GDPR Enforcement in Croatia
Deep dive into relevant data protection enforcement cases and insights from Croatia

Fining practice
Trend: Have the national data protection authorities in Croatia focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Croatian Data Protection Agency (“Agencija za zaštitu osobnih podataka”, “Agency”) usually does not specifically announce the types of non-compliance it will be covering throughout a certain period. Until now the main focus of its monitoring, in terms of industries and sectors, has been on media/social networks/internet, marketing, the retail sector, the gambling sector and debt collection agencies.
The most frequently detected non-compliance issues were (i) unauthorised processing of personal data (e.g. processing without a legal basis), (ii) unauthorised disclosure of personal data (i.e. availability of personal data to unauthorised persons), (iii) issues with data encryption and (iv) making personal data public. Further sanctioned cases encompassed lack of compliance with data subjects’ rights (e.g. access to personal data), issues with the data processing notices such as non-compliant or non-existent video-surveillance notices, unclear and incorrect information on legal bases of processing and failure to properly determine roles and enter into data processing agreements.
Proceedings against smaller entities mostly deal with unlawful operations of video surveillance systems, including the lack of a compliant notice on processing.
In the annual plan for 2025, aside from investigations stemming from data subjects’ complaints and complaints of public institutions, the following sectors are underscored for ongoing ex officio investigations: the health sector, the banking and financial sector, telecommunications, insurance, gambling and the trade sector. Nonetheless, this does not preclude other sectors from potential audits and should not be understood as an exclusive announcement of sector-specific inspections.
Overall, what was the most significant fine in Croatia to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
To date, the most significant fine in Croatia was imposed on a debt collection agency, in the amount of EUR 5.47 million.
The investigation was triggered by an anonymous complaint stating that the controller unlawfully processed personal data; a USB stick attached to the complaint contained personal data of 181,641 individuals. As a controller, the debt collection company unlawfully processed sensitive (health-related) data of its debtors, as well as data of individuals who were not in a debtor-creditor relationship with it, most often telephone numbers, first and last names and residential addresses. It was determined that the controller had not implemented sufficient technical protection measures capable of detecting leakage of data from its system in a timely manner. Although a security system was in place, the Agency determined that, due to its deficiencies, the company had lost control over the movement of its data subjects’ personal data. Furthermore, the company recorded comments relating to the debtors’ state of health, which the Agency found to constitute excessive processing without an adequate legal basis. Additionally, the Agency determined that the controller had unlawfully recorded telephone conversations with data subjects, as the legitimate interest assessment on which the legal basis for that processing relied had not been carried out before the processing started. Finally, the Agency found that the data subjects had not been transparently informed about the processing of their data.
To date, it remains undisclosed whether this fine has been contested in court. However, given the debt collection agency’s public statements indicating its intent to use all available legal remedies to safeguard its interests, it is to be assumed that the fine has been disputed.
Organisation of authorities and course of fine proceedings in Croatia
How is the data protection authority organised in Croatia? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The Agency is an independent national authority, autonomous in its work. It is not assigned to a specific ministry but is accountable for its work to the Croatian Parliament.
According to the most recent annual report, as of 31 December 2024, the Agency employed 41 staff members.
Funding for the Agency's operations is allocated through the state budget on an annual basis. For 2024, the allocated budget was EUR 1,984,712.00. The publicly accessible financial plan of the Agency for 2025 indicates a proposed allocation of EUR 2,616,472.00.
How does a fine procedure work in Croatia? In particular: can the authority itself impose fines? How does the procedure work (e.g. notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to the company alone?), a formal penalty notice)? What legal remedies are possible against an imposed fine?
After conducting proceedings that are initiated ex officio or based on a request to determine a breach of the rights guaranteed by the GDPR or the Croatian Act on the Implementation of the GDPR, the Agency can impose several measures, including a monetary fine.
The Agency can carry out announced or unannounced inspections. In the case of an unannounced inspection, the supervised entity is notified at the time and place of the inspection. If interference with the inspection is expected, the Agency can be assisted by the Ministry of Internal Affairs (i.e. the police).
In the course of an inspection, the Agency can make copies of the relevant documents and data storage systems and acquire other relevant data. If copies cannot be made for technical reasons, the Agency can also temporarily seize the equipment and documents for up to 15 days. Furthermore, the Agency can seal the data storage system and equipment for up to 15 days if there is a risk of destruction or tampering with evidence. Following the inspection, the Agency prepares minutes and provides them to the supervised entity for comment. If comments are submitted, the Agency replies in writing stating whether the comments have been accepted.
The monetary fine is imposed by a decision of the Agency and must be paid within 15 days from the day such decision becomes final. The legal remedy is to initiate administrative dispute proceedings against the Agency within 30 days of the delivery of the decision on the imposed fine. The administrative dispute proceedings suspend the finality of the decision on the fine (including the fine payment).
Upon delivery of the decision on the fine, the practice of the Agency is to immediately publish on its website the summary of the violation, with anonymised information on the sanctioned entity.
Any decision that has become final will be published on the Agency’s website without being anonymised if the decision determines a breach in connection with processing of personal data of minors, special categories of personal data, automated individual decision-making or profiling, if the breach was committed by a data controller or processor who had already breached the provisions of Croatia’s Act on Implementation of the GDPR or the GDPR, or if a decision imposes an administrative fine in the amount of at least EUR 13,272.00 which has become final.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
The fines are paid into the state budget.
Is there a common, official calculation methodology for fines in Croatia (such as the fining models in the Netherlands or Germany)?
There is no official calculation methodology for fines in Croatia.
When imposing a fine, the Agency takes into consideration the nature of the violation, its intensity and duration, whether the violation was committed intentionally or negligently, the actions the controller/processor took to mitigate the damage suffered by the data subjects, the degree of responsibility of the controller/processor taking into account the technical and organisational measures implemented, any relevant prior violations by the controller/processor, the degree of cooperation with the Agency in order to remedy the violation and mitigate its adverse effects, the categories of personal data affected, the manner in which the Agency became aware of the violation, in particular whether the controller/processor notified the Agency itself, whether the controller/processor was previously fined for the same violation, adherence to approved codes of conduct or approved certification mechanisms, and any other aggravating or mitigating factors.
Can public authorities be fined in Croatia? If they can: Where does this money go?
Public authorities cannot be sanctioned with a monetary fine.
However, the Agency can use all remaining investigative (e.g. data protection audits, review of certifications) and corrective (e.g. order to bring processing into compliance; imposition of a temporary or definitive limitation including a ban on processing) powers towards public authorities in line with Article 58 GDPR.
In Croatia, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
On its website, the Agency publishes summaries on most cases involving individual fines. Also, the Agency sometimes publishes full decisions, but with the data of the sanctioned company anonymised. Although the information on the affected companies is usually not disclosed, in case of higher fines, the sanctioned entities are often recognisable.
In the cases of highest fines, the Agency has, in the published summaries, also noted the sanctioned entity.
The summaries often contain information on procedural steps, such as a brief description of how the Agency received the information on the potential violation and how it proceeded.
The Agency is authorised to publish the whole text of the decision, without anonymisation, when the decision becomes final and if the violation is in connection with processing of personal data of minors, special categories of personal data, automated individual decision-making, profiling, if the violation was committed by a data controller or processor who had already violated the provisions of the Croatian Act on Implementation of the GDPR or the GDPR, or if a decision was made in connection with the decision on an administrative fine in the amount of at least EUR 13,272.00 which has become final. Then the companies will be identifiable.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
The information on individual fines is usually published, but in a summarised form. However, the Agency publishes aggregated information as well. The aggregated information is contained in the annual report, which the Agency should submit to the Parliament no later than 31 March of the current year, for the preceding year. The report contains information on the total number of cases resolved by the Agency and the number of cases that resulted with fines.
2019 – total number of cases: 166 | total number of fines: 0
2020 – total number of cases: 152 | total number of fines: 1
2021 – total number of cases: 214 | total number of fines: 4
2022 – total number of cases: 317 | total number of fines: 14
2023 – total number of cases: 3,448 | total number of fines: 28
2024 – total number of cases: 3,972 | total number of fines: 38
Other legal consequences of non-compliance in Croatia
Does Croatia have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
The Croatian data protection law does not provide for any model declaratory proceedings/class actions.
However, data subjects may be able to join forces and take legal action together under other laws. In such cases, the conditions under the Civil Procedure Act or the Act on Representative Claims for Protection of Collective Interests and Rights of Consumers have to be met, and the lawsuit has to be brought by an authorised claimant, e.g. an association or another authorised entity.
- Under the Croatian Civil Procedure Act, only associations, bodies, institutions or other organisations founded in accordance with the law, whose registered or statutory activity includes the protection of statutory collective interests and rights of citizens, can bring class actions. Once the decision on the class action has been adopted and it has been determined that the defendant’s actions breached the rights of the persons the claimant is authorised to represent, every individual (natural or legal person) can file a separate lawsuit requesting compensation for damages or payment from the defendant. In these subsequent proceedings, the court is bound by the findings of the court that decided on the class action.
- Under the Croatian Act on Representative Claims for Protection of Collective Interests and Rights of Consumers, authorised entities may initiate class actions for the protection of collective interests and rights of consumers, including in respect of violations of the GDPR. The list of authorised entities is published by the ministry competent for consumer protection matters. Exceptionally, the court may also, with legal effect only in the specific case pending before it, recognise the standing of an association that meets the prescribed requirements but has not been included in the list of authorised entities.
What is more relevant in Croatia: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
Fines from authorities place a higher burden on controllers, not least because information on individual claims for damages or injunctions is not publicly accessible.
To date, Croatia has experienced a relatively low number of fines, with a notable surge in 2023 and 2024.
Although these fines are likely to be challenged in court, the legal proceedings are usually lengthy before a final and binding decision is reached. Nonetheless, fines from authorities remain highly significant, primarily due to their potential to significantly harm the reputation of the sanctioned entities.
In the upcoming years, as data protection awareness increases and various consumer protection regulations, especially in the digital world, are adopted, it is anticipated that regulatory actions will remain pivotal in shaping data protection compliance.