
Croatia
Data Protection
Introduction
In Croatia, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) applies. In addition, Croatia has adopted its GDPR Implementation Act (OG No. 42/2018) setting out certain country-specific rules (e.g. regarding age for a child’s consent in relation to information society services, as well as the processing of personal data through video surveillance).
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. It should also be noted that the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is governed by Directive (EU) 2016/680 of the European Parliament and of the Council and specific EU Member States’ transposing laws.
1. What national laws regulate the collection, use and disclosure of personal data?
Apart from the Croatian GDPR Implementation Act, sector-specific regulations set out certain particularities of personal data processing, including those described below.
The Croatian Electronic Communications Act and its bylaws set out data retention obligations for operators and, for example, prohibit the use of automated calling and communication systems without human intervention, facsimile machines or electronic mail, including short messaging system (SMS) and multimedia messaging services (MMS), for the purposes of direct marketing and sale without the data subject’s prior consent.
In the field of employment, personal data processing is also impacted by the Employment Act and its bylaws (e.g. Ordinance on the Content and Manner of Keeping Records on Employees, which prescribes the scope of personal data that the employer must collect for the purpose of keeping employees’ records).
The Act on Credit Institutions prescribes that regulations governing the protection of personal data apply to the processing of such data within the scope of activities of the credit institutions. Pursuant to its provisions, the Decision on Outsourcing has been adopted by the Croatian National Bank, imposing an obligation on the credit institutions that outsource services to a provider outside Croatia (in the EU or in a third country) to ensure that such data is processed in line with provisions of the GDPR.
Moreover, the Health Data and Information Act regulates rights, obligations and responsibilities of legal and natural persons in the healthcare system of the Republic of Croatia in the field of data management in healthcare.
The Croatian Consumer Protection Act reiterates the obligation of traders with respect to the processing of consumers’ personal data in line with the GDPR.
The Act on State Information Infrastructure envisages the obligation for the public registries to be stored in data centres located in Croatia. It applies to all public bodies and to all public registries.
The Act on the Protection of Natural Persons with regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties lays down respective rules including with respect to safeguarding against and the prevention of threats to public security.
Generally, when it comes to personal data processing for each sector, applicable specific regulations should be taken into account, especially when it comes to determining the legal basis for processing and retention periods.
2. To whom do the laws apply?
The laws primarily apply to data controllers (including joint data controllers) as well as data processors. In this respect, their roles are set out by the GDPR, as follows:
- “Data controller” includes the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by applicable EU or EU Member States’ law, the controller or the specific criteria for its nomination may be provided for by applicable EU or EU Member States’ law. Where two or more controllers jointly determine the purposes and means of processing, they are considered as joint controllers.
- “Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
3. What is the territorial scope of the law?
The respective regulations apply to Croatia-based data controllers. Moreover, in line with the GDPR, they also apply to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to:
- the offering of goods or services to data subjects in the European Union; or
- the monitoring of data subjects’ behaviour as far as their behaviour takes place within the European Union.
4. What acts and operations relating to personal data are regulated?
The GDPR defines the processing operations that are regulated. Accordingly, processing of personal data includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
5. What personal data does the law regulate?
The GDPR’s definition of personal data applies. Accordingly, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The principles of data protection generally do not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
On the other hand, personal data which has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. Thus, applicable regulations governing the protection of personal data apply to pseudonymised data.
6. Are any types of personal data subject to a higher level of protection under the law?
Yes, especially:
- data concerning health (personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about their health status);
- genetic data (personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question);
- biometric data (personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data);
- data on racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade union membership;
- data concerning a natural person’s sex life or sexual orientation;
- children’s data; and
- other types of personal data that could be considered “sensitive” or that are afforded additional legal protections (e.g. criminal offence and conviction data).
7. What requirements must be fulfilled in order to process personal data?
Legal bases for processing of personal data within the scope of the GDPR are listed as follows:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Where consent is used as a legal basis for processing, in order to be valid, amongst other requirements it must be given for one or more specific purposes, by a clear affirmative act, granular, freely given and informed (the data subject has to be provided with all information regarding the processing of their personal data based on contemplated consent prior to giving consent).
If given in the context of a written declaration which also concerns other matters (e.g. a contract or terms of use), the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language; otherwise the consent will not be considered a valid legal basis for processing. Certain categories and/or cases of processing of personal data (e.g. special categories of personal data) require explicit consent for the consent to be valid. Consent is also the legal basis generally relied on for marketing purposes.
In addition, the data subject has the right to withdraw their consent at any time, whereby the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Anonymised data used for, e.g. statistical or research purposes, is not within the scope of the GDPR.
8. What obligations apply when processing personal data?
The GDPR envisages principles relating to the processing of personal data that need to be complied with. Those principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Also, further to the provisions of the GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to ensure, and to be able to demonstrate, that processing is performed in accordance with the provisions of the GDPR. Those measures shall be reviewed and updated where necessary and include, inter alia and as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Related technical measures may include, according to the Croatian Personal Data Protection Agency (AZOP)’s guidance:
- Setting passwords and access rights to data, programs and equipment.
- Regular upgrading of the operating system and computer programs.
- Installing an antivirus program on devices.
- Data backups.
- Installing a firewall.
- Protection of access to the network infrastructure.
- Encryption of data and portable devices.
- Protection of data stored in paper form.
- Physical protection against unauthorised access.
- Internet router protection against unauthorised access.
- Protection of access to data from remote locations against unauthorised access.
- Access to equipment and programs via chip cards.
Organisational measures refer to internal acts and documents and may include:
- The Information Security Bylaw, which prescribes technical protection measures that are applied to protect data from unauthorised access in a business entity.
- The Bylaws regulating the processing of personal data, prescribing who processes personal data, for what purpose, the legal basis for processing, the scope of personal data that is processed, who has the right to access and process personal data, how long the data is kept and similar.
- The contractual clauses within an employment contract may define the collections of personal data that the employee will process and the rights they will have in relation to those data storage systems (or databases).
- The contractual clauses within a business co-operation agreement defining the collections of personal data that are the subject of the contract, the rights and obligations of each of the contracting parties regarding the processing of personal data, and which technical protection measures each of the parties undertakes to protect the data storage systems (databases).
- Declarations of confidentiality, stipulating that an employee of a business entity or an external collaborator gives a written statement that they will process personal data in accordance with the legal provisions on the protection of personal data, implement appropriate protection measures, and neither misuse the data nor disclose it to unauthorised third parties.
When it comes to breach notifications, the GDPR applies and envisages that in the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority of the personal data breach; where the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the details of the personal data breach to the data subject without undue delay. Also, the processor shall notify the controller without undue delay after becoming aware of a personal data breach.
In addition, further to the GDPR Implementation Act, when processing data through video surveillance, the data controller or data processor is obliged to mark that the premises or individual room within the premises and the outer surface of the premises are under video surveillance, and the notice must be visible at the latest when entering the recording perimeter.
The notice should contain all relevant information in accordance with the provisions of Article 13 of the GDPR, and in particular a simple and easy-to-understand image along with text that provides the following information to data subjects:
- that the space is under video surveillance;
- information on the data controller; and
- contact information through which the data subject can exercise their rights.
Further to the AZOP’s guidance, the rest of the information envisaged in Article 13 can be either placed on the surveillance notice or in another document easily accessible to the data subjects. If this is the case, the video surveillance notice should contain information on how data subjects can get this information.
The responsible person of the data controller and of the data processor and/or the person authorised by the same have the right of access to personal data collected through video surveillance. The authorised persons cannot use the recorded materials from the video surveillance system outside of, or contrary to, the purposes envisaged by the law. The video surveillance system must be protected against access by unauthorised persons. To that effect, the data controller and data processor are obliged to establish an automated record system for recording access to video surveillance recordings, which will contain the time and place of access, as well as the designation of the persons who accessed the data collected through video surveillance. The recordings obtained through video surveillance can be stored for a maximum of six months unless they are evidence in court, administrative, arbitration or other equivalent proceedings.
Finally, the Act on State Information Infrastructure envisages the obligation for public registries to be stored in data centres located in Croatia. It applies to all public bodies and to all public registries.
9. What rights does the data subject have in relation to personal data?
The rights data subjects have in relation to personal data are envisaged in the GDPR. Namely:
- Right of access. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient of data (in particular, recipients in third countries or international organisations and information on the appropriate safeguards in place), the envisaged period for which the personal data will be stored or the criteria used to determine that period, the existence of the right to request rectification or erasure of personal data or restriction of processing or to object to such processing, the right to lodge a complaint with a supervisory authority, the source of the information when personal data is not collected from the data subject, and the existence of automated decision-making, including profiling. The controller shall provide a copy of the personal data undergoing processing.
- Right to rectification. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them and the right to have incomplete personal data completed.
- Right to erasure. The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller shall have the obligation to erase personal data without undue delay if: the personal data is no longer necessary in relation to the initial purposes; the data subject withdraws consent and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data has been unlawfully processed; the personal data has to be erased for compliance with a legal obligation to which the controller is subject; or the personal data has been collected in relation to the offer of information society services.
- Right to withdraw consent. The right to withdraw the consent to the processing at any time, if the processing is carried out based on the consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to restriction of processing. The data subject shall have the right to obtain from the controller restriction of processing where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy, where the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead, where the controller no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise or defence of legal claims, and where the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability. The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller where the processing is based on consent or on a contract and the processing is carried out by automated means. Where technically feasible, the data subject shall have the right to have the personal data transmitted directly from one controller to another.
- Right to object. The right to object to the processing of personal data, where processing is based on a legitimate interest or was necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Right not to be subject to a decision based solely on automated processing. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
- Right to lodge a complaint with the supervisory authority. The Croatian Personal Data Protection Agency can be contacted as follows: Croatian Personal Data Protection Agency, Ulica grada Vukovara 54, 10000 Zagreb; 00385 (0)1 4609-000; 00385 (0)1 4609-099; www.azop.hr.
10. What rules regulate the sending of commercial or direct marketing communications?
The use of automated calling and communication systems without human intervention, facsimile machines or electronic mail, including SMS and MMS, for the purposes of direct marketing and sales requires the data subject’s prior consent. Consent for electronic messages is not required if the controller has received the personal data in connection with a transaction, the marketing communication concerns similar products and services, and the data subject has been given the opportunity to opt out both when the data was collected for this purpose and with every communication (soft opt-in).
Prior consent for the above communications for the purposes of direct marketing and sale to legal persons is not required. However, this is only applicable if such communications do not involve personal data (i.e. if you cannot identify an individual either directly or indirectly).
All electronic mails (including SMS and MMS) sent for the purposes of direct marketing and sales must correctly display and not conceal the identity of the sender on whose behalf the electronic mail or message is sent, and they should always have a valid electronic mail address or number to which the recipient may, free of charge, send a request that such communications cease.
In addition, the Croatian Consumer Protection Act envisages provisions in connection with unsolicited communication via telephone and/or messages. Namely, it is prohibited to make calls and/or send messages by telephone to consumers who have entered the registry of consumers who do not want to receive calls and/or messages in the context of advertising and/or sales by telephone (“do not call” registry). The registry is held by the Croatian Regulatory Authority for Network Industries (HAKOM), and it is available online at www.hakom.hr/.
The “do not call” registry applies only to consumers. Consumers are defined by the Croatian Consumer Protection Act as any natural person who enters a legal transaction or operates on the market outside of its trade, business, craft, or professional activity.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Any transfer of personal data which is undergoing processing or intended for processing after transfer to a third country (a country outside of the European Union or European Economic Area) or to an international organisation shall take place only if the conditions laid down in the respective provision of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
Namely, personal data may be transferred to third countries or an international organisation for which an adequacy decision has been issued by the European Commission (i.e. transfers based on an adequacy decision). This is the case where the European Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer does not require special approval. The European Commission compiles and publishes a list of third countries/organisations that provide an adequate level of personal data protection and to which personal data can be transferred without further restrictions. The list can be found at the following link: www.commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
If no such decision has been made by the European Commission, the data controller or processor may transfer personal data to a third country or international organisation only if the data controller or processor has foreseen appropriate protective measures/safeguards and on the condition that the data subject has enforceable rights and effective judicial protection available.
The appropriate safeguards on the basis of which it is possible to transfer personal data to third countries are exhaustively listed in the GDPR, and these are: legally binding instruments between public bodies, binding corporate rules, standard contractual clauses (standard data protection clauses adopted by the Commission, or standard data protection clauses adopted by a supervisory authority and approved by the Commission), approved codes of conduct and an approved certification mechanism. In addition, subject to authorisation from the competent supervisory authority, appropriate safeguards may also be provided by contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, and by provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
Exceptionally, in special situations and where data transfers are not of a regular type, it is possible to transfer personal data to third countries: with the consent of the data subject, if they were previously informed about the risks of the transfer; if the transfer is necessary for concluding or performing a contract concluded with the data subject or in their interest; if the transfer is necessary for important reasons of public interest or for legal requirements; if it is necessary to protect the vital interests of the data subjects and they cannot give their consent; or if the transfer is carried out from a register of public bodies in accordance with special regulations.
12. What are the investigatory and enforcement powers of the regulator?
Further to provisions of the GDPR, each supervisory authority has the following investigative powers:
- to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
- to carry out investigations in the form of data protection audits;
- to notify the controller or the processor of an alleged infringement of the GDPR;
- to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
It also has the following corrective powers:
- to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;
- to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
- to order the controller or the processor to comply with the data subject’s requests to exercise their rights pursuant to the GDPR;
- to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR;
- to order the controller to communicate a personal data breach to the data subject;
- to impose a temporary or definitive limitation including a ban on processing;
- to order the rectification or erasure of personal data or restriction of processing;
- to withdraw a certification, or to order the certification body to withdraw a certification issued, or not to issue certification if the requirements for the certification are not or are no longer met;
- to impose an administrative fine in addition to or instead of these measures; and
- to order the suspension of data flows to a recipient in a third country or to an international organisation.
In addition, further to the GDPR Implementation Act, authorised officials of the Croatian Personal Data Protection Agency (AZOP) can conduct announced or unannounced inspections independently and, in certain cases, with the participation of representatives of the visiting supervisory body. Authorised officials may, as necessary, make copies of available documents, copy all contents of the storage system and collect other relevant information. If this is not feasible, they may, where necessary, during the inspection/supervision seize the relevant storage systems and equipment containing other relevant information and keep them as long as necessary to make copies of that documentation, albeit no longer than 15 days from the day the storage system and equipment were seized. Authorised persons may seal storage systems or equipment during the inspection/supervision, to the extent necessary for the implementation of the supervision activities, if there is a risk of destruction or alteration of evidence, and for no longer than 15 days from the day of sealing the storage system or equipment. If, during the inspection/supervision, information is obtained or objects are found that indicate the occurrence of a criminal offence for which ex officio prosecution is envisaged, the authorised officials will inform the competent police station or the state attorney as soon as possible.
13. What are the sanctions and remedies for non-compliance with data protection laws?
According to the provisions of the GDPR, any violation of its provisions will be sanctioned by administrative fines, which will be imposed in addition to or instead of other sanctions such as warnings, prohibitions, restrictions, etc. Exceptionally, in the case of a minor violation committed by a natural person, where an administrative fine would represent a disproportionate punishment, a warning will be issued instead.
There are two sets of violations:
- for some violations (i.e. obligations of the data controller and data processor in respect of, among others, conditions applicable to a child’s consent in relation to information society services, processing which does not require identification, data protection by design and by default requirements, joint controller requirements, data processor specific requirements, records of processing activities requirements, security of processing requirements, notification of a personal data breach requirements, Data Protection Impact Assessment (DPIA) requirements and data protection officer (DPO) requirements), the prescribed sanction is an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and
- for other violations (i.e. obligations of the data controller and data processor in respect of the basic principles for processing (including conditions for consent), the data subjects’ rights, transfers to third countries, obligations pursuant to national law, non-compliance with an order by the supervisory authority or failure to provide access), the prescribed sanction is an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
When deciding whether to impose an administrative fine and the amount thereof in each individual case, due regard shall be given, among others, to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any relevant previous infringements, the degree of co-operation with the supervisory authority, the categories of personal data affected and similar.
In addition, pursuant to the GDPR Implementation Act, the following shall be punished with an administrative fine in the amount of up to HRK 50,000.00 (EUR 6,636.14):
- any data controller and data processor who do not mark the building, premises, parts of the premises and the external surface of the building in the manner prescribed by the GDPR Implementation Act;
- any data controller and data processor who do not establish an automated record system for recording access to video surveillance recordings, in accordance with the GDPR Implementation Act; and
- any persons authorised to access data who use recordings from the video surveillance system contrary to the law.