New Implementation of the GDPR Law in Croatia
January 18, 2022 | 4 minutes read
Croatia’s Law on the Implementation of the General Data Protection Regulation 2018 is a data protection law that was recently enacted in 2018. As Croatia is a member of the European Union, the Law on the Implementation of the General Data Protection Regulation 2018 implements the provisions of the EU’s GDPR law into Croatian law, as the name of the legislation suggests. To this point, the Law on the Implementation of the General Data Protection Regulation 2018 establishes the legal framework that must be followed when the personal data of Croatian citizens is collected or processed, as well as the penalties that can be imposed as a result of violating the rights of said citizens.
What are the variations between the Law on the Implementation of the General Data Protection Regulation 2018 and the EU’s GPDR law?
Croatia’s Law on the Implementation of the General Data Protection Regulation 2018 varies from the EU’s GDPR law in certain respects as it pertains to the obligations of data controllers and processors. This is particularly true as it pertains to the collection and processing of special categories of personal data. For example, the “processing of genetic data for the calculation of the risk of disease and other health aspects of data subjects within the framework of activities for the conclusion or execution of life insurance contracts and contracts with clauses on survival shall be prohibited.” Alternatively, as it relates to biometric data processing, “public authorities may process biometric data only if laid down by law and necessary to protect persons, property, classified data, or professional secrets, taking into consideration that interests of data subjects which are contrary to the processing of biometric data from this Article should not prevail.”
Moreover, Croatia’s Law on the Implementation of the General Data Protection Regulation 2018 also mandates that certain restrictions are adhered to with respect to personal data that is collected via video surveillance. As stated in the law, the “processing of personal data by video surveillance may be carried out only for a purpose that is necessary and justified for the protection of persons and property, unless interests of data subjects that are contrary to the processing of personal data by video surveillance prevail.” Furthermore, the law also states that “video surveillance may cover premises, parts of premises, the outer surface of the building, as well as internal spaces in the means of public transportation, the surveillance of which is necessary to achieve the purpose referred to in paragraph 1 of this Article.”
What are the rights of Croatian citizens under the Law on the Implementation of the General Data Protection Regulation 2018?
Under Croatia’s Law on the Implementation of the General Data Protection Regulation 2018, the rights that are provided to Croatian citizens are largely the same as those offered to citizens residing within other EU member states. Such rights include but are not limited to the right to be informed of pertinent information concerning the processing of their personal data, the right to access any personal data pertaining to them that has been collected, processed, or disseminated, the right to request that their personal data be rectified or erased if said information has been found to be inaccurate, and the right to data portability. Additionally, the Law on the Implementation of the General Data Protection Regulation 2018 also provides Croatian citizens with the right to “to lodge a complaint in his name and to exercise in his name the rights referred to in Articles 77, 78, and 79 of the General Data Protection Regulation.”
To this end, Croatia’s Law on the Implementation of the General Data Protection Regulation 2018 is enforced by the Croatian Personal Data Protection Agency, or the Agency for short. As such, the Agency has the authority to impose a variety of fines and administrative sanctions against data controllers and processors within Croatia who are found to have violated the law, in accordance with the provisions of the EU’s GDPR law. Such sanctions and fines include:
- A monetary fine ranging from HRK 5,000.00 ($750) to HRK 50,000.00 ($7,508) for misdemeanor offenses.
- A fine of up to HRK 100,000.00 ($15,017) for repeated violations.
- Fines ranging from 2% of a company’s global turnover; or €10,000,000.00 ($11,291,250), whichever is higher.
- Fines ranging from 4% of a company’s global turnover, or €20,000,000.00 ($22,583,400), whichever is higher.
The enactment of Croatia’s Law on the Implementation of the General Data Protection Regulation 2018 ensured that the provisions of the EU’s GDPR law would be fully implemented into Croatian law. As such, Croatia has joined the litany of other nations around the world that has sought legislative measures for the purposes of protecting the personal data and privacy of their respective citizens. Through the advent of such legislation, Croatian citizens have multiple avenues of recourse should they feel as though their rights have been infringed or otherwise violated, as the provisions of Croatia’s Law on the Implementation of the General Data Protection Regulation 2018 allow for steep punishments to be imposed against parties who fail to comply with the law.