The Act is the principal legislative act dealing with data protection and privacy in Croatia. The English translation of the Act can be found at: http://azop.hr/page.aspx?PageID=79.

Apart from the Act, specific aspects of data protection are regulated in sector- specific statutes, such as the Labour Act (employment-related aspects of data protection and processes), the Patient Rights Protection Act (privacy of patient data), or the Electronic Communications Act (use of cookies).

As Croatian data protection legislation is fully harmonized with the EU data protection rules, communications, working papers and the jurisprudence of the EU data protection bodies is regularly used as an interpretative tool in all cases when local rules are silent on certain issues.

The national data protection authority is the Croatian Personal Data Protection Agency (AZOP’). AZOP has a registered seat in

Fra Grge Martica 14

Zagreb

www.azop.hr

If an entity employs more than 20 employees, it has to appoint a data protection officer and to publish his/her contacts on the company’s website. This appointment is to be notified to the AZOP within one (1) month. A data protection officer cannot be a person charged with violation of the company’s ethical code or is under disciplinary proceedings for breach of his/her duties.

The obligation to appoint data protection officers in Croatia is set out in both the Act and the Croatian Labour Act.

Under both statutes, employers hiring 20 or more employees are obliged to appoint a data protection officer who is in charge of monitoring the collection, processing, use and transfer of employees’ Personal Data. In particular, the data protection officer must:

• ensure that data processing is performed in accordance with applicable laws;
• inform all persons working on Personal Data protection about their legal obligation to protect Personal Data;
• ensure the exercise of the individual’s rights as provided in the Act; and
• cooperate with the DPA on implementing the supervision of Personal Data processing.

Data protection officers are appointed by a written decision of the employer, which has to be delivered to the DPA within one month from the appointment. The DPA maintains the Register of Data Protection Officers.

Employers must ensure to render two decisions on appointment of the data protection officers, one for fulfilment of their obligations under the Labour Act and another for fulfilment of the obligation set in the Act.

There is no data security breach notification duty explicitly prescribed by the DP Law.

Notification/Registration Requirements:

Under the Act, data collectors must report every collection and processing of Personal Data to the DPA. The reporting is done by registration of a database with the Data Protection Register administered by the DPA (“Register”). This process consists of two steps.

Prior to the actual registration of a database or the amendment of an existing registration (by registering, for example, the fact that the data in the database is transferred out of Croatia or otherwise re-processed), data collectors are obliged to notify the DPA about the intention of such registration. The notification should be made prior to commencing the collection of Personal Data or actual processing. However, in practice, this step is often overseen.

Once the Personal Data is collected and a database is compiled, or when the processing has been performed, the data collector is also obliged to register such database, or the fact of processing into an existing database, with the Register. These registrations should be made within 15 days from the creation of the new database or performing the processing action.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)

Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.

The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

the recipient’s details were originally collected “in the context of a sale”.

the entity sending the marketing is the same legal entity that collected the recipient’s details initially.

the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.

the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

Electronic Communications Act (Official Gazette No. 73/2008, 90/2011, 133/2012, 80/2013, 71/2014)

First party e-marketing

(entity that collects the data will send the e-marketing itself)

B2C: Opt-out

B2B: Opt-out

Third party e-marketing

(entity that collects the data will share with third party partner for e-marketing)

B2C: Opt-in

B2B: Opt-in.