On July 1, 2013, the Republic of Croatia joined the European Union, increasing the number of EU Member States to 28. As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of the EU legislation), which includes the EU Data Protection Directive 95/46/EC (“Data Protection Directive”).
In 2003, Croatia adopted the Act on Personal Data Protection (the “Act”), which it subsequently amended in 2006, 2008 and 2011. The Act closely tracks the principles of the Data Protection Directive. For example, international data transfers outside of Croatia are only allowed when an adequate level of protection of personal data is ensured (unless a derogation applies). Additionally, the Act requires data controllers to maintain records of their processing activities, which must be submitted to the Personal Data Protection Agency for compilation in a Central Register. This generally corresponds to the notification obligation under the Data Protection Directive. For certain specified violations, the Act establishes fines in the amount of HRK 20,000 to 40,000 (approximately €2,700 to €5,400).
In addition, Croatia has enacted several specific laws and regulations. For example, the Electronic Communications Act implements the e-Privacy Directive 2002/58/EC, as amended by Directive 2009/136/EC, and the Regulation on the Procedure for Storage and Special Measures Relating to the Technical Protection of Special Categories of Personal Data sets forth detailed information security measures.
The Croatian Personal Data Protection Agency monitors compliance with the Act on Personal Data Protection.