The Privacy, Data Protection and Cybersecurity Law Review: Croatia
The Croatian Constitution, which entered into force on 22 December 1990, established privacy and protection of personal data as fundamental rights, stipulating legal protection of personal and family life, home, dignity, reputation and honour2 and in addition guaranteeing the security and confidentiality of personal data.3 Pursuant to the wording of the Constitution, personal data may be processed and used only with the data subject's consent or in accordance with the conditions prescribed by law. Additionally, the use of personal data contrary to the established purpose of their collection is prohibited.4
The Constitution established protection of personal data as a fundamental right. However, the implementation and further development of personal data protection legislation was lacking until 2003 when the Croatian parliament, under the influence of the Directive 95/46/EC5 and the Council of Europe Treaty 108,6 adopted the Personal Data Protection Act,7 which established the Croatian Data Protection Agency (CPDPA), and until 2018 represented the general fundamental framework law regulating the field of data protection in Croatia.8
Since Croatia joined the EU on 1 July 2013, the EU acquis communautaire also became a part of the Croatian legal system. Particularly important is the Charter of Fundamental Rights of the European Union9 (the Charter) which has foreseen the protection of personal data as a fundamental right, therefore stipulating that personal data may be processed only if 'processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law'.10 Moreover, the Charter has also envisaged as fundamental rights the right to access and the right to rectify one's own personal data in addition to the obligation that an independent authority supervise compliance with the data protection rules. In May 2016, what is known as the EU data protection package,11 that is, Regulation (EU) 2016/67912 (GDPR) and Directive (EU) 2016/68013 (DPLED), was adopted and alongside the Directive 2002/58/EC14 (the ePrivacy Directive), which established a harmonised framework in the EU for the protection of online privacy, represents a fundamental data protection legal framework in the EU. At the time of writing, the ePrivacy Regulation15 has still not been adopted.
In order to comply with the GDPR and DPLED, the Croatian parliament adopted the General Data Protection Regulation Implementation Act16 (the Implementation Act), which entered into force on the same day as the GDPR, and the Act on the protection of natural persons with regard to the processing and exchange of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (the DPLED Implementation Act)17 entering into force shortly afterwards. The provisions of the ePrivacy Directive were transposed in the Croatian legal system through the Croatian Electronic Communications Act (ECA).18
Despite the general framework regarding the protection of personal data established by GDPR together with the Implementation Act, sector-specific acts (e.g., the Labour Act, ECA, Act on Data and Information in Health Care, Insurance Act) still provide data protection particularities generally regarding the means of processing or processing purpose.
To the best of our knowledge, no Croatian NGOs or self-regulatory industry groups have taken any significant actions regarding privacy and protection of personal data.
Regarding Croatia's approach to cybersecurity, on 7 October 2015, the Croatian government adopted the National Cybersecurity Strategy with the accompanying action plan for carrying it out. Its 'ultimate goal . . . [is] to facilitate efficient execution of the laws and regulations and the protection of democratic values in the virtual dimension of contemporary society, i.e. cybernetic space'.19 Furthermore, the Act on Cybernetic Security of Key Services Providers and Digital Service Providers (the Cybernetic Security Act)20 implementing Directive (EU) 2016/114821 entered into force on 26 July 2018, and along with the Ordinance on Cybernetic Security of Key Services Providers and Digital Service Providers (the Cybernetic Security Ordinance), which entered into force on 4 August 2018, further regulates the measures and procedure regarding the safety of key service providers and digital service providers, establishing the general framework of cybersecurity regulation in Croatia.
The year in review
In 2020, the CPDPA imposed its first administrative fine upon an unnamed bank for an unknown amount for not delivering credit documentation regarding consumer loans in Swiss francs to the respective consumers.
The rest of 2020 has so far been focused on processing of personal data in the context of covid-19. The CPDPA has issued an opinion in which it has stated that the employer may process covid-19-related personal data on the basis of the legal obligation to comply with the Occupational Safety and Health Act and the Labour Act.22 Furthermore, the CPDPA reminded that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and it must be equated with other fundamental rights in accordance with the principle of proportionality.23
i Privacy and data protection legislation and standards
The GDPR defined all the relevant main terms and the Implementation Act has unambiguously by a general provision24 accepted those terms defined in GDPR as its own. Therefore, there are no deviations regarding their meaning from the meanings ascribed to them by GDPR.
Pursuant to GDPR, two types of personal data exist, personal data and special categories of personal data (i.e., sensitive data).
