

I. Legal framework

Constitutional privacy and data protection framework

Personal data protection in Croatia is primarily a constitutional category arising from Article 37 of the Croatian Constitution, which came into force on 22 December 1990. The Croatian Constitution regards personal data protection as part of the protection of human rights and fundamental freedoms. Everyone is guaranteed the security and secrecy of their personal data. Personal data may only be collected, processed and used under the conditions determined by law, unless the person's consent is given. Use of personal data contrary to the purpose of its collection is forbidden.

The Croatian Constitution was amended in 2010, but there were no changes regarding privacy and data protection.1

On 16 November 2009, the Constitutional Court of the Republic of Croatia passed a resolution rejecting2 a motion to institute proceedings for an evaluation of the constitutionality of the Personal Data Protection Act3 and the Act on the Amendment of the Personal Data Protection Act.4 The motion was introduced by a Croatian citizen who claimed that the Personal Data Protection Act had not been approved by the special majority that the Constitution requires for "organic acts", i.e. the acts that regulate the rights of national minorities, constitutionally defined human rights and fundamental freedoms, the electoral system, the organisation and jurisdiction of state bodies, and the organisation and jurisdiction of local self-government. The Constitutional Court (ruling U-I/1242/2004) held that the Personal Data Protection Act should have been treated as "organic" and should therefore have been approved by the required majority of all representatives in the Croatian Parliament, whereas it had in fact been approved by a simple majority. However, according to the Court, the fact that the subsequent Amendments were passed with the required majority validated the Act in full.

Privacy and data protection laws and regulations

Comprehensive law

The Croatian Personal Data Protection Act (Zakon o zaštiti osobnih podataka) entered into force on 4 July 2003.5 The Croatian Parliament also passed a decision promulgating the Act on Amendments to the Personal Data Protection Act in 2006 (Zakon o dopunama Zakona o zaštiti osobnih podataka), which entered into force on 10 November 2006,6 and another decision concerning further amendments in 2008 which entered into force on 17 April 2008 (Zakon o izmjenama i dopunama Zakona o zaštiti osobnih podataka).7

The Personal Data Protection Act regulates the protection of personal data regarding natural persons and the supervision of collecting, processing, and using personal data in the Republic of Croatia. The purpose of personal data protection is to protect the privacy of individuals as well as human rights and fundamental freedoms in the collection, processing, and use of personal data. The protection of personal data in the Republic of Croatia has been ensured for every natural person irrespective of his or her citizenship or place of residence, and regardless of race, colour, sex, language, religion, political or other convictions, national or social background, property, birth, education, social standing, or other characteristics.

The data protection principles provided for in the Croatian Personal Data Protection Act are similar to those found in the data protection laws of other European countries. Personal data must be collected and processed only for purposes allowed by law and of which the data subject has been expressly informed. Collection must be limited to what is necessary for achieving the stated purpose. Personal data has to be accurate, complete and up to date. Personal data has to be kept in a form that permits identification of the data subject for no longer than is necessary for the purpose for which the data is collected or further processed.

Pursuant to the Personal Data Protection Act, violations of the Act are punishable as misdemeanours with relatively low fines, between €2,740 and €5,480; the responsible person within a legal entity can also be fined between €685 and €1,370.8 Pursuant to the Penal Law, a person who, without the consent of the data subject and contrary to the conditions determined by law, collects, processes or uses personal data, or uses such data contrary to the purpose of its collection, can be sentenced to a fine or to imprisonment for up to six months.9 There is no reliable data on the penalties actually imposed, since (i) misdemeanour fines are administered by various local misdemeanour courts and (ii) no criminal convictions have been reported.

The Croatian Agency for Personal Data Protection has claimed that the Personal Data Protection Act has also been harmonised with all relevant provisions of European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.10 However, the European Commission, in its most recent (2009) Progress Report on Croatia's preparation for EU membership, stated that full alignment with the Data Protection Directive and the Council of Europe legal instruments remained to be completed.11 The report does not specify the actions Croatia is required to complete.

Pursuant to the Personal Data Protection Act, the Government of the Republic of Croatia has also passed two regulations in the personal data protection domain. The first is the Regulation on the Manner of Maintaining Records on Personal Data Collections and the Form of such Records (Uredba o načinu vođenja i obrascu evidencije o zbirkama osobnih podataka), which entered into force on 5 August 2004.12 The Regulation defines the data which the records on personal data collections must contain: the name of the collection; the name and domicile of the data handler; the purpose of processing; the legal basis for the collection; the categories of persons to whom the data relates; the type of data contained in the collection; the method of collecting and storing the data; the time period for collecting and using the data; the name and domicile of the users of the collection; notice of import or export of data to or from the Republic of Croatia, together with the state or international organisation and foreign user concerned and the purpose of the export or import as determined by international treaty, law or other regulation, or the written consent of the person to whom the data relates; and notice of the measures taken for the protection of the personal data. The Regulation also defines the forms for such records. As for processing methods, the form provides for: (i) manual processing of data; (ii) automatic processing of personal data; and (iii) partially automated processing with a corresponding manual file register.

The second is the Regulation on the Procedure for Storage and Special Measures of Technical Protection of Special Categories of Personal Data (Uredba o načinu pohranjivanja i posebnim mjerama tehničke zaštite posebnih kategorija podataka), which entered into force on 14 October 2004.13 It defines the measures, means and conditions of storing, securing, protecting, and transferring special categories of personal data, and sets forth personal data collection measures such as maintaining and verifying the proper operation of computer and telecommunication equipment and software of the systems for maintaining special personal data collection, the security of the workspace where such equipment is located, and the authorisation of persons responsible for the implementation and supervision of such measures.

Sector-based law

So far there have been no significant developments regarding personal data protection in sector-based law, except for the law concerning the general protection of information, related to information society (information security and fight against cybercrime, information society services), electronic communications, and consumer protection.

As far as information security and the fight against cybercrime are concerned, the relevant legal framework is the Information Security Act,14 the Data Secrecy Act,15 the Regulation on Information Security Measures,16 the Regulation on Security Check-up for Access to Classified Data,17 the Regulation on the Manner of Labelling Classified Data, Contents, and Appearance of the Statement of the Executed Security Check-up and the Statement of Handling Classified Data18 and the Act on Confirming the Convention on Cybercrime.19 The provisions of the Convention on Cybercrime have been implemented accordingly in the Penal Law (Articles 223, 223a, 224, 224a and 224b) and Criminal Proceedings Act.20

With regard to Information Society Services, the relevant legal framework is provided for under the Electronic Signature Act,21 the Regulation on the Measures and Procedures of the Usage and Protection of the Electronic Signature and Advanced Electronic Signature, Certification System, and Obligatory Insurance of the Service Provider, and the Issuing of Qualified Certificates,22 the Electronic Commerce Act23 and the Electronic Public Document Act.24

Electronic Communications are regulated by: the Electronic Communications Act,25 the Telecommunications Act,26 the Act on the Amendments of the Telecommunications Act,27 the Regulation on Awarding Addresses and Numbers,28 the Regulation on the Transferability of Numbers,29 the Regulation on the Manner and Conditions of the Prevention of Fraud in the Provision of Electronic Mail Services,30 the Regulation on the Directory and Service Providing Information about Subscribers,31 the Regulation on Universal Services in Electronic Communications,32 the Regulation on the Working Procedure of the Interior Organisational Unit for Consumer Rights Protection,33 the Regulation on the Manner and Conditions of the Performing the Activities of Electronic Communication Networks and Services,34 the Regulation on the Manner and Conditions of the Access and Joint Usage of Electronic Communication Infrastructure and Related Equipment,35 the Addressing Plan,36 the Numeration Plan,37 and the Regulation on the Obligations in the Area of National Security of the Republic of Croatia for Legal and Physical Persons in Telecommunications.38

Consumer Protection is regulated by the Consumer Protection Act.39

Of the sector-based acts and regulations, only those that entered into force after the Personal Data Protection Act in 2003 can be said to provide for the protection of personal data, and some improvements can be found in the acts, amendments and regulations promulgated after the PDPA amendment of 2008. These include the Electronic Commerce Act,40 the Electronic Signature Act,41 the Electronic Communications Act,42 the Regulation on Awarding Addresses and Numbers,43 the Regulation on the Transferability of Numbers,44 the Regulation on the Manner and Conditions of the Prevention of Fraud in the Provision of Electronic Mail Services,45 the Regulation on the Working Procedure of the Interior Organisational Unit for Consumer Rights Protection,46 etc. For instance, the above-mentioned Regulation on the Transferability of Numbers specifies the form of the Request for the Transfer of a Phone Number, which includes the following statement: "In addition to this, the Subscriber consents explicitly by his/her signature on this request that his/her personal data may be used for the purpose of enabling the service of the transfer of a phone number and may be collected, processed and exchanged between the operator and the Agency. By signing this request, the Subscriber confirms that he/she has been thoroughly informed and consents to the conditions of the number transfer stated in this request".

Telecommunications, consumer protection and information society services may thus be considered the essential sectors for personal data protection, whereas privacy protection in other sectors (e.g. health and social welfare, labour, economy and entrepreneurship, culture, agriculture, science, education, sports, regional development, construction, tourism, interior affairs, foreign affairs or defence) has not been specifically tackled by law. Some contribution to sector-based law may be seen in a specific law on credit institutions and their clients, namely the Credit Institution Act,47 which covers financial, insurance and banking business in Croatia.

Data protection authority

As defined by the Personal Data Protection Act, the competent body for the protection of personal data in Croatia is the Agency for Protection of Personal Data (hereinafter the Agency).48 The seat of the Agency is in Zagreb. The scope of the Agency is defined in Articles 32 and 33 of the Act, encompassing both administrative and specialised tasks related to personal data protection. The Agency is an independent body with public authority and is responsible to the Croatian Parliament, meaning (i) that the organisation and method of work of the Agency is determined by its statute, which is confirmed by the Croatian Parliament; (ii) that the director and the assistant director of the Agency are appointed and recalled by the Croatian Parliament on the suggestion of the Government of the Republic of Croatia; and (iii) that the Agency submits a written report on its activities to the Croatian Parliament at its request and at least once a year.

The Agency plays a central role in data protection in the Republic of Croatia. Pursuant to Article 32 of the Personal Data Protection Act its tasks include: supervision of the implementation of personal data protection; pointing out possible violations noted while personal data is being collected; compiling a list of the states and international organisations which have adequately regulated personal data protection; maintenance of the Central Registry of Personal Data Collections, which is publicly available;49 and resolution of requests regarding possible violations of the rights guaranteed by the Personal Data Protection Act. The Central Registry contains information on all personal data collections, namely: the name of the collection, the name and address of the person maintaining the collection, the purpose of processing the data, the legal basis for the collection, the categories of persons the data covers, the type of data contained in the collection, the method of collecting and maintaining the data, the time period for which the data will be maintained and used, the name and address of the user of the collection, notice of import or export of the data to or from the Republic of Croatia including the user and purpose, and notice of the measures that have been implemented for the protection of the personal data.50 Pursuant to the Agency's Annual Reports for 200851 and 2009,52 the Central Registry contains 11,908 personal data collections (2,230 personal data collections were registered with the Agency during 2008, and a further 3,604 during 2009).

In its supervisory activities the Agency is entitled to act ex officio and on individual requests to establish whether data subjects' rights have been violated during personal data processing. Pursuant to Article 34 of the Personal Data Protection Act, if during its supervisory activity the Agency determines that there have been violations of the law regulating the protection of personal data, it has the right to notify or warn the data controller and to issue a decision: ordering the rectification of any irregularities; temporarily prohibiting the processing of personal data; ordering the erasure of personal data; prohibiting the export of data from the Republic of Croatia or the use of such data by other persons; and prohibiting the processing of data by persons who do not fulfil the conditions of the law. Pursuant to the Annual Report for 2008, the Agency supervised 626 cases in that year, either on the complaints of other parties or ex officio. The most common violations of the Personal Data Protection Act relate to the registration of personal data collections, the legal grounds for the collection and processing of personal data, the purpose and scope of data collection, a lack of protection of the data, the duration of use and the erasure of the data, and the delivery of data to users and its use for marketing purposes.

The Croatian Personal Data Protection Agency is also tasked with raising awareness of the importance of effective data protection and cooperates with numerous ministries, authorities, NGOs and other bodies, such as the Ministry of Science, Education and Sports and the Croatian Chamber of Economy. To mark European Data Protection Day on 28 January, the Agency organises annual Regional Round Tables addressing data protection. This year, in cooperation with a distinguished consumer NGO, the Society for Consumers' Protection "Potrošač", two presentations were given: "Identity and data protection for users of financial and banking services" and "Identity and data protection for users of telecommunication services." These presentations aimed to raise overall awareness and knowledge in a practical manner from the perspective of the individual. The Agency also organises numerous educational seminars (approximately 12 per year) for both individuals and data controllers concerning privacy and data protection in the Republic of Croatia. On 25 November 2010 the national Conference on Privacy ("Privacy 2010") was held in Zagreb.53

The Agency proactively participates in international conferences and working parties as a member or observer, thus contributing to the development of data protection and aiding in the harmonisation of the Croatian legal framework of personal data protection with European norms and standards. It also ensures the fulfilment of stipulated obligations stemming from international conventions signed and ratified by the Republic of Croatia.54

The Agency cooperates professionally with numerous agencies from EU member states, especially the Austrian, Slovenian, Hungarian and Spanish agencies that work on data protection.

The Croatian Personal Data Protection Agency has full member status in the so-called Spring Conference of the Commissioners for personal data and privacy protection, and in the Working Group on Police and Justice. It is thus engaging with the new field of data protection in connection with police and law enforcement.

The Agency has shown that it is able to conduct investigations in response to complaints. In one case, a customer complained against a telecommunications firm. The firm provided the Agency with the customer data access logs relating to the complainant's personal data; the logs for the previous six months were extracted and compared with the complainant's calls from his number to the firm's Customer Service line. The Agency discovered that Customer Service employees had accessed the complainant's records even when he was not calling the department. The Agency ruled that the firm was at fault and ordered it to install an internal control and monitoring system recording when and how staff members access client files. The Agency also required the firm to amend the provisions of its "Customer Data Protection Procedure" so that users can periodically check the processing carried out by the firm.
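The check the Agency's finding rests on (a record access with no customer call behind it) is what the ordered monitoring system has to automate. The following is an added example, not part of the original report and not the operator's or the Agency's code: it correlates a CRM access log with a call log and flags every access to a customer's record that falls outside any call window for that customer. The two log formats, the agent and customer identifiers, the sample entries and the 15-minute post-call grace period are all constructed assumptions for illustration. It goes slightly beyond the single-complainant case by also flagging accesses to a customer who never called at all.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs for this example; they are not records from the case.
# Call log: call start, call end, id of the subscriber who called Customer Service.
CALL_LOG = """\
2010-03-01T09:00:00,2010-03-01T09:12:00,C-1001
2010-03-02T14:30:00,2010-03-02T14:41:00,C-1001
"""

# Customer-record access log: timestamp, agent login, customer id opened, action.
ACCESS_LOG = """\
2010-03-01T09:03:10,agent07,C-1001,VIEW_PROFILE
2010-03-01T09:05:44,agent07,C-1001,VIEW_CALL_HISTORY
2010-03-01T22:17:03,agent12,C-1001,VIEW_PROFILE
2010-03-02T14:35:00,agent03,C-1001,VIEW_INVOICES
2010-03-03T10:00:00,agent03,C-2002,VIEW_PROFILE
2010-03-04T11:02:19,agent12,C-1001,VIEW_CALL_HISTORY
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    agent: str
    customer: str
    action: str


def parse_calls(text: str) -> dict[str, list[tuple[datetime, datetime]]]:
    """Map each customer id to the (start, end) windows of that customer's calls."""
    windows: dict[str, list[tuple[datetime, datetime]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, customer = line.split(",")
        windows.setdefault(customer, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end))
        )
    return windows


def parse_accesses(text: str) -> list[Access]:
    """Parse the access log into Access records, preserving log order."""
    out: list[Access] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, customer, action = line.split(",")
        out.append(Access(datetime.fromisoformat(ts), agent, customer, action))
    return out


def unmatched_accesses(
    accesses: list[Access],
    calls: dict[str, list[tuple[datetime, datetime]]],
    grace: timedelta = timedelta(minutes=15),
) -> list[Access]:
    """Return accesses that fall outside every call window for that customer.

    Each window is extended by `grace` (an assumed policy value) so that wrap-up
    work immediately after a call is not flagged. A customer with no calls has
    no windows, so every access to that customer's record is flagged.
    """
    flagged: list[Access] = []
    for a in accesses:
        windows = calls.get(a.customer, [])
        if not any(start <= a.ts <= end + grace for start, end in windows):
            flagged.append(a)
    return flagged


def count_by_agent(flagged: list[Access]) -> dict[str, int]:
    """Tally flagged accesses per agent, the first figure an investigator wants."""
    counts: dict[str, int] = {}
    for a in flagged:
        counts[a.agent] = counts.get(a.agent, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = unmatched_accesses(parse_accesses(ACCESS_LOG), parse_calls(CALL_LOG))
    for a in flagged:
        print(f"{a.ts.isoformat()} {a.agent} opened {a.customer} ({a.action}) with no matching call")
    print(count_by_agent(flagged))
```

On the constructed logs, the two accesses during the 1 March and 2 March calls pass, while the late-evening and 4 March accesses by agent12 and the access to the customer who never called are flagged. In a real deployment the call log would come from the telephony platform and the access log from the CRM's audit trail, and the grace period would be set from the operator's own wrap-up policy rather than assumed.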

Major privacy and data protection case law

The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.55