GDPR Enforcement in Croatia

Deep dive into relevant data protection enforcement cases and insights from Croatia

21 May 2026 Albania 12 min read

Main takeaways

Over the years, the Agency's enforcement activity has intensified significantly, with the largest fine amounts being imposed in the period from 2023 onwards.
The overall amount of fines in 2025 reached EUR 6.7 million.
The Agency imposes fines by making a decision that can be contested by initiating an administrative dispute.
Fines cannot be imposed on public authorities.
Summaries of fines are typically published on the Agency's website, usually in an anonymised form.
Representative actions are possible, but the lawsuit must be filed by an authorised entity.
Fines > Damages: Fines appear to carry more weight than damages, especially due to the associated reputational harm.

Fining practice

Trend: Have the national data protection authorities in Croatia focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

The Croatian Data Protection Agency (Agencija za zaštitu osobnih podataka, the "Agency") markedly increased its enforcement activity in 2025, with the aggregate value of imposed fines reaching EUR 6.7 million. This represents a significant rise compared to 2024, when total fines amounted to EUR 538,200. In addition to monetary sanctions, the Agency imposed 180 corrective measures aimed at remedying identified irregularities.

The Agency maintains a broad enforcement approach, without formally limiting its oversight to specific types of infringement. 

The most frequent infringements remain related to the unlawful processing of personal data, particularly processing without a valid legal basis, including excessive data collection and unauthorised disclosure of personal data. Further common issues include the transfer of personal data to third countries without valid safeguards and the insufficient implementation of technical and organisational measures. Transparency violations also persist, including non-compliant or absent privacy notices and failure to provide transparent information on processing purposes and legal bases. Finally, issues were also detected in terms of compliance with data subjects' rights, particularly the right of access.

From a sectoral perspective, enforcement activity continues to affect a wide range of industries. The Agency's recent enforcement actions encompassed data controllers from several sectors, including telecommunications, banking, energy, insurance, sports betting and hospitality.

Overall, what was the most significant fine in Croatia to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The most significant fine imposed in Croatia to date remains the administrative fine of EUR 5.47 million issued against a debt collection agency. The case concerned extensive unlawful processing of personal data, including sensitive health-related data, affecting more than 180,000 individuals.

The investigation was triggered by an anonymous complaint stating that the controller had unlawfully processed personal data. A USB stick containing the personal data of 181,641 individuals was included with the complaint. As a controller, the debt-collection company unlawfully processed sensitive (health-related) data of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone numbers, first and last names and residential addresses. It was determined that the data controller had not implemented sufficient technical protection measures to detect data leakage from their system in a timely manner. Although there was a security system in place, the Agency determined that, due to deficiencies, the company had lost control over the movement of their data subjects' personal data. Furthermore, the company recorded comments related to the debtor's state of health that the Agency found to be excessive processing without an adequate legal basis. Additionally, the Agency determined that the data controller had unlawfully recorded telephone conversations with data subjects as the legitimate interest assessment that established a legal basis for processing had not been conducted prior to the start of such processing. Finally, the Agency found that the data subjects had not been transparently informed about the processing of their data.

To date, it remains undisclosed whether this fine has been contested in court. However, given the debt collection agency's public statements indicating its intent to use all available legal remedies to safeguard its interests, it is reasonable to assume that the fine has been disputed.

Organisation of authorities and course of fine proceedings in Croatia

How is the data protection authority organized in Croatia? Budget, staff, assignment to a ministry?

The Agency is an independent national authority that is autonomous and independent in its work. The Agency is not assigned to a specific ministry, but it is accountable to the Croatian Parliament for its work. The Agency is funded through the state budget, with annual allocations determined as part of the national budget process.

In recent years, there has been a steady increase in funding, reflecting the growing scope of its supervisory activities. For example, the allocated budget for 2024 amounted to approximately EUR 1.98 million, with a further increase to approximately EUR 2.62 million in 2025. The planned budget for 2026 amounts to approximately EUR 2.9 million, but official confirmation is still pending.

In terms of staffing, the Agency remains a relatively small authority. According to the most recent available data, as of 31 December 2025, the Agency employed 32 staff members. Despite its limited size, the Agency carries out a broad range of tasks, including complaint handling, investigations, advisory activities, and participation in the work of the European Data Protection Board. It should also be noted that the Agency may increase its staffing levels, as the applicable internal regulations envisage a total of 82 positions.

How does a fine procedure work in Croatia? Can the authority impose fines itself? Procedural steps? Legal remedies?

The Agency has the authority to impose administrative fines directly by way of a formal decision in accordance with Article 83 GDPR.

After conducting proceedings that are initiated ex officio or based on a request to determine a breach of the rights guaranteed by the GDPR or the Croatian Act on the Implementation of the GDPR, the Agency can impose several measures, including a monetary fine.

The Agency can carry out announced or unannounced inspections. In the case of an unannounced inspection, the supervised entity will be notified at the time and place that the inspection is being carried out. If interference with the inspection is expected, the Agency can be assisted by forces of the Ministry of Internal Affairs (i.e. police).

In the course of the inspection, the Agency can make copies of the relevant documents and data storage systems and acquire other relevant data. If copies cannot be made for technical reasons, the Agency can also temporarily seize the equipment and documents for up to 15 days. Furthermore, the Agency can, for up to 15 days, seal the data storage system and equipment if there is a risk of destruction of or tampering with evidence. Following the inspection, the Agency will prepare the minutes and provide them to the supervised entity for comment. If comments are made, the Agency will provide a written reply stating whether the comments have been accepted.

The monetary fine is imposed by a decision of the Agency and must be paid within 15 days from the day such decision becomes final. The legal remedy is to initiate administrative dispute proceedings against the Agency within 30 days of delivery of the decision on the imposed fine. The administrative dispute proceedings suspend the finality of the decision on the fine (including the fine payment).