Personal data is defined as 'any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.25
Personal data 'revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation'26 are considered as sensitive data and generally the processing of such data is prohibited, except when done pursuant to the exceptions prescribed in the GDPR and under certain conditions if they are prescribed by national legislation. As prescribed by the GDPR, national legislation may particularly 'introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health'.27 The Implementation Act has introduced further conditions regarding the processing of the foregoing.
Under the GDPR and the Implementation Act the entity (natural or legal person) that determines the purpose and means of processing of personal data is considered a 'controller',28 while the entity that processes on behalf of the controller is considered a 'processor'.29 Processing 'means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'.30
The Implementation Act prescribed that the CPDPA shall act as a supervisory authority under the GDPR and DPLED and also as an accreditation body under the Regulation (EC) No. 765/2008,31 the internal requirements and scope of work of the CPDPA, the CPDPA's rules of procedure and legal remedies against the CPDPA's decision, additional requirements for the processing of personal data regarding children, genetic data, biometric data, processing data by video surveillance and processing data for statistical purposes.
ii General obligations for data handlers
Both controllers and processors who process personal data of data subjects who are in the EU, regardless of where the processing occurs and therefore including entities established outside the EU that process personal data as controllers or processors, offer goods in the EU or monitor the behaviour of data subjects in the EU as far as their behaviour takes place within the EU, must comply with the provisions of the GDPR.32
Furthermore, GDPR 'applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system', save when processing occurs in the course of purely personal or household activity, in the course of an activity that falls outside the scope of EU law, when Member States of the EU carry out activities that fall within the scope of Chapter 2 of Title V of the TEU,33 by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.34
Namely, in order to comply with the GDPR, personal data should be processed in accordance with the principles laid down under the GDPR, therefore entities processing personal data must:
- have a legal basis for processing as prescribed under the GDPR (the 'principle of lawfulness'), and so must provide one of the following legal bases:
  - have the data subject's consent;
  - be necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  - comply with the controller's legal obligation under law;
  - be necessary for protection of the data subject's or another natural person's vital interest;
  - be necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller; or
  - be a legitimate interest pursued by the controller or third party;35
- have a specified, explicit and legitimate purposes for processing (e.g., for marketing, provision of services) ('purpose limitation principle');
- collect accurate and when necessary up to date personal data ('accuracy principle');
- refrain from collecting excessive personal data that is not relevant for the purpose of processing ('data minimisation principle');
- process the personal data in a secure way, particularly protect the personal data from unauthorised access and destruction or loss of personal data ('integrity and confidentiality principle');
- keep the personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes ('storage limitation principle'); and
- inform the data subject of all the relevant information (as applicable in Articles 13 and 14 of the GDPR) regarding the processing of the data subject's personal data in a way that would not deceive or mislead data subjects regarding the processing of their personal data (the 'transparency principle' and 'fairness principle').
When an entity acts as a controller, it must be able to demonstrate compliance with all the aforementioned principles applicable when processing the data subject's personal data (the 'accountability principle').36
Particularly important for complying with the GDPR is the controller's obligation to notify the data subject regarding the processing of his or her personal data. Notifications to the data subject should contain information understandable to the data subject, inter alia, regarding the identity of the controller, contact details of the data protection officer, purposes of processing and intended legal basis of processing, categories of personal data, recipients of personal data, intention regarding the transfer of personal data to recipients in third countries, existence and enforcement of the data subject's rights and others as prescribed under Articles 13 or 14 of the GDPR.
Furthermore, under the GDPR, a record of processing activities must be established by controllers employing 250 or more persons or when processing is not occasional and shall likely result in a risk to rights or freedoms of the data subject or when sensitive data are being processed.
Controllers and processors that process personal data carried out by a public authority or body, except for courts acting in their judicial capacity shall have the obligation to designate a data protection officer (DPO) when their core activities consist of:
- processing operations that by virtue of their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale; or
- processing sensitive data and personal data relating to criminal convictions and offences on a large scale.37
Even though the DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract, the DPO should also have professional qualities and, in particular, expert knowledge of data protection law.38 DPOs directly report to the highest management level of the controller or the processor; however, in performing their task they do not receive any instructions regarding the exercise of their tasks from the controller or processor.39 DPOs, inter alia, inform and advise the controller or the processor regarding their obligations under the law, monitor compliance with respective data protection provisions and internal data protection policies, provide advice where requested on the data protection impact assessment and communicate with the supervisory authority.40
Pursuant to the previous Croatian Data Protection Act, controllers had the obligation to establish a personal data database and deliver to the CPDPA records regarding personal data databases;41 however this obligation has been removed under the GDPR and Implementation Act.
