating to degrees and thesis; and
  • for the purposes of public bodies retaining personal data relating to politicians that have been given in their formal capacities.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

When transferring personal data to statistics bodies, controllers are not obliged to notify the data subjects about the transfer of personal data for statistical purposes.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

There are no additional restrictions on data subjects’ rights.

———

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

Impact Assessments are required in the following circumstances:

  • processing personal data for systematic and extensive profiling or automated decision-making in order to make conclusions that have or might have a significant impact on an individual and/or multiple persons or which assist in making a decision about someone’s access to a service or benefit (e.g., processing of personal data related to economic or financial status, health, personal preferences, interests, reliability, behaviour, location, etc.);
  • processing sensitive personal data for profiling or automated decision-making;
  • processing minors’ personal data for:
    • profiling;
    • automated decision-making;
    • marketing purposes; or
    • direct offering of services intended for children;
  • processing personal data collected from third parties that are taken into account for making decisions regarding the conclusion, termination, rejection or extension of service contracts to natural persons;
  • extensive processing of sensitive personal data or personal data on criminal or misdemeanour liability;
  • extensive processing of personal data by using systematic surveillance of publicly available areas;
  • use of new technologies or technological solutions for processing of personal data or with the possibility for processing of personal data (e.g., application of “Internet of Things” such as smart TVs, smart home appliances, communications networks connected with toys, smart cities operating systems, smart energy meters, etc.), which can analyse or predict economic trends, health, personal preferences or interests, reliability or behaviour, location or movement of natural persons;
  • processing biometric data, when at least one further criterion from the WP 248 rev. 01 Guidelines (used to assess whether processing operations are likely to result in a high risk to the rights and freedoms of data subjects) is also met;
  • processing genetic data, when at least one further criterion from the WP 248 rev. 01 Guidelines is also met;
  • processing personal data by linking, comparing or verifying matching from multiple sources;
  • processing personal data in a way that involves monitoring the location or behaviour of an individual in the case of systematic processing of communication data (metadata) generated by the use of telephone, internet or other communication channels such as GSM, GPS, Wi-Fi, monitoring or processing of location data;
  • processing personal data by using devices and technologies in which an incident may endanger the health of an individual or multiple persons; and
  • processing personal data of employees using applications or monitoring systems (e.g., processing of personal data for monitoring work, movement, communication, etc.).

———

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

DPOs are not subject to secrecy obligations under national law.

———

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———

Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Personal Data Protection Agency (Agencija za zaštitu osobnih podataka)
    • Address: Martićeva ulica 14, HR - 10 000 Zagreb, Croatia
    • Website: azop.hr

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

Under the Implementation Act, the DPA has the following additional powers:

  • it establishes criteria for determining the amount of administrative fees and remuneration related to its activities, to excessive requests by data subjects, and to the issuance of opinions to business entities (such as law firms, consultants, etc.);
  • it may initiate and has the right to participate in criminal, misdemeanour, administrative and other court or out-of-court proceedings against violators of the GDPR or Implementation Act;
  • it publishes individual decisions and opinions on its web page;
  • it monitors the application of EU Directive 2016/680 as an independent DPA;
  • it may initiate proceedings before the High Administrative Court of the Republic of Croatia where it doubts the validity of the Commission’s decision on adequacy and/or standard contractual clauses; and
  • it supervises the implementation of the Implementation Act.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Decisions made by the DPA may not be challenged via an appeal but rather by filing a claim before the competent administrative court.

The same procedure applies regarding decisions made by the DPA on imposing administrative fines.

If a deletion or other irrevocable removal of personal data has been ordered by the DPA, a party may request the administrative court to delay the enforcement of that part of the decision provided it proves to the court that a new collection of those personal data would require disproportionate efforts.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

Processing of classified data must be carried out in accordance with applicable law, and can normally only be carried out by officials who have a valid certificate for access to classified data.