Upon delivery of the decision on the fine, the practice of the Agency is to immediately publish a summary of the violation on its website, with anonymised information on the sanctioned entity.  

Any decision that has become final will be published on the Agency's website without being anonymised if the decision determines a breach in connection with processing of personal data concerning minors, special categories of personal data, automated individual decision-making or profiling, if the breach was committed by a data controller or processor who had already breached the provisions of Croatia's Act on Implementation of the GDPR or the GDPR, or if a decision imposes an administrative fine in the amount of at least EUR 13,272.00 which has become final.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Administrative fines imposed by the Agency are paid into the state budget and do not constitute revenue of the Agency itself.

Is there an official calculation methodology for fines in Croatia?

There is no official calculation methodology for fines in Croatia.

When imposing a fine, the Agency takes into consideration the nature, intensity and duration of the violation, whether the violation was intentional or occurred through negligence, the actions undertaken by the controller/processor to rectify the data subjects' damages, the degree of liability of the controller/processor considering the technical and organisational measures implemented, all relevant prior violations by the controller/processor, the level of cooperation with the Agency for the purpose of mitigating and rectifying the negative repercussions of the violation, the categories of personal data, how the Agency was informed of the violation, with emphasis on whether the controller/processor informed the Agency themselves, whether the controller/processor had previously been fined for the same violation, compliance with approved codes of conduct or approved certification mechanisms, and any other aggravating or mitigating factors. 

Can public authorities be fined in Croatia? If yes: Where does this money go?

Public authorities cannot be sanctioned with a monetary fine. 

However, the Agency can use all remaining investigative (e.g. data protection audits, reviews of certifications) and corrective (e.g. orders to bring processing into compliance; imposing a temporary or definitive limitation including a ban on processing) powers towards public authorities in line with Article 58 of the GDPR.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

On its website, the Agency publishes summaries of most cases involving individual fines. The Agency also sometimes publishes full decisions, but with the sanctioned company's data anonymised. Although information on the affected companies is usually not disclosed, the sanctioned entities are often recognisable in cases involving higher fines.

In cases involving the highest fines, the Agency has noted the sanctioned entity in the published summaries. 

The summaries often contain information on procedural steps, such as a brief description of how the Agency received information on the potential violation and how it proceeded.

The Agency is authorised to publish the full text of the decision without anonymisation when the decision becomes final and if the violation is in connection with the processing of personal data concerning minors, special categories of personal data, automated individual decision-making or profiling. This also applies if the violation was committed by a data controller or processor who had already violated the provisions of the Croatian Act on Implementation of the GDPR or the GDPR, or if a decision was made in connection with the decision on an administrative fine in the amount of at least EUR 13,272.00 which has become final. In these cases, the companies will be identifiable.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

The information on individual fines is usually published, but in a summarised form. However, the Agency publishes aggregated information as well. The aggregated information is contained in the annual report, which the Agency should submit to the Parliament no later than 31 March of the current year for the previous year. The report contains information on the total number of cases resolved by the Agency and the number of cases that resulted in fines.

2019 – total number of cases: 166; total number of fines: 0
2020 – total number of cases: 152; total number of fines: 1
2021 – total number of cases: 214; total number of fines: 4
2022 – total number of cases: 317; total number of fines: 14
2023 – total number of cases: 269; total number of fines: 28
2024 – total number of cases: 831; total number of fines: 38
2025 – total number of cases: 1,050; total number of fines: 13

Other legal consequences of non-compliance in Croatia

Does Croatia have model declaratory proceedings/class actions in data protection law?

Croatian data protection law does not provide for any model declaratory proceedings/representative actions.

However, data subjects may be able to join forces and take legal action together under other laws. In such cases, the conditions set out under the Civil Procedure Act or the Act on Representative Actions for the Protection of Collective Interests and Rights of Consumers must be met and the lawsuit must be brought by an authorised claimant, e.g. an association or another authorised entity.

Based on the Croatian Civil Procedure Act, only associations, bodies, institutions, or other organisations founded in accordance with the law whose registered or statutory activity is the protection of statutory collective interests and rights of citizens can bring representative actions. After the decision on the representative action has been adopted and it has been determined that the defendant's actions breached the rights of persons the claimant is authorised to represent, any individual (a natural or legal person) can file a separate lawsuit requesting compensation for damages or payment from the defendant. In these subsequent proceedings, the court is bound by the findings of the court that decided on the representative action.

Based on the Croatian Act on Representative Actions for the Protection of Collective Interests and Rights of Consumers, the authorised entities may initiate representative actions to protect the collective interests and rights of consumers, including violations of the GDPR. The list of authorised entities is published by the ministry responsible for consumer protection matters. In exceptional cases, the court may also, with legal effect only in a specific case pending before the court, acknowledge the legal capacity of claimants belonging to associations that meet the prescribed requirements but are not included in the list of authorised entities.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

In practice, administrative fines imposed by the Agency remain the primary enforcement mechanism and carry significantly greater practical relevance than litigation. This is largely due to the limited visibility of court proceedings and the relatively low number of publicly known damages claims.

Since 2023, Croatia has seen a notable increase in imposed fines. Although the total number of fines decreased last year, the aggregate value of fines rose compared to the previous year, reaching approximately EUR 6.7 million in 2025.

Although these fines are likely to be challenged in court, legal proceedings usually take a long time before a final and binding decision is reached. Nonetheless, fines from authorities remain highly significant, primarily due to their potential to significantly harm the reputation of the sanctioned entities.

In the coming years, as data protection awareness increases and various consumer protection regulations, especially in the digital world, are adopted, it is anticipated that regulatory action will remain pivotal in shaping data protection compliance.