iii Data subject rights
Data subjects under Articles 15–22 of the GDPR, with alterations depending on the basis of processing, have the following rights:42
- the right of access: the data subject's right to obtain from the controller a confirmation of whether the personal data relating to the data subject are processed by the controller and, if the controller processes the data subject's personal data, to gain access to the data subject's personal data and information regarding, inter alia, processed personal data, the purpose of processing, storage period, categories of recipient and particularly deliveries to third countries, etc.;
- the right to rectification: the data subject's right to rectify his inaccurate personal data with the controller and supplementing additional personal data to the controller, including by providing a supplementary statement;
- the right to erasure ('right to be forgotten'): the data subject's right to obtain without undue delay the erasure of his or her personal data from the controller such as (1) when the processing of personal data is no longer necessary to the controller; (2) data subject withdrew its consent and the processor has no other legal ground for processing; or (3) personal data have been unlawfully processed. However, the subject's right to erasure shall not apply to the extent that processing is necessary for, inter alia, exercising the right of freedom of expression and information and for the establishment, exercise or defence of legal claims;
- the right to restriction of processing: the data subject's right to obtain from the controller restriction of processing in certain situations such as (1) when the accuracy of the data is contested or (2) when the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. However, where the processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State;
- the right to data portability: the data subject's right to receive his or her personal data, which he or she has previously provided to the controller, in a structured form, commonly used and machine-readable format, and to transmit those data to another controller without hindrance by the controller to which the personal data are provided, where the processing is, pursuant to the GDPR, based on consent or contract and carried out by automated means;
- the right to object: the data subject's right to file an objection to the controller regarding the processing of personal data (including profiling) necessary for the performance of a task carried out in the public interest or in the execution of the official authority vested in the controller or on the legitimate interests of the controller. After objection to the aforementioned processing the controller shall no longer process the data subject's personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The GDPR prescribes that if the data subject's personal data were processed on the basis of a legitimate interest for direct marketing purposes, data subjects may object to such processing and the controller may no longer process such personal data; and
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects for the data subject, unless such a decision is (1) necessary to enter or perform a contract between the data subject and the controller; (2) authorised by EU law or by Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) based on the data subject's explicit consent.
iv Specific regulatory areas
Pursuant to the Implementation Act, a child's consent in relation to the direct offer of information society services shall be valid if a child is at least 16 years old and if the child's residence is in the Republic of Croatia.43
The Amendments to the Company Act implemented the EU Directive (EU) 2017/1132,44 and added provisions regarding the processing of personal data of joint stock companies' stockholders, which shall enter into force on 1 January 2021. The relevant provision prescribed that the company and the intermediaries are entitled to process stockholders' personal data for the purposes of identifying, communicating, exercising stockholders' rights and cooperating with shareholders.45 However, since the foregoing provision shall enter into force on 1 January 2021, joint stock companies and intermediaries until that time shall have to collect personal data on another legal basis pursuant to the GDPR. In addition, the Amendments to the Company Act have not foreseen a similar provision regarding the processing of personal data of shareholders of other types of companies; therefore, companies must find an appropriate legal basis for processing the personal data of their shareholders and appropriately inform their shareholders.
Regarding the protection of personal data in the context of consumers, the Implementation Act did not prescribe any additional requirements; however, the Croatian Consumer Protection Act contains a provision stating that 'the retailer shall be prohibited from providing personal data to any third party without the prior consent of the consumer, in accordance with the law governing the protection of personal data'.46 In regard to the aforementioned and since the GDPR expressly stipulates that 'the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data',47 the applicability and the extent of the aforementioned provision of the Consumer Protection Act is currently not clear. However, it may be observed that business entities have largely relied solely on the provisions of the GDPR rather than on the provision of the Consumer Protection Act.
The Amendments to the Croatian Credit Institutions Act, which entered into force on 25 April 2020, allowed and regulated the transfer of personal data between credit institutions and the Croatian Register of Credit Liabilities for the purpose of assessing the creditworthiness of consumers. Namely, pursuant to the Consumer Housing Credit Act48 and the Consumer Credit Act,49 credit institutions are obliged to assess the creditworthiness of consumers before concluding a credit agreement, among other things, by inspecting the available credit registers. Since the Croatian Register of Credit Liabilities suspended the exchange of data on credit obligations for citizens on 21 May 2018, the foregoing amendments provide legal certainty in the exchange of information that credit institutions exchange directly or through a separate legal entity in order to assess creditworthiness of consumers. It also stipulates the obligation of a credit institution to exchange, on request, with other credit institutions a minimum coverage of information related to customer obligations, including the customer's personal data, for the purpose of creditworthiness assessment and credit risk management. However, credit institutions still have a duty to inform the consumers regarding the processing of their personal data by way of transferring their personal data to the Croatian Register of Credit Liabilities and other credit institutions in accordance with GDPR.
