The Complete Guide to GDPR in Croatia: Navigating National Deviations and the Implementation Act
While the General Data Protection Regulation (GDPR) establishes a unified baseline for data privacy across the European Union, it is not a rigid, one-size-fits-all framework. Through designated “opening clauses,” EU member states have the authority to introduce national deviations to adapt the regulation to their specific legal and cultural landscapes.
In Croatia, the GDPR is directly applicable but is heavily supplemented by the Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka). This Act introduces highly specific, strict requirements—particularly concerning workplace privacy, surveillance, and sensitive data—that businesses simply cannot ignore.
The Act is enforced by the Croatian Personal Data Protection Agency (AZOP), and failing to align with these local nuances can result in significant penalties. Whether your company is expanding into Zagreb or managing a remote Croatian workforce, understanding these local deviations is essential. At Complico Consulting GmbH, we specialize in decoding these localized laws to keep your business secure and compliant.
Key Deviations: The Croatian Implementation Act vs. EU GDPR
Croatia has utilized the GDPR’s opening clauses to enact specific rules regarding sensitive data processing, employee monitoring, and digital consent. To avoid regulatory enforcement, companies must adjust their compliance frameworks to account for the following local deviations:
1. The 6-Month Rule and Strict Limits on Video Surveillance (CCTV)
Video surveillance is one of the most heavily regulated areas under Croatian privacy law, far exceeding the general text of the GDPR.
Retention Limits: Personal data collected via video surveillance must not be retained for longer than six months, unless required as evidence in judicial, arbitral, or similar administrative proceedings.
Workplace Restrictions: Employers must inform employees in advance before implementing CCTV. Furthermore, video surveillance is strictly prohibited in rest areas, personal hygiene facilities (restrooms), and changing rooms.
Double Fines: Violating video surveillance rules in Croatia is uniquely risky. The Implementation Act prescribes specific local administrative fines (up to approximately €6,700) for CCTV violations, which can be levied in addition to overarching GDPR fines.
2. Absolute Prohibition on Specific Genetic Data Processing
The GDPR classifies genetic data as a “special category,” generally prohibiting its processing unless explicit consent is provided (Article 9).
The Croatian Deviation: Croatia has introduced an absolute ban on processing genetic data for the purpose of calculating the probability of disease or other health aspects when executing life insurance contracts. In Croatia, this processing is strictly prohibited even if the data subject gives explicit consent.
3. Processing Biometric Data in the Workplace
Biometric data (such as fingerprint scanning or facial recognition) is frequently used globally for time tracking and security.
The Croatian Deviation: Both public and private entities in Croatia can process biometric data, but only if it is necessary for protecting people, property, or business secrets. If an employer wishes to use biometric data to record employee working hours or attendance, they must obtain the employee’s explicit consent. Furthermore, employees must be provided with a non-biometric alternative (e.g., a swipe card or PIN) if they refuse to consent.
4. The Age of Digital Consent Remains Strict
While the GDPR sets the default age of digital consent for information society services at 16, it allows member states to lower it to as young as 13.
The Croatian Stance: Unlike countries such as Bulgaria or Austria, Croatia did not lower the age limit. The age of valid digital consent remains firmly at 16 years old. Any business offering online services, apps, or social platforms to Croatian residents under 16 must obtain verifiable consent from a parent or legal guardian.
5. Mandatory DPIA “Blacklist” by AZOP
The Croatian Data Protection Agency (AZOP) is a highly active supervisory authority. While the GDPR requires a Data Protection Impact Assessment (DPIA) for high-risk processing, AZOP has published a specific, mandatory “blacklist.”
This list outlines 13 specific types of processing operations that automatically require a DPIA in Croatia. Companies operating locally must cross-reference their activities against AZOP’s specific list to ensure they are not inadvertently skipping a mandatory risk assessment.
Why Your Business Needs Complico Consulting GmbH
Attempting to enforce a generic “EU-wide” compliance strategy in Croatia is a significant legal risk. The AZOP is actively conducting investigations and issuing fines, particularly in response to data subject complaints regarding surveillance and unauthorized data processing.
At Complico Consulting GmbH, we bridge the gap between overarching EU regulations and the specific demands of the Croatian Implementation Act. We provide:
- Localized Croatian Privacy Audits: We evaluate your data processing frameworks, especially CCTV and HR data, against the specific requirements of the Croatian Implementation Act.
- DPIA Execution against AZOP Standards: We help you identify whether your activities fall under AZOP’s 13-point blacklist and conduct the mandatory Data Protection Impact Assessments.
- Employee Data & Surveillance Compliance: We align your workplace monitoring, video surveillance, and biometric time-tracking systems with strict Croatian labor and privacy laws.
- Consent & Policy Localization: We adjust your Privacy Policies, cookie banners, and marketing protocols to respect the 16-year age of consent and local transparency requirements.
Conclusion
Expanding your business operations into Croatia or hiring local talent requires a precise understanding of the country’s specific national additions to the GDPR. By understanding how Croatia approaches video surveillance, biometric data, and genetic information, you can safeguard your business from costly fines and build lasting trust with your users and employees.