
CROATIA - Data Protection and GDPR Review

Croatia's history of data protection has evolved significantly over the years, particularly as the country aligned its laws with European Union standards. Below is an overview of the key milestones and developments in data protection within Croatia.

1. Early Legislation and Initiatives

Croatia's interest in data protection began to take shape in the late 1990s and early 2000s. During this time, the country recognized the need to protect individuals' personal information in the face of advancing technology and the growing digital economy.

2. Personal Data Protection Act (PDPA) of 2003

The adoption of the Personal Data Protection Act in 2003 marked Croatia's first comprehensive legislation aimed at safeguarding personal data. The Act laid down principles, obligations, and rights relating to data protection, reflecting the standards set by the EU Data Protection Directive (95/46/EC).

3. Establishment of the Croatian Personal Data Protection Agency (AZOP)

Concurrent with the PDPA's enactment, the Croatian Personal Data Protection Agency (AZOP) was established as an independent body responsible for overseeing compliance with data protection laws, providing guidance, and handling complaints.

4. Amendments and Revisions

Over the years, the PDPA underwent several amendments to align with evolving technologies and international standards. Revisions included clarifications on the roles of data controllers and processors and enhancements to individuals' rights.

5. Accession to the European Union in 2013

Croatia's accession to the European Union in July 2013 marked a critical juncture in its data protection journey. As a member state, Croatia was required to harmonize its national legislation with EU standards, leading to further adjustments to its data protection laws.

6. Implementation of the GDPR

The EU's General Data Protection Regulation (GDPR), effective from May 25, 2018, replaced the Data Protection Directive, necessitating significant changes to Croatia's data protection landscape. Croatia adopted the GDPR, bringing its laws into full alignment with the new regulation. The GDPR introduced new principles, rights, and obligations, transforming how personal data is handled within Croatia and across the EU.

7. Ongoing Evolution and Challenges

Since the implementation of the GDPR, Croatia has continued to face challenges in areas such as enforcement, awareness, and technological adaptation. The AZOP actively works to promote compliance and address issues as they arise.

Croatia's history of data protection reflects a committed approach to evolving with international standards, especially in alignment with the European Union's framework.

The journey from the initial PDPA to the full implementation of the GDPR represents significant progress in protecting individuals' personal data within the country. Efforts continue to ensure that data protection remains responsive to technological advancements and the changing global environment.

Since joining the European Union in 2013, Croatia has fully aligned its data protection laws with EU regulations, including the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. This comprehensive guide provides an overview of the main principles, rights, and obligations concerning data protection under the GDPR in Croatia.

1. Scope and Applicability of the GDPR in Croatia

The GDPR applies to all organizations and individuals processing personal data within Croatia, as well as those outside Croatia if they target or monitor EU residents. This includes both public and private sectors.

2. Key Principles of Data Processing

The GDPR sets out several key principles for data processing, including:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully and transparently.

  • Purpose Limitation: Data must be collected for specific and legitimate purposes.

  • Data Minimization: Only necessary data should be processed.

  • Accuracy: Data must be accurate and up to date.

  • Storage Limitation: Data should not be kept longer than necessary.

  • Integrity and Confidentiality: Data must be handled securely.

3. Rights of Data Subjects

Individuals have several rights under the GDPR, including:

  • Right to Information: Data subjects must be informed about how their data is used.

  • Right of Access: Individuals have the right to access their personal data.

  • Right to Rectification: Data subjects can correct inaccurate data.

  • Right to Erasure: Also known as the "right to be forgotten."

  • Right to Object: Right to object to specific uses of data, such as direct marketing.

  • Right to Data Portability: Individuals can request their data in a portable format.

4. Obligations for Data Controllers and Processors

Organizations handling personal data have specific obligations:

  • Data Protection Impact Assessments: Required for high-risk processing activities.

  • Appointment of a Data Protection Officer: Necessary for certain organizations.

  • Record-Keeping: Maintaining records of processing activities.

  • Data Breach Notification: Data breaches must be reported to the supervisory authority within 72 hours.

5. Croatian Personal Data Protection Agency (AZOP)

AZOP is Croatia's supervisory authority for data protection. It provides guidance, oversees compliance, and handles complaints.

6. Cross-Border Data Transfers

Transfers of personal data outside the EU/EEA must meet specific requirements to ensure an adequate level of protection.

7. Penalties and Enforcement

Non-compliance can lead to significant fines, up to €20 million or 4% of the annual global turnover, whichever is higher.

8. Special Considerations in Croatia

Though the GDPR is a uniform regulation across the EU, member states may have specific provisions or interpretations. In Croatia, these may relate to areas like employment data or data processing by public authorities.


Compliance with the GDPR in Croatia involves understanding and implementing a broad array of principles, rights, and obligations. Organizations must ensure that their practices align with the regulation and that they are prepared to respond to the rights and requests of data subjects. Engaging with local legal expertise and keeping abreast of guidance from AZOP can help navigate the complex landscape of data protection in Croatia.