Pursuant to ECA, the use of automatic calling or communication system without human intermediation, telefax devices or emails, including SMS and MMS messages, is allowed for the purpose of direct marketing and sale only with prior consent of subscribers or users, save as when the subscriber or the user is a legal entity. However, business entities, including both natural and legal entities, in the event that the consumer has not previously rejected such use of personal data, may use email addresses collected from its consumers when selling products and services only for direct marketing and sale of similar products and services, provided that such consumers have a clear and unambiguous possibility of free and simple objection to such use of email address in time of collection of their email address and each subsequent receipt of such email.50
On 19 April 2019, CPDPA issued its opinion51 regarding the processing of personal data for the purpose of marketing in which it stated that under ECA relevant business entities may process personal data on the basis of consent and legitimate interest in accordance with the foregoing rules provided in ECA. Furthermore, CPDPA particularly pointed out that it is not allowed to subsequently use the basis of legitimate interest in processing if there were problems with the validity of consent.
Regarding the validity of the consent, CPDPA expressly stated that consent must be a:
voluntarily, in particular, informed and unambiguous expression of the wishes of the data subject regarding the processing of his/her personal data, such as by declaration or clear confirmation, which could include marking the checkmark field when visiting web pages, selecting technical information service provider's settings or other statements or behaviours that clearly indicate in that context that the data subject accepts the proposed processing of his/her personal data. Silence, a pre-ticked checkmark, or lack of activity, should therefore not be considered as consent.
Moreover, in the foregoing opinion CPDPA stated that official business email and official business mobile phone numbers are considered as official business data; however, if it is possible to directly or indirectly identify a particular natural person using the structure of the official email (web protocol address), it shall also be considered as not only official business data, and in that case the provisions of the GDPR shall apply. However, according to the respective opinion, CPDPA is of the stance that an official business email and official business mobile phone number may be used exclusively for the purpose of official (business) contact with a legal entity and may not be used for other purposes.
Regarding the processing of personal data in the context of employment, the Croatian Labour Act (CLA)52 prescribes that an employee's personal data may be collected, processed, used and delivered to third parties only if this is provided by CLA or other law or, if necessary, for the purpose of exercising the rights and obligations arising from the employment relationship.53 The foregoing shall be prescribed in advance in the employment rulebook, containing information regarding which personal data shall be collected, purposes of processing and third parties which may receive employees' personal data. Also, personal data may be delivered to third parties only by the employer or a person specifically authorised by the employer. Incorrect personal data must be corrected immediately and personal data for which legal or factual reasons no longer exist must be deleted or otherwise removed.54
In addition, an employer employing at least 20 employees is obliged to appoint a trustee who enjoys the trust of the employees (employee trustee) and who, except for the employer, is authorised to supervise if the collection, processing, usage and delivery of personal data to third parties are in accordance with the law.55 To appoint the employee trustee, prior approval from the works council is necessary.56 In other words, the employee trustee and the DPO are not always the same person since the employee trustee must be a person who enjoys the trust of employees and was approved by the works council prior to his appointment.
The employer, the employee trustee and any other person who, in the performance of his or her duties, shall have access to the personal data of employees, must keep such data permanently confidential.57
Moreover, pursuant to the CLA, prior to making a decision important for the position of the employees, the employer must consult with the works council on the intended decision and must provide the works council with information relevant to the decision making and the perception of its impact on the position of the employees. In case the employer does not comply with the foregoing obligation to consult with the works council the decision shall be pursuant to the CLA null and void.58 Such consultations may be necessary in case the processing of employees' personal data is done in an intrusive way, such as when systematically monitoring employee emails, online logs of websites visited or 24-hour tracking of the movement of an employee's official vehicle or when using biometric employee data.59 In relation to the aforementioned, the Implementation Act explicitly permits that controllers (employers) having establishment or offering services in Croatia may process employees' biometric data for the purpose of recording of working hours and for entering and leaving the official premises, provided that the employee has explicitly consented to such processing of biometric data in accordance with the provisions of the GDPR. However, it is not entirely clear if employers should always consult with the works council prior to processing employees' biometric data.
