Data protection and cybersecurity laws in Croatia

Data protection

1. Local data protection laws and scope

  • Act on Implementation of General Data Protection Regulation (Official Gazette, No. 42/18), prescribing certain additional rules supplementing the basic text of the GDPR, such as processing in the context of employment, processing of genetic and biometric data and the use of video surveillance.
  • Electronic Communications Act (Official Gazette No. 73/08, 90/11, 133/12, 80/13, 71/14, 72/17), governing, among other things, the use of cookies and similar tracking technologies, the confidentiality of electronic communications, and the conditions for direct marketing via email.
  • Electronic Commerce Act (Official Gazette No. 173/03, 67/08, 36/09, 130/11, 30/14, 32/19), containing rules on the transmission, caching and hosting of data in communication networks when providing information society services.
  • Consumer Protection Act (Official Gazette No. 41/14, 110/15, 14/19), containing a general ban on disclosing consumer data without consent, as well as additional rules on direct marketing via phone or mail.
  • Specific data protection provisions may also be found in other acts, such as the Employment Act (Official Gazette No. 93/14, 127/17, 98/19), the Credit Institutions Act (Official Gazette No. 159/13, 19/15, 102/15, 15/18, 70/19, 47/20, 146/20), etc.

2. Data protection authority

Croatian Personal Data Protection Agency (AZOP): Agencija za zaštitu osobnih podataka

The competent national authority for electronic communications network is the Croatian Regulatory Authority for Network Industries (HAKOM): https://www.hakom.hr/default.aspx?id=7

3. Anticipated changes to local laws

According to the general notice of the Croatian Parliament about its legislative plans for 2021, new amendments to the Electronic Communications Act are planned (no details are available).

Apart from that, there are no anticipated changes.

4. Sanctions & non-compliance

Administrative sanctions:
  • The Croatian Personal Data Protection Agency is entitled to impose administrative fines in line with Article 83 of the GDPR;
  • In addition to administrative fines under the GDPR, the Act on Implementation of General Data Protection Regulation provides for fines of up to EUR 6,700 for violations related to video surveillance;
  • Electronic Communications Act provides for fines up to EUR 130,000 for breach of provisions concerning the use of cookies and similar tracking technologies, confidentiality of electronic communications, conditions for direct marketing, and other (as well as up to EUR 13,000 for the responsible person);
  • Electronic Commerce Act provides for fines up to EUR 13,000 for breach of provisions concerning information obligations, data availability, handling of data, and other (as well as up to EUR 1,300 for the responsible person);
  • Consumer Protection Act provides for fines up to EUR 13,000 for breach of provisions concerning prohibited marketing activities, and other (as well as up to EUR 2,000 for the responsible person).
Criminal sanctions:
  • Unauthorised collection, processing and use of personal data punishable up to one year of imprisonment;
  • Punishable up to three years of imprisonment: unauthorised transfer of personal data from Croatia for the purpose of further processing; unauthorised publishing of data or otherwise making data available; unauthorised collection, processing and use of personal data (i) whereby significant proceeds are obtained / significant damage caused, (ii) related to children, or (iii) related to racial or ethnic origin, political views, religious or other beliefs, trade union membership, health or sexual life, criminal or misdemeanour proceedings.
  • If any of the above offences is committed by an official in the performance of a service or a responsible person in the exercise of public authority, such offence is punishable by imprisonment of six months to five years.
Others:
  • Act on Implementation of General Data Protection Regulation provides for misdemeanour fines of up to EUR 6,700 for violations by the supervisory authority’s employee;
  • Electronic Communications Act provides for the possibility to impose a ban on performing the activity for up to one year;
  • Electronic Commerce Act provides for the possibility to impose a ban on performing the activity for up to six months.

5. Registration / notification / authorisation

There are no derogations from the GDPR.

6. Main obligations and processing requirements

Main obligations and processing requirements, other than those from the GDPR, are stipulated by the Act on Implementation of General Data Protection Regulation as follows:

  • processing in the context of employment – biometrical data and video surveillance;
  • processing of special categories of data – genetic and biometrical data;
  • use of video surveillance of apartment buildings and public areas.

7. Data subject rights

Derogations from the GDPR: Public bodies which process data for official statistical purposes are not obliged to ensure the rights of access, rectification, restriction of processing and objection to processing.

8. Processing by third parties

There are no derogations from the GDPR.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

There are no derogations from the GDPR.

11. Security

There are no derogations from the GDPR.

12. Breach notification

There are no derogations from the GDPR.

13. Direct marketing

The Electronic Communications Act generally prohibits the use of automated calling and communication systems without human intervention, facsimile machines (fax) or electronic mail, including SMS and MMS, for the purposes of direct marketing without the prior consent of subscribers / service users.

If by email: Although the Electronic Communications Act generally requires a prior consent of the recipient (a natural person) before sending marketing emails, an exception applies (cumulative requirements) when:

  • the recipient’s email address has been acquired for the purpose of sale of goods or services;
  • the marketer uses the address for direct advertising of their own similar goods or services;
  • the recipient has not objected to this use;
  • the recipient is given a clear and unequivocal opportunity when the address was collected, and each time it is used, to object to such marketing at any time, free of charge. 

If by regular mail: The Consumer Protection Act envisages an opt-out regime (marketing materials may be freely left in the mailbox or at the front door of consumers unless they have placed a sign reading ‘no junk mail’ or similar).

If by telephone: The Consumer Protection Act prohibits calls and phone messages to consumers who have subscribed to a do-not-call register.

The aforementioned general prohibition under the Electronic Communications Act to use automated calling and communication systems without human intervention should also be considered.

14. Cookies and adtech

The Electronic Communications Act stipulates that cookies may only be used with the prior informed consent of the consumer. This rule does not apply to technical storage of, or access to, data solely for the purpose of enabling the electronic communication, or where necessary to provide an information society service (e.g. online shopping) explicitly requested by the user.

15. Risk scale

Severe

Cybersecurity

1. Local cybersecurity laws and scope

  • Act on cybersecurity of operators of essential services and digital service providers (Official Gazette No. 64/18);
  • Regulation on cybersecurity of operators of essential services and digital service providers (Official Gazette No. 68/18);
  • Information Security Act (Official Gazette No. 79/07);
  • Regulation on information security measures (Official Gazette No. 46/08).

2. Anticipated changes to local laws

Apart from the NIS2 Directive proposed at the EU level, no changes are anticipated at the local level before that directive is adopted at the EU level.

3. Application 

  • Act on cybersecurity of operators of essential services and digital service providers aims to ensure best-practice cybersecurity at operators of essential services and digital service providers. It applies to (i) operators of essential services, regardless of whether they are public or private entities, where they are headquartered, and their size, organisation and ownership, and (ii) digital service providers registered or represented in Croatia, as long as they are not a micro or small-sized enterprise.
  • Information Security Act envisages IT security measures and standards and supervisory activities, and applies to state authorities, local and regional authorities, legal entities with public authority which use classified and unclassified data, and to natural and legal persons that obtain access to or handle classified and unclassified data.

5. Key obligations 

  • Act on cybersecurity of operators of essential services and digital service providers:
    • Operators of essential services and digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents within the network and IT systems (minimum security requirements). Operators of essential services must prove that these measures meet requirements at least every two years. Measures for digital service providers are defined by the European Commission Implementing Regulation pursuant to Art 16(8) of the NIS Directive;
    • Operators of essential services and digital service providers must notify the competent authority in the event of major cybersecurity incidents.
  • Information Security Act:
    • Obligation to implement IT security measures (prescribed in detail by the implementing regulation);
    • Obligation to appoint an IT security adviser.

6. Sanctions & non-compliance 

Administrative sanctions:

In case of failure to comply with a binding instruction issued by the competent authority, or refusal to provide information on incidents with a significant impact, fines of up to EUR 66,000 can be imposed on an operator of essential services or digital service provider (as well as up to EUR 6,600 for the responsible person).

Fines up to EUR 13,200 can be imposed if the operator of essential services or digital service provider fails to comply with requests to cooperate with the competent supervisory authority, or rejects, delays or obstructs the technical bodies that conduct compliance assessments (as well as up to EUR 3,300 for the responsible person).

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. The National CERT was established in accordance with the Information Security Act; its main task is handling incidents on the Internet, thereby ensuring IT security in Croatia. The National CERT gets involved if at least one party to the incident is in the .hr Internet domain or is a Croatian citizen using the hosting services of a foreign service provider.

Under the Act on cybersecurity of operators of essential services and digital service providers, competent CSIRTs are designated for the different sectors.

8. National cybersecurity incident management structure

Yes, the Croatian Government enacted the National Cybersecurity Strategy and the Action Plan for the Implementation of the National Cybersecurity Strategy.

9. Other cybersecurity initiatives 

N/A

Marija Zrno Prošić
Partner
Zagreb
Lucija Vranešević
Alina Skiljić