Croatia

Main takeaways

  • The Agency imposes fines by a decision that can be contested by initiating an administrative dispute.
  • Over the years, an increase in enforcement activity is noticeable. The fines imposed have grown exponentially, with 90% of total fines being levied in 2023.
  • Fines cannot be imposed on public authorities.
  • Summaries of fines are typically published on the Agency’s website, usually in an anonymized form.
  • Class actions are possible, but the lawsuit must be filed by an authorized entity.
  • Fines > Damages: Fines appear to carry more weight than damages, especially due to the associated reputational harm.

Fining practice

Trend: Have the national data protection authorities in Croatia focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

The Croatian Data Protection Agency (“Agencija za zaštitu osobnih podataka”, “Agency”) usually does not specifically announce the types of non-compliance it will focus on during a given period. Until now, in terms of industries and sectors, the largest focus of its monitoring has been on media/social networks/internet, marketing, the retail sector, the gambling sector and, in 2023, debt collection agencies.

The most frequently detected non-compliance issues were (i) unauthorised processing of personal data (e.g. processing without a legal basis), (ii) unauthorised disclosure of personal data (i.e. availability of personal data to unauthorised persons), (iii) issues with data encryption and (iv) making personal data public. Further sanctioned cases encompassed lack of compliance with data subjects’ rights (e.g. access to personal data), issues with data processing notices such as non-compliant or non-existent video-surveillance notices, unclear and incorrect information on the legal bases of processing, and failure to properly determine roles and enter into data processing agreements.

Proceedings against smaller entities mostly deal with unlawful operations of video surveillance systems, including lack of compliant notice on processing.

In the annual plan for 2024, aside from investigations stemming from data subjects’ complaints and complaints of public institutions, the following sectors are underscored for ongoing ex officio investigations: social security and health sector, banking and financial sector, and tourism, insurance and gambling sector. Nonetheless, this does not preclude other sectors from potential audit and should not be understood as an exclusive announcement of sector-specific inspections.

Overall, what was the most significant fine in Croatia to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The most significant fine in Croatia was imposed on a debt collection agency, in the amount of EUR 5.47 million.

The investigation was triggered by an anonymous complaint stating that the controller unlawfully processed personal data; a USB stick attached to the complaint contained the personal data of 181,641 individuals. As a controller, the debt collection company unlawfully processed sensitive (health-related) data of its debtors, as well as the data of individuals who were not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address. It was determined that the data controller had not implemented sufficient technical protection measures capable of timely detecting leakage of data from its system. Although a security system was in place, the Agency determined that, due to its deficiencies, the company lost control over the movement of its data subjects’ personal data. Furthermore, the company recorded comments related to the debtors’ state of health, which the Agency found to be excessive processing without an adequate legal basis. Additionally, the Agency determined that the data controller had unlawfully recorded telephone conversations with data subjects, as the legitimate interest assessment that would establish a legal basis for the processing had not been conducted before such processing started. Finally, the Agency found that the data subjects had not been transparently informed about the processing of their data.

To date, it remains undisclosed whether this fine has been contested in court. However, given the debt collection agency’s public statements indicating its intent to use all available legal remedies to safeguard its interests, it is to be assumed that the fine has been disputed.

Organisation of authorities and course of fine proceedings in Croatia

How is the data protection authority organised in Croatia? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The Agency is an independent national authority, autonomous and independent in its work. The Agency is not assigned to a specific ministry, but it is accountable for its work to the Croatian Parliament. According to the most recent annual report, as of 31 December 2022, the Agency employed 35 staff members.

Funding for the Agency's operations is allocated through the state budget on an annual basis. For 2022, the allocated budget was EUR 1,651,769.00. The publicly accessible financial plan of the Agency for 2024 indicates a proposed allocation of EUR 1,852,649.00 from the state budget and EUR 18,630.00 from EU related funds.

How does a fine procedure work in Croatia? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to the company alone?), a formal penalty notice)? What legal remedies are possible against an imposed fine?

  • After conducting proceedings that are initiated ex officio or based on a request to determine breach of the rights guaranteed by the GDPR or the Croatian Act on the Implementation of the GDPR, the Agency can impose several measures, including a monetary fine.
  • The Agency can carry out announced or unannounced investigations. In the case of an unannounced inspection, the supervised entity is notified at the time and place the inspection is carried out. If interference with the inspection is expected, the Agency can be assisted by the Ministry of Internal Affairs (i.e. the police).
  • In the course of an inspection, the Agency can make copies of the relevant documents and data storage systems and acquire other relevant data. If copies cannot be made for technical reasons, the Agency can also temporarily seize the equipment and documents for up to 15 days. Furthermore, the Agency can seal the data storage system and equipment for up to 15 days if there is a risk of destruction or tampering of evidence. Following the inspection, the Agency prepares the minutes and provides them to the supervised entity for comments. If comments are submitted, the Agency shall reply in writing as to whether the comments have been accepted.
  • The monetary fine is imposed by a decision of the Agency and must be paid within 15 days from the day such decision becomes final. The legal remedy is to initiate administrative dispute proceedings against the Agency within 30 days of the delivery of the decision on the imposed fine. The administrative dispute proceedings suspend the finality of the decision on the fine (including the fine payment).
  • Upon delivery of the decision on the fine, the practice of the Agency is to immediately publish on its website a summary of the violation, with anonymized information on the sanctioned entity.
  • A decision that became final shall be published on the Agency’s website without anonymization if the decision determines a breach in connection with processing of personal data of minors, special categories of personal data, automated individual decision-making, profiling, if the breach was committed by a data controller or processor who had already breached the provisions of the Croatia’s GDPR Act or the GDPR, or if a decision imposes an administrative fine in the amount of at least EUR 13,272.00 which has become final.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

The fines are paid into the state budget.

Is there a common, official calculation methodology for fines in Croatia (such as the fining models in the Netherlands or Germany)?

There is no official calculation methodology for fines in Croatia.

When imposing a fine, the Agency takes into consideration the nature of the violation, its intensity and duration, whether the violation was committed with intent or out of negligence, the actions the controller/processor undertook to rectify the damage to data subjects, the degree of liability of the controller/processor considering the implemented technical and organisational measures, all relevant prior violations by the controller/processor, the level of cooperation with the Agency for the purpose of mitigating and rectifying the negative repercussions of the violation, the categories of personal data affected, how the Agency was informed of the violation (with emphasis on whether the controller/processor informed the Agency itself), whether the controller/processor was previously fined for the same violation, compliance with approved codes of conduct or approved certification mechanisms, and any other aggravating or mitigating factors.

Can public authorities be fined in Croatia? If they can: Where does this money go?

Public authorities cannot be sanctioned with a monetary fine.

However, the Agency can use all remaining investigative (e.g. data protection audits, review of certifications) and corrective (e.g. order to bring processing into compliance; impose a temporary or definitive limitation including a ban on processing) powers towards public authorities in line with Article 58 of the GDPR.

In Croatia, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

On its website, the Agency publishes summaries of most cases involving individual fines. Although the information on the affected companies is usually not disclosed, in the case of higher fines the sanctioned entities are often recognizable. In the cases of the highest fines, the Agency has also named the sanctioned entity in the published summaries. The summaries often contain information on procedural steps, such as a brief description of how the Agency received the information on the potential violation and how it proceeded.

The Agency is authorized to publish the whole text of the decision, without anonymization, when the decision becomes final and if the violation is in connection with the processing of personal data of minors, special categories of personal data, automated individual decision-making or profiling, if the violation was committed by a data controller or processor who had already violated the provisions of the Croatian Act on Implementation of the GDPR or the GDPR, or if the decision was made in connection with a decision on an administrative fine in the amount of at least EUR 13,272.00 which has become final. In such cases the companies are identifiable.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

Information on individual fines is usually published, but in summarized form. However, the Agency publishes aggregated information as well. The aggregated information is contained in the annual report, which the Agency must submit to the Parliament no later than 31 March of the current year for the preceding year. The report contains information on the total number of cases resolved by the Agency and the number of cases that resulted in fines.

Year   Total number of cases   Total number of fines
2019   166                     0
2020   152                     1
2021   214                     4
2022   317                     14

Other legal consequences of non-compliance in Croatia

Does Croatia have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

The Croatian data protection law does not provide for any model declaratory proceedings/class actions.

However, data subjects may be able to join forces and take legal action together under other laws. In such cases, the conditions under the Civil Procedure Act or the Act on Class Actions for Protection of Collective Interests and Rights of Consumers have to be met and the lawsuit has to be brought by an authorized claimant, e.g. an association or another authorised entity.

  • Based on the Croatian Civil Proceedings Act, only associations, bodies, institutions, or other organisations founded in accordance with the law, whose registered or statutory activity is the protection of statutory collective interests and rights of citizens, can bring class actions. After the decision on the class action is adopted and it is determined that the defendant’s actions breached the rights of persons the claimant is authorised to represent, every individual (a natural or legal person) can file a separate lawsuit requesting compensation for damages or payment from the defendant. In these subsequent proceedings, the court is bound by the findings of the court that decided on the class action.
  • Based on the Croatian Act on Representative Claims for Protection of Collective Interests and Rights of Consumers, the authorised entities may initiate class actions for protection of collective interests and rights of consumers, including violations of the GDPR. The list of authorised entities is published by the ministry competent for consumer protection matters. Exceptionally, the court may also, with legal effect only in a specific case pending before the court, acknowledge the legal capacity of a claimant to associations that meet the prescribed requirements, but have not been included in the list of authorized entities.

What is more relevant in Croatia: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Fines from authorities place a higher burden on controllers, particularly since information on individual claims for damages or injunctions is not publicly accessible.

To date, Croatia has seen a relatively low number of fines, with a notable surge in 2023. Although these fines are likely to be challenged in court, the legal proceedings are usually lengthy before a final and binding decision is reached. Nonetheless, fines from authorities remain highly significant, primarily due to their potential to seriously harm the reputation of the sanctioned entities.

In the upcoming years, as data protection awareness increases and various consumer protection regulations, especially in the digital sphere, are adopted, it is anticipated that regulatory actions will remain pivotal in shaping data protection compliance.