Additionally, the Implementation Act prescribed that employees' personal data may be processed by means of video surveillance, except in premises intended as spaces of rest, personal hygiene and dressing rooms, only if the employees have been adequately informed, and if all the provisions laid down by regulations governing occupational safety and health care and the Implementation Act have been fulfilled.60
On 15 February 2019, the Act on Data and Information in Health Care (ADH)61 entered into force, regulating the processing of health data and health information. Pursuant to ADH, health data is considered as data regarding the physical or mental health of an individual, including the data on provided health services in the Croatian health system, and health information is considered information generated by processing of health data for the purpose of its further use in the health system or for the needs of the system connected with the health system.62 Both health data and health information may be considered sensitive data, or at least as personal data under the GDPR. Furthermore, ADH prescribes additional provisions, inter alia, regarding the quality, accessibility, data minimisation and transfer of health data and health information, also including the processing of personal data through the Central Health Care Information System and National Public Health Care Information System. Following from the foregoing, it would be advisable that entities providing health services, when informing their clients regarding the processing of health data and health information, also reflect in their privacy notices the applicable provisions of ADH regarding the processing of the data subject's personal data.
The amendments to the Insurance Act,63 which entered into force on 22 December 2018, explicitly prescribe that insurance companies are allowed to process health personal data when it is necessary to process health personal data to conclude and execute an insurance contract and enforcement of legal rights of the insured. From the wording of the relevant provision it may be concluded that the processing of health personal data regarding insurance contracts may be done on the legal basis of contract; however, under GDPR, the processing of sensitive data is generally prohibited, save as prescribed by Article 9(2) of the GDPR. The Final Proposal of the Act Amending the Insurance Act set forth a rationale stating that insurance activities may be considered as activities of public interest since they aim to preserve life conditions in the event of insured risk occurrence.64 Furthermore, the Insurance Act prescribed that, inter alia, insurance companies may process the national identification number and collect a copy of the identification document or bank card for the purpose of concluding and executing an insurance contract, and store personal data until the expiry of the respective statute of limitations period.65
Additionally, the Implementation Act prohibited, including on the basis of the data subject's consent, the processing of genetic data for calculating the chances of illnesses or other health conditions of data subjects when concluding or executing life insurance contracts or contracts including a survivorship clause.66 The foregoing applies when data subjects conclude the respective contracts in Croatia with controllers having establishment or offering services in Croatia.67
Processing of personal data by means of video surveillance pursuant to the Implementation Act is allowed only for the purpose necessary and only when justified for protecting natural persons and property.68 Controllers may conduct video surveillance for this purpose on the premises, parts of the premises, the outer surface of an object as well as inside public transport.69 When using video surveillance, an object must be designated with an easily intelligible picture containing text about the controller, contact details and information that the object is under video surveillance, visible by the time a person enters into the recording perimeter. Additionally, a notice containing all the relevant information under Article 13 of the GDPR must also be accessible to the data subjects (usually by stating the respective web address below the easily intelligible picture).70 Records acquired by means of video surveillance may be stored for no longer than six months, unless prescribed otherwise by law, or if those records are evidence in a court or another equivalent proceeding.71 The CPDPA, in its Opinion issued on 7 June 2019, stated that livestreaming of public spaces by means of webcams, where the films are not stored or there is no possibility to retroactively access the films, are not subject to the GDPR, since the latter only applies to the processing of personal data wholly or partly by automated means that form a part of a filing system or are intended to form part of a filing system.72
Furthermore, the Implementation Act additionally prescribes that to conduct video surveillance in residential or business and residential buildings, approval of those owning at least two-thirds of the building is required.73
v Technological innovation
Processing of biometric data, pursuant to the Implementation Act, is subject to different provisions depending on whether the processing is done by bodies of public authority or by entities carrying out business activities in the private sector. Public authority bodies may process biometric data only if it is prescribed by law and if it is necessary for protection of people, property, classified data and business secrets; however, entities acting in the private sector may process biometric data if it is prescribed by law or if it is necessary for protection of people, property, classified data, business secrets or safe identification of a user.74 Therefore, entities acting in the private sector are free to choose any of the prescribed legal bases under the GDPR for such processing, save for safe identification of a user, in which case explicit consent must be obtained.75
The Act on Processing of Biometric Data76 entered into force on 4 January 2020. It prescribes which authorities and for what purposes may process the biometric personal data of data subjects.
International data transfer and data localisation
The provisions regulating the transfer of data are prescribed by the GDPR; the Implementation Act does not prescribe additional requirements for transferring personal data.
