Expensive Lessons in Data Protection: Inside Croatia’s 2025 GDPR Enforcement Actions
The Croatian Personal Data Protection Agency (“AZOP”) continued its streak of fines in 2025, confirming once again that GDPR enforcement in Croatia is to be taken seriously. A series of penalties totalling nearly EUR 7 million targeted sectors ranging from telecommunications and banking to energy production and insurance.
When it comes to behaviours leading to fines, the basis varies, but AZOP has shown increasing intolerance for vague privacy notices, excessive data collection, and security measures that exist more in theory than in practice. To understand these trends in practice, it is worth looking more closely at the highest fines imposed in 2025.
Telecommunications: cross‑border intragroup data sharing is still bound by GDPR compliance
The highest fine, amounting to an impressive EUR 4,500,000, targeted the telecommunications sector, primarily for unlawful international data transfers and lack of transparency towards the data subjects. In this case, personal data had been transferred to an intra-group processor located in a third country without a valid transfer mechanism. The processor, a company within the controller’s corporate group, was providing software maintenance services and had access to the controller’s data.
Although the transfer was initially based on the old SCCs, the controller failed to comply with the obligation to switch to the new SCCs within the period granted by the European Commission (i.e. by 27 December 2022). As a result, all transfers taking place after that date were deemed unsafe. The third country processor had access to the controller’s entire database, meaning that personal data of almost 850,000 data subjects could be accessed, including their personal identification number, addresses, IBAN, phone numbers and information on subscribed services. The controller also failed to conduct a Data Transfer Impact Assessment (i.e. TIA), further aggravating the violation.
The way the controller communicated its third‑country data transfers to data subjects was equally problematic. A review of the company’s privacy policies revealed language suggesting that data “may” be transferred outside the EEA, or that processing “as a rule” takes place within the EU, with transfers abroad presented as a rare exception. Such ambiguity is directly contrary to the GDPR, which requires information to be clear, precise, and unambiguous. In other words, individuals must be properly informed about where and by whom their data can be accessed.
AZOP also identified excessive processing of employee data. The controller collected copies of employees’ identity cards without a valid legal basis. This practice was considered particularly problematic as the controller’s own DPO had explicitly warned that such collection could be excessive given the intended purpose of processing. AZOP treated the decision to disregard the DPO’s advice as an aggravating factor. Similarly, the controller collected employees’ certificates of no pending criminal proceedings without any lawful basis.
Finally, additional deficiencies were found in the controller’s oversight of processors. A processor that was engaged for telemarketing services lacked even the basic security measures, and the controller failed to carry out elementary due diligence on a processor’s security measures before engagement.
Banking: device data collection in mobile apps must be limited
The second-largest fine, totalling EUR 1,500,000, was imposed on a bank for multiple violations linked to its mobile banking application. The supervisory proceedings, initiated following a complaint by an app user, identified that the bank processes data of 433,922 users via the mobile app. The app scanned users’ devices, collected lists of all installed applications, and transmitted this data to the bank’s central database. The bank argued that the Payment System Act allows this type of data collection. AZOP, however, pointed out that the Act contains no such provision and that this type of processing cannot be justified under it.
A further issue concerned the lack of transparency towards users. During the download process, users were provided with a link to a privacy notice, but the document accessible via the link was intended for visitors of the bank’s website and made no reference whatsoever to the mobile app. Although the app’s processing was briefly mentioned in another privacy notice, AZOP found this insufficient and concluded that the users had not been properly informed and that the processing was effectively kept secret. This lack of clarity also hindered users’ ability to exercise their right of access.
Lastly, AZOP determined that during the design of the application, the bank failed to implement appropriate technical and organizational measures necessary to ensure compliance with the data minimization principle. AZOP highlighted that collecting a full inventory of installed apps can easily reveal highly sensitive data related to health, religion, political views, or sexual orientation. Also, AZOP emphasized that less intrusive alternatives were available, such as storing only information about “blacklisted” apps.
Energy sector: insecure password‑reset design puts users at risk
Another notable fine of EUR 320,000 was imposed on a company engaged in the production and distribution of thermal energy, following supervisory proceedings triggered by a data subject’s complaint. The complaint stated that when requesting a reset for a forgotten password, customers were actually being sent the last password they had set themselves.
During the supervision, AZOP confirmed that the company’s password-reset system indeed emailed users their previous passwords instead of generating temporary ones. In addition, all user passwords, almost 16,000 of them, were stored in plain text in the controller’s database. In simple terms, all passwords were exposed to the risk of unauthorised disclosure and misuse.
Unsurprisingly, AZOP found that the controller had failed to implement even the basic security measures such as encryption or proper password management. No risk assessment had been conducted either. To make matters worse, the controller failed to cooperate adequately during the supervisory proceedings and took no mitigating measures to address the potential harm, for example, affected users were not notified.
AZOP also noted that the controller did not provide access to all information required for AZOP to perform its tasks, which constitutes a failure to duly cooperate with the authority.
Sports betting: unencrypted ID verification and poor security controls
A fine of EUR 175,000 was imposed on a sports betting operator for failing to implement adequate technical measures to protect users’ personal data and for improperly storing those data. AZOP initiated ex officio proceedings after receiving a complaint that the betting operator required users to send copies of their ID cards via unencrypted email to verify their accounts at the time of the payout.
The supervisory proceedings showed that the controller processed personal data, including ID card scans, without implementing appropriate safeguards in light of the related risks. The controller also failed to ensure deletion of personal data after the expiry of the prescribed retention period.
In addition, AZOP discovered that the controller had deliberately avoided creating data backups, citing excessive cost. Given that the betting operator processed personal data of more than 70,000 online betting users, it was obliged to ensure secure data backups.
Several issues were also identified in the area of password security. Some employees used extremely weak passwords, sometimes as short as three characters, despite having access to email accounts containing personal data and copies of ID documents from a large number of users. It was further established that employees accessed the administrative part of the betting platform via an unsecured HTTP connection.
Insurance sector: poor security and missing retention rules trigger data leak
The Croatian Insurance Bureau (“HUO”) was fined EUR 101,000 following an investigation prompted by an anonymous report alleging a leak of personal data relating to more than one million vehicle owners from the national Register of Registered Vehicles. The dataset delivered to AZOP on a USB stick triggered supervisory proceedings across several entities connected to the incident, including the Croatian Insurance Bureau, the Croatian Vehicle Centre, and the Ministry of the Interior.
AZOP confirmed that the dataset delivered on a USB stick, containing personal details of vehicle owners and insurance‑related data, matched the database held by HUO, establishing it as the responsible controller.
The authority found that HUO had failed to implement adequate organisational and technical measures to protect the personal data it processed. These shortcomings compromised the security of the system and made the data more easily accessible to unauthorised persons. AZOP also established that HUO had not defined maximum retention periods for personal data.
These violations contributed to the possibility of personal data being extracted from HUO’s database. AZOP further noted that, as HUO is a legal entity vested with public authority, the fine has to be imposed in accordance with the national rules governing penalties for public bodies stipulating that the penalty cannot endanger the performance of the public authorities.
Parking services: repurposing vehicle‑owner data without legal basis
Vehicle data handling was under heightened attention in 2025. Another fine, this time EUR 80,000, was imposed on a parking services company for unlawfully processing personal data from the Ministry of the Interior’s Register of Registered Vehicles. AZOP found that the company used its authorised access to the Register, originally granted for parking enforcement in a different city, to obtain personal data for managing and charging parking in several retail chains and a general hospital, without any valid legal basis. In summary, the company had excessively relied on its access rights and unlawfully repurposed the data.
Regarding the parking services provided to the hospital, AZOP further determined that no data processing agreement was in place to regulate the controller–processor relationship for the hospital parking service. In addition, the company failed to implement appropriate organisational and technical security measures when processing personal data.
This supervisory proceeding also prompted additional inquiries into parking-payment practices of other controllers. As a result, the hospital itself was fined EUR 4,000. AZOP found that the hospital used the parking company’s mobile application without transparently informing users about the personal data processing within the app. The missing data processing agreement was identified as an additional deficiency. In determining the amount, AZOP again emphasised that fines imposed on entities vested with public authority must not jeopardise the performance of their public functions.
Other fines confirm fundamental breaches
According to the publicly available information on AZOP’s website, the remaining enforcement actions resulted in penalties ranging from EUR 2,500 to EUR 50,000.
Several smaller fines were imposed on entities such as restaurants, retail shops, and an elementary school. Based on the published violations, it is evident that smaller entities continue to struggle with basic GDPR obligations, particularly when it comes to cooperating with AZOP, identifying an appropriate legal basis, and accurately reflecting it in their privacy notice. These cases underline that GDPR compliance applies equally to organizations of all sizes and that basic obligations, such as establishing a valid legal basis, remain non-negotiable.
The higher-end fines were linked to cybersecurity issues that led to unlawful export of data over several days, excessive data processing and deficiencies in privacy notices. Transparency continues to be a general challenge among controllers in Croatia. Unsurprisingly, shortcomings in technical measures, or a complete lack thereof, are a recurring theme as well.
Finally, although not all decisions are publicly available, AZOP’s summarized overview of fines notes that penalties were also related to the appointment and positioning of Data Protection Officers.
Transparency as the defining GDPR theme of 2026
The 2025 enforcement actions make one thing clear: businesses must ensure their legal documentation genuinely reflects what is happening in practice. Transparency must be concrete rather than conditional, data collection limited to what is genuinely necessary, and security measures designed to withstand foreseeable risks.
According to the European Data Protection Board, transparency will be one of the central enforcement priorities in 2026. Many GDPR breaches are not caused by hidden processing, but rather by explanations that are unclear, incomplete, or misleading.
In practical terms, having a privacy policy “on paper” is not sufficient. The 2025 penalty trends show that phrases such as personal data “may be transferred”, “could be shared”, or “is generally processed within the EU” are not adequate to meet transparency standards. Information must be concise, precise, and written in clear and plain language, enabling individuals to understand what data are processed, for what purposes, on which legal basis, for how long, and with whom it is shared, including any transfers outside the EEA.
Keeping this in mind, the start of the year is the ideal time to review and align privacy notices. Ensuring that privacy notices comply with Articles 12, 13 and 14 GDPR, not only formally but also substantively, is essential for meeting transparency requirements and avoiding enforcement risks.