CROATIA

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name: Zakon O Provedbi Opce Uredbe O Zastiti Podataka

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING REQUIREMENT:

1. Age: A user must be at least 16 years old to consent to information society services directed at children (Art 19(1) Croatian Act).

2. Territorial Scope of Application: It is explicitly set forth that the consent rule shall apply to a child resident in Croatia (Art 19(2) Croatian Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

DEVIATING REQUIREMENT:

1. Genetic Data Processing: The processing of genetic data to assess health conditions for the purpose of life insurance contracts is prohibited. The prohibition cannot be lifted with the consent of the data subject (Art 20(1) Croatian Act). This applies to data subjects concluding life insurance agreements in Croatia with a data controller that is established in Croatia or provides services there (Art 20(4) Croatian Act).

2. Biometric Data Processing: Public authorities and private companies may process biometric data if (1) there is a legal basis for it; (2) it is necessary to protect natural persons, confidential information, or trade secrets; and (3) the interests of the data subject involved have been taken into account (Art 21(1) Croatian Act). Public authorities may also process biometric data when it is necessary for border control (Art 21(2) Croatian Act).

3. Employee Biometric Data Processing: The processing of biometric data of employees is allowed for the purpose of monitoring employment performance (working hours) and access control (company premises) if there is a legal basis for it or the employee gives explicit consent and the biometric data processing serves as an alternative to other means of performing these types of monitoring (Art 23 Croatian Act).

4. Territorial Application of Biometric Data Processing: The provisions on biometric data processing in the Croatian Act apply to data subjects if processing is carried out by a data controller that is established or providing services in Croatia or by a public authority (Art 24(1) Croatian Act). They do not apply to public defense, national security, and national intelligence services (Art 24(3) Croatian Act).

CCTV (ART 6)

ADDITIONAL REQUIREMENT:

1. General Scope and Purposes: The processing of personal data through video surveillance can only be carried out for security reasons and to the extent overriding interests of the data subject do not prevail (Art 26(1) Croatian Act). Video surveillance may cover the inside and external façade of a building, parts of a building, and inside public transportation (Art 26(2) Croatian Act).

2. Notice: The controller or processor is responsible for signage indicating which parts of the premises are under video surveillance. This signage should be put up and made clear to the data subject at the latest when entering the area under video surveillance (Art 27(1) Croatian Act). This signage should contain all information required in light of transparency under the GDPR, but in particular an easily understandable pictogram with the following: (1) the fact that the space is under surveillance; (2) information about the controller; and (3) contact information through which the data subject can exercise his rights (Art 27(2) Croatian Act).

3. Security and Data Subject Rights: The CCTV images must be subject to access control to restrict access to authorized persons (the controller and processor are responsible for setting up a system that logs date and time stamps of each access to the CCTV images and who has obtained access). Competent authorities will be granted access to CCTV images in the context of the exercise of their duties (Art 28 Croatian Act).

4. Retention Period: Records obtained through CCTV can be stored for a maximum of six months unless an applicable law prescribes a longer retention term or if the records are evidence in judicial, administrative, or arbitration proceedings (Art 29 Croatian Act).

5. CCTV in the Workplace: This is permitted provided applicable health and safety regulations are taken into account and the employees were adequately informed of the use of CCTV. CCTV cannot cover changing rooms, relaxation and resting areas, or bathrooms (Art 30 Croatian Act).

6. CCTV in Residential Buildings: To the extent a residential or commercial property is subject to co-ownership, two-thirds of co-owners must agree to the installation of a CCTV system in order for it to be placed. Only entrances, exits, and common areas can be covered by the CCTV (Art 31 Croatian Act).

7. CCTV in Public Areas: This is only permitted when carried out by public authorities, when it is prescribed by law and necessary for the performance of tasks of the public authority, or for public interests (Art 32 Croatian Act).

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

DEVIATING REQUIREMENT:

Processing for Statistical Purposes: When personal data is processed by public bodies for the purpose of producing statistics, such bodies are not obliged to grant the rights of access, rectification, restriction of processing, or objection where this is strictly necessary for statistical purposes. In addition, data controllers are not required to inform data subjects about data transfers when necessary for statistical purposes (Art 33 Croatian Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

SPECIFYING REQUIREMENT:

Accreditation: The national accreditation body designated on the basis of Regulation (EC) No. 765/2008 (on accreditation and market surveillance relating to the marketing of products) shall be responsible for the accreditation of certification bodies (Art 5 Croatian Act).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING REQUIREMENT:

1. Initiation: A procedure before the Croatian supervisory authority may be initiated upon individual request. The authority shall make a decision on this request (against which no appeal can be filed) (Art 34 Croatian Act).

2. Removal of Data: To the extent the deletion/removal of data is ordered, disproportionate deletion/removal can be contested (Art 35 Croatian Act).

3. Investigation: On-site investigations may be carried out by the authority; its members will present proof of identification when they perform the investigation. The authority may request assistance from the Ministry of Internal Affairs to the extent there is resistance to the investigation (Art 36 Croatian Act). The authority may make all copies and duplications and collect all other information it deems necessary. It can also seize storage systems or equipment for a maximum period of 15 days or seal those systems when strictly necessary. In those instances, it will draw up an official report detailing the need for these measures (Art 37 Croatian Act). The authority will also draw up minutes of the entire investigation detailing the course of action of the investigation (Art 40 Croatian Act).

4. Confidential Data: Data covered by confidentiality (such as legal privilege) pursuant to a specific legislative regime will only be copied or accessed by the authority in line with that regime and will be accessed in the presence of public officials who are certified to access that data (Art 38 Croatian Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

ADDITIONAL REQUIREMENT:

1. No Appeal: The Croatian supervisory authority determines the amount and payment modalities of the administrative fine in a decision, which is not open to appeal with the authority. The defendant may, however, commence proceedings before the competent administrative court (Art 45 Croatian Act).

2. Seizure: If the defendant fails to pay the administrative fine imposed on it when due, the authority may inform the competent Regional Office of Tax Administration, which is authorized to obtain payment through seizure (Art 46 Croatian Act).

3. Exception for Public Authorities: No administrative fines may be imposed on public authorities (Art 47 Croatian Act).

4. CCTV Fines: Controllers and/or processors can be fined 50,000.00 HRK if (1) they do not indicate which parts of the premises are covered by CCTV; (2) no automatic recording/logging system is installed that logs access to CCTV recordings; and (3) CCTV recordings are used for purposes other than those mentioned in the Croatian Act (Art 51 Croatian Act).

PENALTIES (ART 84)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

DEVIATING REQUIREMENT:

Statistical Data Processing: Data must be de-identified when included in statistical reports (Art 33 Croatian Act).

OBLIGATIONS OF SECRECY (ART 90)

ADDITIONAL REQUIREMENT:

SA Members: Officials and directors of the Croatian supervisory authority itself will be subject to fines if they do not respect the obligation to keep secret any confidential information they learn in the performance of their function at the authority.

LOCAL DPA GUIDANCE & LEGAL SOURCES