Pursuant to the GDPR, transfers within the EU are not treated differently than transfers within a Member State, while data transfers to non-EEA countries are allowed if in accordance with the GDPR.80
In that sense, under the GDPR, data transfers outside the EU may be executed on the basis of an adequacy decision (i.e., a prior European Commission decision deciding that a third country (e.g., Switzerland, Argentina), a territory within the Member State, or the international organisation ensures an adequate level of protection of personal data); subject to appropriate safeguards (i.e., transfers based on (1) a legally binding and enforceable instrument between public authorities or bodies, (2) binding corporate rules, (3) standard data protection clauses adopted by the Commission or (4) by the data protection authorities, (5) approved codes of conduct or (6) approved certification mechanisms); and on the basis of derogations for specific situations, such as when the data subject has explicitly consented to the proposed transfer, or if the transfer is necessary for the establishment, exercise or defence of legal claims.81
Pursuant to the GDPR, onward transfers (i.e., subsequent transfers done outside the EU) are also subject to the foregoing provision and requirements prescribed under the GDPR.82
Company policies and practices
Medium and large companies that are more data-protection-oriented also tend to have internal privacy policies regarding the processing of employees' personal data and employees' rights and responsibilities regarding the processing of personal data of clients and consumers. Internal privacy policies may be included in the employment rulebooks or as a separate rulebook.
- processing of personal data for systematic and extensive profiling or automated decision making for making conclusions which substantially affect or may affect the data subject's right of access to a service or benefit;
- processing of special categories of personal data for profiling or automated decision making;
- processing biometric or genetic data when at least one additional criterion from the Guidelines on Data Protection Impact Assessment (DPIA) (WP 248 rev 01) is fulfilled; and
- processing of employee personal data by applications or tracking systems.
Discovery and disclosure
Disclosure of personal data to Croatian public authorities is done generally on the basis of the law, while foreign authority requests may be executed if they comply with legally binding and enforceable instruments between the domestic and foreign public authority or on the basis of necessity for the purpose of establishing, exercising or defending a legal claim.84
The Implementation Act explicitly excluded the application of the provision regarding biometric data when processing personal data for reasons of defence, national security or security intelligence systems. Furthermore, when processing personal data in relation to national security and serious crime surveillance, the DPLED Implementation Act explicitly excluded its applicability when the processing and exchange of personal data is done during activities performed by the security intelligence bodies in the area of national security, activities related to matters of national security carried out by the defence system, as well as when processing and exchanging personal data in carrying out activities covered by Chapter V of Chapter 2 of the Treaty on the European Union.85
Public and private enforcement
i Enforcement agencies
The CPDPA is, pursuant to the Implementation Act, presented as an autonomous and independent national data protection authority as prescribed by the GDPR. The CPDPA is, inter alia, authorised to (1) when prescribed by law, initiate criminal, misdemeanour, administrative, and other proceedings, be they court or out-of-court proceedings, as a result of violations of the GDPR, (2) publicly announce particular decisions, (3) initiate and conduct relevant proceedings against persons liable as a result of violations of the GDPR, (4) supervise the application of the DPLED, (5) issue opinions regarding the processing of personal data on the request of natural or legal entities and (6) order administrative monetary fines under the GDPR. Notwithstanding the foregoing under the GDPR, the CPDPA also acts as an advisory body regarding the processing of personal data.
Any persons who consider that their rights guaranteed under the GDPR and the Implementation Act are violated may submit a request to establish a violation of the data subject's rights before the CPDPA. The CPDPA has the power to carry out unannounced and announced investigations regarding its tasks and competences, pursuant to the CPDPA's director's order.86 Moreover, if deemed necessary, the CPDPA is entitled to copy, seal and temporarily seize the storage systems or equipment.87 When a breach of the GDPR or the Implementation Act is established, the CPDPA may issue warnings and reprimands, order the controller or processor to comply with the data subject's requests, impose a temporary or definitive limitation including a ban on processing, order a fine of up to €20 million and order the erasure of the processed personal data. An administrative lawsuit may be initiated before the administrative court against the decisions, orders and other acts of the CPDPA.88
ii Recent enforcement cases
The CPDPA has dealt with requests to establish violations of data subjects' rights due to public announcements of data subjects' personal data in the newspaper or other media and as a result of video surveillance on an object without complying with the necessary requirements under the Implementation Act or the GDPR. In most of the foregoing cases, the CPDPA did not establish that a violation of the data protection regulation had occurred and subsequently the data subjects submitted an administrative lawsuit against those decisions. In two cases, the CPDPA established a violation of data subjects' rights and ordered that the controller must erase the processed personal data and stop the unlawful processing of personal data; however, it did not impose any monetary fines against the controllers.89
The CPDPA has imposed its first administrative fine upon an unnamed bank for an unknown amount for not delivering credit documentation regarding consumer loans in Swiss francs to the respective consumers; however, further details regarding the administrative fine are currently unknown.
