• Insights

Croatia – The GDPR one year on

Written by
Divjak Topić Bahtijarević & Krka, Croatia’s largest corporate law firm, with one of the strongest employment practices in the country.
Since the implementation of the GDPR on 25 May 2018, data protection developments in Croatia include a campaign of awareness raising and the publication of guidance by the data protection authority and adjustments to national legislation.

The Croatian data protection authority (AZOP) has been among the most benevolent regulators in the EU. It has always concentrated on providing guidance and recommendations for compliance. Since the GDPR entered into effect, it has started conducting investigations, mainly in response to reports.

The AZOP publicised instructions on reporting data breaches along with a preferred reporting form. However, there is no publicly available information on any significant data breaches in Croatia or any fines imposed by the AZOP.

The General Data Protection Regulation Implementation Act was published in the Official Gazette No. 42/18. It contains additional restrictive provisions on the processing of genetic data and biometric data, as well as video surveillance, including in the workplace. For instance, in addition to the fines prescribed in the GDPR, a controller or a processor may be fined up to approximately EUR 6,730 for violating the provisions of the GDPR Implementation Act restricting video surveillance.

The national Labour Act and Work Safety Act also contain additional provisions on processing employee personal data, including on video surveillance. These provisions of the Labour Act predate the GDPR, but no amendments have been announced.

Different sector-specific laws and regulations also require certain categories of data about particular categories of data subjects to be stored or archived for maximum or minimum statutory periods.

In addition to the processing operations listed in Article 35(3) GDPR, the AZOP rendered a decision on processing operations requiring a data protection impact assessment (DPIA). The so-called ‘blacklist’ contains 13 types of processing which automatically require a DPIA.

There is no registration fee with the AZOP for controllers or processors. However, the AZOP will charge ‘commercial entities’ (such as law firms or consultants) for its opinions Data subjects, data protection officers, journalists, and public bodies are generally exempted from the fee, but the AZOP can charge a reasonable fee, depending on administrative costs or for unfounded, disproportionate, or excessively frequent requests.

The GDPR Implementation Act allows for so-called ‘class actions’ by non-profit organisations or associations acting in the public interest, protecting the rights and freedoms of data subjects.

GDPR is still causing confusion in the business sector. Although there is a general awareness of the GDPR and certain compliance requirements, our impression is that a significant share of the business and public sectors is not yet compliant, at least partially.

The AZOP has held numerous awareness events and presentations, particularly in 2018, while in 2019, it has published a number of opinions, recommendations and guidelines on the application of the GDPR. The most interesting and controversial topics include consent, the processing of children’s personal data, and processing in a marketing context.

Related Insights

Croatia – The GDPR one year on
The GDPR: one year on
United Kingdom