Tue, Feb
62 New Articles

Croatian Implementation and Enforcement of GDPR: State of Play as at December 2019

Croatian Implementation and Enforcement of GDPR: State of Play as at December 2019


Following the adoption of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („GDPR“) on April 27, 2016, the Croatian GDPR Implementing Act („GDPR Act“) entered into force on May 25, 2018, simultaneously with the start of application of the GDPR.

Specific processing operations 

GDPR Act has made use of a number of GDPR's opening clauses. Most notably, the GDPR Act has set out further conditions and limitations with regard to the processing of genetic and biometric data based upon Article 9(4) of the GDPR. In this regard, the GDPR Act has essentially introduced a prohibition on the processing of genetic data in the context of life insurance agreements or endowment clauses and has set out specific rules for the processing of biometric data, which apply differently depending on whether biometric data is processed by public or private sector entities. Furthermore, the GDPR Act has introduced specific conditions for the processing of biometric data in the context of employment. 

The GDPR Act also set out detailed conditions applicable to the processing of personal data by means of video surveillance, including rules governing specific types of surveillance, notably of residential buildings, working premises, and public areas. Following the start of the application of the GDPR and the GDPR Act, the Croatian Personal Data Protection Agency („DPA“) issued several opinions dealing with video surveillance. In these opinions, the DPA clarified the distinction between video surveillance and live streaming in public areas where the data does not constitute a part of the filing system as well as the transparency requirements related to video surveillance in residential buildings. 

Data Protection Impact Assessment (DPIA)

As required by Article 35(4) of the GDPR, in December 2018 DPA adopted a resolution on the list of processing operations kinds that are subject to the DPIA requirement from Article 35(1) of the GDPR. The list published by the DPA essentially follows the principles set out in the Article 29 Working Party Guidelines on Data Protection Impact Assessment by specifying 13 kinds of processing operations that require a DPIA (in addition to the activities that require a DPIA under the GDPR), including systematic and large-scale profiling, processing sensitive data, use of new technologies, processing data on criminal convictions and offenses, processing geolocation data, etc.

Enforcement activities of the DPA 

Based on the publicly available decisions of the DPA, no administrative fines for violations of either the GDPR or the GDPR Act have been imposed in Croatia by 31 December 2019. Instead, the DPA has exercised its other corrective powers from Article 58 of the GDPR in cases where the DPA established that processing operations concerned infringe the provision of the GDPR and GDPR Act. In addition, following the start of application of the GDPR and the GDPR Act, DPA has published a number of opinions dealing with specific processing operations in different sectors, including banking and anti-money laundering activities, debt collection activities, processing operations in an employment context and other areas.  


Based on the European Data Protection Board's Information Note on data transfers under the GDPR in the event of a no-deal Brexit, the DPA has published a note on the post-Brexit data transfers from Croatia to the UK in the event of a no-deal Brexit. Considering that in the no-deal Brexit scenario, the UK would become a third country within the meaning of GDPR, any data transfers from Croatia to the UK would have to be based on either standard clauses, binding corporate rules, approved codes of conduct and certification mechanisms, or specific derogations which should be interpreted restrictively

By Marija Gregoric, Partner, and Lovro Klepac, Associate, Babic & Partners Law Firm

Croatian Knowledge Partner

Čipčić-Bragadin Mesić & Associates is one of the leading law firms in Croatia that serve companies, credit & financial institutions and public entities. We have been recommended and recognized as the legal experts and service leaders by many leading international legal guides for more than 15 consecutive years. With roots dating from 1928. we now probably have more tradition, experience and market presence than almost any other law firm in Croatia. We work closely with the leading international law firms and consultants so we’re able to manage complex, cross-border projects and deals seamlessly and successfully. Around 85% of our clients are international enterprises doing business in Croatia. List of our clients include some of the world-renowned companies such as Amazon Europe Core, China Machinery Engineering Corporation, Tate & Lyle, Nafta a.s., Unilever Croatia, Unilever Hungary, Lenovo, Innoenergy CE, Flixmobility, Flixbus CEE South, Okoenergie Group, CTC Holding, Bunge Limited, Chipita, Rolls-Royce, Canvas Holidays, Vacalianselect, Redgate Software, Red gate Investment, Yahoo!, Aston Martin Lagonda, Domino Printing UK, Domino Printing Sciences, Goldman Sachs, Deutsche Bank, Barclays Bank, HSBC, State Street Bank, Citigroup Global Markets, Credit Suisse, Bank of America Merill Lynch, Standard Chartered, Och-Ziff Capital Management, Amundi Asset Management, Altima International, Red Arc Global Investments, SMBC Nikko Capital Partners, Royal Bank of Scotland, Morgan Stanley International, J.P. Morgan group, Allianz Global Investors, Schroders, Macquarie Bank, Digital Finance International, Winton Capital Management, Citibank, Invesco Asset Management Österreich, Croatian Pension Investment Company, Unicredit Bank AG etc. We enjoy learning about our clients’ businesses and want to understand them completely so we can provide the best possible and complete service.

All News about, and Legal Analysis by, Čipčić-Bragadin Mesić & Associates can be found here.

Firm's website: cipcic-bragadin.com


Our Latest Issue