iii Private litigation
Private litigation regarding violations of data subjects' rights to privacy and data protection is quite rare and no case law on it has developed. Pursuant to the GDPR, it is possible to file a claim for damages if a controller violates the data subject's rights prescribed under the GDPR; however, neither the CPDPA nor the courts have issued any guidelines regarding the amount that may be claimed for violations of data subjects' rights. Furthermore, pursuant to the Croatian Civil Procedure Act,90 particular entities may file a lawsuit for the protection of collective interests and rights (a type of lawsuit similar to a class action), but there has been no significant public interest regarding such a lawsuit.
Considerations for foreign organisations
Foreign entities should generally take higher precautions when processing employee-related personal data, sensitive data or processing personal data by means of video surveillance, since such processing may trigger the jurisdiction of the CPDPA as a result of potential complaints regarding such processing from the data subjects. Besides the foregoing, foreign organisations that have affiliates in Croatia or offer services in Croatia must also bear in mind that transferring employee or customer personal data outside the EU may potentially also trigger the jurisdiction of the CPDPA.
Generally, there are no localisation requirements regarding data servers or storage of personal data in relation to foreign organisations.
Cybersecurity and data breaches
Key service operators, pursuant to the Cybernetic Security Act, are obliged to undertake technical and organisational measures to (1) establish risks regarding incidents, (2) prevent, detect and solve incidents, and (3) mitigate the impact of incidents.91 In the event of an incident, key service operators are obliged to report it to the competent computer security incident response team, which may, with prior consultation with the key service operator, announce to the public that an incident occurred. Furthermore, CERT has issued Guidelines for reporting incidents with significant impact on the key service operators and digital service providers,92 as well as forms for reporting the incidents.93
The Cybernetic Security Ordinance regulates in detail measures for obtaining high levels of cybernetic security and prescribes that key service operators are, inter alia, obliged to establish and document the key systems governance policy, establish a risk governance system, continually undertake activities regarding improvements and maintenance of their key systems and conduct incident impact assessments.94
Furthermore, controllers must implement a system that provides a timely response to data breaches since, pursuant to the GDPR, supervisory authorities should be notified about a data breach without undue delay and within 72 hours at the latest.95 In the notification, controllers should describe the nature of the personal data breach, likely consequences and measures taken or proposed to address the personal data breach or measures to mitigate its possible adverse effects, and should communicate the name and details of the DPO.96 Where the personal data breach is likely to result in high risk to the rights and freedoms of natural persons, the controller should also notify the data subject.97
Since the outbreak of the covid-19 pandemic, the CPDPA has focused its attention on the legality and proportionality of collecting and transferring personal data for the purpose of preventing further covid-19 infections. The Croatian legislator has not yet enacted detailed laws and regulations that would provide legal certainty regarding the processing of personal data in various fields.
1 Sanja Vukina is a partner at Vukina & Partners Ltd.
2 Constitution of the Republic of Croatia, Official Gazette 56/1990, 135/1997, 113/2000, 28/2001, 76/2010, 5/2014, Article 35.
3 ibid., Article 37.
4 ibid., Article 37.
5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995, p. 31–50.
6 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108.
7 Official Gazette 103/2003.
8 Croatian Data Protection Agency, Campaign for Raising Awareness Regarding Data Protection and privacy rights, accessed 4 July 2019 https://azop.hr/images/dokumenti/217/zastita_op_rh.pdf.
9 OJ C 326, 26 October 2012, p. 391–407.
10 Charter of Fundamental Rights of the European Union, OJ C 326, 26 October 2012, p. 391–407, Article 8(2).
11 https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en, accessed 4 July 2019.
12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4 May 2016, p. 1–88.
13 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
14 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31 July 2002, p. 37–47, amended by: Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, OJ L 105, 13 April 2006, p. 54, Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, OJ L 337, 18 December 2009, p. 11, corrected by Corrigendum, OJ L 241, 10 September 2013, p. 9.
15 Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM/2017/010 final – 2017/03 (COD), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52017PC0010, accessed on 11 July 2019.
16 Official Gazette 42/2018.
17 Official Gazette 68/2018.
18 Official Gazette 73/2008, 90/2011, 133/2012, 80/2013, 71/2014, 72/2017.
19 Summary of the National Cybersecurity Strategy, accessed on 4 July 2019 www.uvns.hr/hr/normativni-akti/informacijska-sigurnost/kiberneticka-sigurnost.
20 Official Gazette 64/2018.
21 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19 July 2016, p. 1–30.
izvanredne-situacije-izazvan, accessed on 1 August 2020
izvanredne-situacije-izazvan, accessed on 1 August 2020
24 'Terms for the purposes of this Act shall have the same meaning as the terms used in the General Data Protection Regulation', Implementation Act, Article 3.
25 GDPR, Article 4(1) item 1.
26 ibid., Article 9.
28 ibid., Article 4(1) item 7.
29 ibid., Article 4(1) item 8.
30 ibid., Article 4(1) item 2.
31 Regulation (EC) No. 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No. 339/93 (Text with EEA relevance), OJ L 218, 13 August 2008, p. 30–47.
32 ibid., Article 3.
33 Treaty on European Union, OJ C 326, 26 October 2012, p. 13–390, consolidated version.
34 GDPR, Article 2.
35 ibid., Article 5 and 6.
36 ibid., Article 5.
37 ibid., Article 37.
39 ibid., Article 38.
40 ibid., Article 39.
41 Croatian Data Protection Act, Article 16.
42 https://azop.hr/prava-ispitanika/detaljnije/osnovna-prava-ispitanika, CPDPA general rights of data subjects, accessed on 11 July 2019.
43 Implementation Act, Article 19.
44 Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (Text with EEA relevance.), OJ L 169, 30 June 2017, pp. 46–127.
45 Company Act, Official Gazette 111/1993, 34/1999, 121/1999, 52/2000, 118/2003, 107/2007, 146/2008, 137/2009, 111/2012, 125/2011, 68/2013, 110/2015, 40/2019, Article 297.e.
46 Consumer Protection Act, Official Gazette 41/2014, 110/2015, 14/2019, Article 11.
47 GDPR, Article 1(3).
48 Official Gazette, No. 101/2017.
49 Official Gazette, No. 75/2009, 112/2012, 143/2013, 147/2013, 9/2015, 78/2015, 102/2015, 52/2016.
50 ECA, Article 107.
51 https://azop.hr/misljenja-agencije/detaljnije/obrada-osobnih-podataka-u-svrhe-marketinga, CPDPA Opinion dated 19 April 2019, accessed on 11 July 2019.
52 Official Gazette 93/2014, 127/2017.
53 CLA, Article 29.
56 ibid., Article 151(1) item 8.
57 ibid., Article 29.
58 ibid., Article 150(12).
59 ibid., Article 150.
60 Implementation Act, Article 30.
61 Official Gazette 14/2019.
62 ADH, Article 3.
63 Official Gazette 30/2015, 112/2018.
64 Final proposal of the Act Amending the Insurance Act, http://edoc.sabor.hr/Views/AktView.aspx?type=HTML&id=2023117, accessed on 12 July 2019, p. 125.
65 Insurance Act, Article 388.
66 Implementation Act, Article 20.
68 Implementation Act, Article 26.
69 ibid., Article 26.
70 ibid., Article 27.
71 ibid., Article 29.
72 https://azop.hr/misljenja-agencije/detaljnije/videonazdor-livestreaming, accessed on 5 July 2019.
73 ibid., Article 31.
74 Implementation Act, Article 21 and 22.
76 Official Gazette 127/2019.
77 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, OJ L 337, 18 December 2009, pp. 11–36, the 'Cookie Directive'.
78 ECA, Article 100 (4).
80 GDPR, Article 1(3) and Article 44.
81 ibid., Articles 44–49.
82 ibid., Article 44.
84 Guidelines on Article 49 of Regulation 2016/679, https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614232, accessed on 11 July 2019.
85 DPLED Implementation Act, Article 3(2).
86 Implementation Act, Article 36.
87 ibid., Article 37.
88 ibid., Article 34.
publikaciji-udruge, accessed on 13 July 2019.
90 Official Gazette 53/1991, 91/1992, 112/1999, 129/2000, 88/2001, 117/2003, 88/2005, 2/2007, 96/2008, 84/2008, 123/2008, 57/2011, 25/2013, 89/2014.
91 Cybernetic Security Act, Article 15.
93 Cybernetic Security Act, Article 21 and 24.
94 Cybernetic Security Ordinance, Article 6, 9, 10 and 37.
95 GDPR, Article 33.
97 ibid., Article 34.