———

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Without prejudice to Art. 58 GDPR, a public authority may not be subject to an administrative fine for violation of the GDPR or the Implementation Act. On the other hand, legal entities vested with public authority and legal entities performing public services may be subject to administrative fines, but such fines must not jeopardise the performance of the public service.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

Under the Implementation Act, the DPA may publish on its website, without redacting the offender’s data, its final decision on certain personal data infringements.

Pursuant to the Croatian Criminal Code, unauthorised use of personal data is a criminal offence punishable by imprisonment for up to three years. Pursuant to the Law on Responsibility of Legal Persons for Criminal Acts, a legal entity may face fines for criminal offences up to HRK 8 million (approx. €1 million).

———

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

There are no specific provisions governing this issue.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

There are no specific provisions governing this issue.

———

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

There is no single provision in the law dealing with processing of the national identification number (the “OIB number”). Instead, the processing of this category of personal data is governed by sector-specific provisions. For example, the Insurance Act prescribes that insurance companies and the Croatian Insurance Bureau are permitted to process OIB numbers or other applicable identifiers that uniquely identify a data subject for the purposes of concluding and executing the insurance contract and exercising the legal rights of the insurer.

———

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

The Labour Act provides that employees’ data may be collected, processed, used or delivered to third parties only if permitted by the Labour Act or another law, or if it is necessary for the exercise of rights and obligations arising from the employment relationship.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

Under the Labour Act, employers who have an internal employment rulebook or are obliged to have one under the law (i.e., any organisation with 20 employees or more) have an obligation to determine the rules for processing employees’ personal data, in advance, in the employment rulebook.

Prior approval by a works council is needed for the collection, processing, use and transfer to third parties of employees’ personal data. In cases where a works council is not established, a union representative will take over the role of the works council. In cases where there is no works council or union representative, the employer is free to act without obtaining any prior approval with respect to collection, processing, use and transfer to third parties of employees’ personal data.

All employers having at least 20 employees are obliged to appoint person(s) who are authorised to:

  • supervise the lawful collection, processing, use and delivery to third parties of employees’ personal data; and
  • receive and handle complaints related to the dignity of employees.

The Labour Act and related laws set out further safeguards to protect employees’ dignity, as well as judicial remedies where an employer has failed to protect an employee’s dignity.

Any employer, and any person who has access to employees’ personal data in the course of performing his or her duties, is obliged to keep such data permanently confidential. Additionally, all information obtained in any procedure related to the protection of employees’ dignity is confidential.

———

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

The Implementation Act imposes certain restrictions on the processing of personal data via CCTV. Such processing may be carried out only when it is necessary and justified for the protection of persons and property, and provided that the data subjects’ interests do not override that purpose.

Controllers conducting CCTV are obliged to:

  • properly inform data subjects of the surveillance, at the latest from the moment they enter the monitored area;
  • ensure that person(s) granted the authority to access personal data collected via CCTV do so strictly in accordance with the purpose of the collection;
  • establish an automated recording system to properly evidence access to the video recordings; and
  • keep recordings for no longer than six months, unless the data is necessary for the purposes of judicial, arbitral or similar proceedings.

The Implementation Act further prescribes additional rules for CCTV of employees, requiring that such surveillance be compliant with the Work Safety Act. Employees must be appropriately informed in advance before the CCTV is implemented.

Also, the Implementation Act prescribes additional rules for CCTV of residential buildings as well as for CCTV of public areas.

In addition, the DPA has issued a decision requiring DPOs to be registered with the DPA via a prescribed form. The form requires submission of details regarding the controller (name, registered seat, OIB number, and data relating to the appointment of the DPO) and the DPO (name, address and place of work, capacity if he or she is not an employee of the controller and/or the processor, and business contact details). The original form should be signed by the responsible person at the controller and/or the processor and should be delivered via regular post to the DPA.

———

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA has yet to take enforcement action for breaches of the GDPR.

———

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

At present, the DPA has issued the following guidance and decisions:

  • general guidance on the implementation of the GDPR (see here);
  • decision on types of processing requiring an Impact Assessment to be performed (see here); and
  • decision regarding registering the DPO with the DPA (see here).

———


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising
