[co-authors: Željka Rostaš Blažeković and Zrinka Knezić Poljanić, Porobija & Porobija ]
Q1/ Applicable legislation
Q2/ Personal data of deceased persons
Q3/ Legal bases for processing
Q4/ Consent of children
Q5/ Processing of sensitive personal data
Q6/ Data relating to criminal offences or convictions
Q8/ Restrictions on data subjects’ rights
Q9/ Joint controllership
Q11/ Data Protection Impact Assessments
Q12/ Prior authorisation and public interest
Q14/ International data transfers
Q16/ Claims by not-for-profit bodies
Q17/ Administrative fines, penalties and sanctions
Q18/ Freedom of expression and information
Q19/ National identification numbers
Q20/ Processing in the context of employment
Q21/ Other material derogations
Q22/ Current legal challenges
Q24/ Regulatory Guidance
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation has been passed.
(b) Relevant legislation includes:
(c) What is the status of national pre-GDPR data protection law?
The relevant pre-GDPR legislation has been repealed in full.
Does national law make specific rules regarding the processing of personal data of deceased persons?
There are no specific rules governing this issue.
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
There is no general provision in the law dealing with processing of personal data for the performance of tasks carried out in the public interest. However, CCTV of public areas can only be carried out by public authorities, entities vested with public powers and entities performing a public service, provided that such surveillance is prescribed by law and necessary for the performance of tasks and duties of public authorities, or for the protection of the life and health of individuals and property.
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
See Q3(b) above.
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
Further processing of health data is permitted for the purpose of archiving in the public interest, for scientific or historical research purposes or for statistical purposes, in the context of studying and monitoring the state of the health of the population, or for other purposes established by law.
At what age can a child give their consent to processing in relation to ISS?
16 years of age.
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
Under Croatian law, the processing of genetic data for the purposes of disease prognosis or other health aspects of the data subject is prohibited, even with the data subject’s consent, when that processing is undertaken in connection with the execution or performance of life insurance contracts and contracts with “survival-to-certain-age” clauses. The prohibition applies to data subjects entering into such contracts in Croatia, provided the processing is carried out by a controller with establishment in Croatia or by a controller that provides services in Croatia.
(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
Provided the employee has given his explicit consent for processing of biometric data in accordance with the GDPR, employees’ biometric data may be processed for the purpose of recording working hours and arrival and departure times, if such processing is prescribed by the law or is carried out as an alternative to another solution for recording working hours or employees’ ingress and egress from the business premises.
(ii) Substantial public interest
Public authorities may process biometric data if permitted by the law and if necessary for the protection of persons, property, classified information or business secrets, provided that the data subjects’ interests do not override the purpose of such processing. Processing biometric data is lawful where it is necessary for the fulfilment of obligations under international treaties regarding the identification of individuals crossing the state border.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
The Croatian Act on Data and Information in the Health Care System regulates the processing of personal data within the healthcare system, and imposes GDPR-compliant principles in relation to such processing.
There must be a lawful purpose for the collection and processing of any health data, and the purpose of the collection must be associated with a direct or indirect positive effect on the health of the population.
Further processing of health data is permitted for the purpose of archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, in the context of studying and monitoring the state of the health of the population or for other purposes established by law.
(iv) Public interest in the area of public health
There are no specific rules on processing this category of data.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
When processing personal data for official statistical purposes, statistics bodies are not obliged to ensure the data subject’s rights of access to personal data, rectification of personal data, restriction of processing, or the right to object to the processing, to the extent that such rights are likely to prevent or seriously jeopardise the achievement of the official statistical purposes and where deviations from such rights are indeed necessary for the achievement of those purposes.
When transferring personal data to statistics bodies, controllers are not obliged to notify the data subjects about the transfer of personal data for statistical purposes.
Processing of personal data for statistical purposes is considered compatible with the purpose for which the personal data were initially collected, provided appropriate safeguards have been implemented.
Personal data processed for statistical purposes should not enable identification of the data subject to whom they relate.
(c) Has national law introduced any further conditions and/or limitations with regard to the processing of genetic data, biometric data, or health data?
Processing of biometric data is permitted in the private sector, if permitted by the law or if necessary for the protection of persons, property, classified information, business secrets, or individual and secure identification of services users, provided that the data subjects’ interests do not override the purpose of such processing. When the processing of biometric data is carried out for the purpose of secure identification of service users, data subjects’ explicit consent is required as a legal basis for such processing.
In general, the provisions of the Implementation Act on the processing of biometric data:
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
Processing of personal data related to criminal convictions or offences may be carried out by employers for the purposes of employment in specific industries such as education, social welfare, private security or public service.
In some professions it is not lawful to employ persons convicted of certain criminal offences (e.g., in the field of education, social welfare, private security, public service, etc.). Employers in these fields may be obliged to process personal data relating to criminal convictions for these limited purposes.
(a) Does national law specify exemptions to a data subject’s right to erasure?
There are no specific exemptions to the right to erasure. However, personal data may be permanently retained in certain circumstances, including:
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
There are no specific exemptions to the right to not be subject to automated individual decision-making.
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
There are no additional restrictions on data subjects’ rights.
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on apportionment of liability between joint controllers.
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
There are no additional pieces of legislation.
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
Impact Assessments are required in the following circumstances:
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
DPOs are not subject to secrecy obligations under national law.
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
Data transfers are not subject to restrictions beyond those set out in the GDPR.
(a) Details of the DPA(s).
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
Under the Implementation Act, the DPA has the following additional powers:
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
Decisions made by the DPA may not be challenged via an appeal but rather by filing a claim before the competent administrative court.
The same procedure applies regarding decisions made by the DPA on imposing administrative fines.
If a deletion or other irrevocable removal of personal data has been ordered by the DPA, a party may request the administrative court to delay the enforcement of that part of the decision provided it proves to the court that a new collection of those personal data would require disproportionate efforts.
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
Processing of classified data must be carried out in accordance with applicable law, and can normally only be carried out by officials who have a valid certificate for access to classified data.
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
Without prejudice to Art. 58 GDPR, a public authority may not be subject to an administrative fine for violation of the GDPR or the Implementation Act in proceedings conducted against it. On the other hand, legal entities vested with public authority and legal entities performing public services may be subject to administrative fines, but such fines must not jeopardise the performance of the public service.
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
Under the Implementation Act, the DPA may publish on its website, without redacting the offender’s data, its final decision on certain personal data infringements.
Pursuant to the Croatian Criminal Code, unauthorised use of personal data is a criminal offence punishable by imprisonment for up to three years. Pursuant to the Law on Responsibility of Legal Persons for Criminal Acts, a legal entity may face fines for criminal offences up to HRK 8 million (approx. €1 million).
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
There are no specific provisions governing this issue.
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
There is no single provision in the law dealing with processing of the national identification number (the “OIB number”). Instead, sector-specific laws contain their own provisions on processing this category of personal data. For example, the Insurance Act prescribes that insurance companies and the Croatian Insurance Bureau are permitted to process OIB numbers or other applicable identifiers that uniquely identify a data subject for the purposes of concluding and executing the insurance contract and exercising the legal rights of the insurer.
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
The Labour Act provides that employees’ data may be collected, processed, used or delivered to third parties only if permitted by the Labour Act or another law, or if it is necessary for the exercise of rights and obligations arising from the employment relationship.
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
Under the Labour Act, employers who have an internal employment rulebook or are obliged to have one under the law (i.e., any organisation with 20 employees or more) have an obligation to determine the rules for processing employees’ personal data, in advance, in the employment rulebook.
Prior approval by a works council is needed for the collection, processing, use and transfer to third parties of employees’ personal data. In cases where a works council is not established, a union representative will take over the role of the works council. In cases where there is no works council or union representative, the employer is free to act without obtaining any prior approval with respect to collection, processing, use and transfer to third parties of employees’ personal data.
The Labour Act and related laws set out further safeguards to protect employees’ dignity, as well as judicial remedies where an employer has failed to protect an employee’s dignity.
Any employer, and any person who, during the performance of his or her duties, has access to employees’ personal data, is obliged to keep such data permanently confidential. Additionally, all information procured in any procedure related to the protection of employees’ dignity is confidential.
Are there any other material derogations from, or additions to, the GDPR under national law?
The Implementation Act imposes certain restrictions on processing personal data via CCTV. It may be carried out only when it is necessary and justified for the protection of persons and property, provided that the data subjects’ interests do not override the processing of biometric data.
Controllers conducting CCTV are obliged to:
The Implementation Act further prescribes additional rules for CCTV of employees, requiring that such surveillance be compliant with the Work Safety Act. Employees must be appropriately informed in advance before the CCTV is implemented.
Also, the Implementation Act prescribes additional rules for CCTV of residential buildings as well as for CCTV of public areas.
In addition, the DPA has issued a decision requiring DPOs to be registered with the DPA via a prescribed form. The form requires submission of details regarding the controller (name, registered seat, OIB number, and data relating to the appointment of the DPO) and the DPO (name, address and place of work, capacity if he or she is not an employee of the controller and/or the processor, and business contact details). The original form should be signed by the responsible person at the controller and/or the processor and should be delivered via regular post to the DPA.
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
There are no current legal challenges ongoing.
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has yet to take enforcement action for breaches of the GDPR.
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
At present, the DPA has issued the following guidance and decisions: