
Data Law Navigator | Croatia

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last reviewed 23 March 2020

Risk scale

Risk Scale Red

Laws

  • General Data Protection Regulation No. 2016/679 (GDPR)
  • Act on Implementation of General Data Protection Regulation (Official Gazette, No. 44/18)
  • Electronic Communications Act (Official Gazette No. 73/08, 90/11, 133/12, 80/13, 71/14, 72/17)
  • Electronic Commerce Act (Official Gazette No. 173/03, 67/08, 130/11, 36/09, 30/14, 32/2019)
  • Consumers Protection Act (Official Gazette No. 41/14, 110/15, 14/2019)

Authority

If applicable: stage of legislative implementation of GDPR

Implemented by virtue of the Act on Implementation of General Data Protection Regulation (“Implementing Act”) on 25 May 2018.

If applicable: local derogations as permitted by GDPR

  • Administrative fines cannot be imposed on public authorities (Article 83 GDPR)
  • Processing and freedom of expression and information (Article 85 GDPR)
  • Processing and public access to official documents (Article 86 GDPR)
  • Processing of national identification numbers (Article 87 GDPR)
  • Processing in the context of employment (Article 88 GDPR)
  • Safeguards and derogations to processing for statistical purposes (Article 89 GDPR)
  • Obligations of secrecy (Article 90 GDPR)
  • Processing special categories of data (Article 9 (4) GDPR)
  • Video surveillance.

Scope

The scope is defined in the GDPR.

Penalties/enforcement

  • The Croatian Personal Data Protection Agency is entitled to impose administrative fines in line with Article 83 of the GDPR
  • In addition to administrative fines under the GDPR, the Implementing Act provides for administrative fines of up to approx. EUR 6,700 for violations related to video surveillance
  • The Implementing Act provides for misdemeanour fines of up to approx. EUR 6,700 for violations by the supervisory authority’s employees.

Registration/notification

No derogation from the GDPR.

Main obligations and processing requirements

The main obligations and processing requirements that a data controller is obliged to comply with are specified in the GDPR.

Additionally, main obligations and processing requirements stipulated by the Implementing Act are:

  • processing in the context of employment – biometric data and video surveillance;
  • processing of special categories of data – genetic and biometric data;
  • use of video surveillance in apartment buildings and public areas.

Data subject rights

Derogations from the GDPR: Public bodies which process data for official statistical purposes are not obliged to ensure the rights of access, rectification, restriction of processing and objection to processing.

Processing by third parties

No derogation from the GDPR.

Transfers out of country

No derogation from the GDPR.

Data Protection Officer

No derogation from the GDPR.

Security

No derogation from the GDPR.

Breach notification

No derogation from the GDPR.

Direct marketing

If by electronic mail: The Electronic Communications Act requires the prior consent of the recipient (a natural person) before marketing e-mails are sent. An exception applies when all of the following (cumulative) requirements are met:

  • the recipient’s e-mail address has been acquired for the purpose of sale of goods or services
  • the marketer uses the address for direct advertising of their own similar goods or services
  • the recipient has not objected to this use
  • the recipient is given a clear and unequivocal possibility when the address was collected, and each time it is used, to object to such marketing at any time, free of charge.

If by regular mail: The Consumers Protection Act envisages an opt-out regime (marketing materials may freely be left in consumers’ mail boxes or in front of their doors unless they have placed a prohibition sign on the mail box or door).

If by telephone: The Consumers Protection Act envisages an opt-out regime (consumers may freely be called unless they have subscribed to a do-not-call register).

Cookies

The Electronic Communications Act stipulates that the use of cookies is allowed only with the prior informed consent of the consumer. This rule does not apply to cookies collecting data solely for the purpose of enabling the electronic communication or for providing information society services (e.g. online shopping) explicitly requested by the user.

Useful links


Cyber Security

Last reviewed 23 March 2020

Risk scale

Risk Scale Orange

Laws and regulations

  • Act on cyber security of operators of essential services and digital service providers (Official Gazette No. 64/18)
  • Regulation on cyber security of operators of essential services and digital service providers (Official Gazette No. 68/18)
  • Information Security Act (Official Gazette No. 79/07)
  • Regulation on information security measures (Official Gazette No. 46/08)

Anticipated changes to law

No major changes anticipated; the EU NIS Directive has already been implemented.

Application

  • The Act on cyber security of operators of essential services and digital service providers envisages procedures and measures for ensuring a high level of cyber security in the provision of services of essential social and economic importance and in the functioning of the digital market. It applies to (i) operators of essential services, regardless of whether they are public or private entities and regardless of their country of registered seat, size, organisation or ownership, and (ii) digital service providers that have their registered seat or a representative in Croatia, provided they are not micro or small-sized enterprises.
  • The Information Security Act envisages information security measures and standards, the areas of information security and supervisory activities. It applies to state authorities, local and regional authorities and legal entities vested with public authority which use classified and unclassified data, and to natural and legal persons which obtain access to or handle classified and unclassified data.

Authority

Key obligations

  • Act on cyber security of operators of essential services and digital service providers:
    • Operators of essential services and digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents affecting their network and information systems (minimum security requirements). Operators of essential services must prove at least every two years that these measures fulfil the requirements. Measures for digital service providers are defined by the European Commission Implementing Regulation adopted pursuant to Article 16(8) of the NIS Directive.
    • Operators of essential services and digital service providers must notify the competent authority in the event of major cyber security incidents.
  • Information Security Act:
    • Obligation to implement information security measures (prescribed in detail by the Regulation on information security measures)
    • Obligation to appoint an information security adviser

Penalties/enforcement

The Act on cyber security of operators of essential services and digital service providers envisages fines of up to approx. EUR 67,000.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. The National CERT was established in accordance with the Information Security Act; its main task is the handling of incidents on the Internet, i.e. the preservation of information security in Croatia. The CERT deals with an incident if one party to the incident is in the .hr Internet domain or is a Croatian citizen using the hosting services of a foreign service provider.

Under the Act on cyber security of operators of essential services and digital service providers, competent CSIRTs are designated for the different sectors.

Is there a national incident management structure for responding to cybersecurity incidents?

Yes, the Croatian Government enacted the National Cyber Security Strategy and the Action Plan for the Implementation of the National Cyber Security Strategy.


Authors

Gregor Famira
Partner
Vienna