What to do in the case of the infringement of the data subject’s rights?

Data protection Agency as a national supervisory authority supervises the implementation of personal data protection at the request of the data subject or ex officio. In accordance with Article 34. of The Act on Implementation of General Data Protection Regulation (Official Gazette, No. 44/2018), anyone who considers that a right guaranteed by this Act and the General Data Protection Regulation (GDPR) has been violated may submit a request to the Agency for the determination of a violation of rights.


Request for the determination of a violation of rights can be submitted in following ways:

  • personally
  • in the written form at the address: Personal Data Protection Agency – Selska cesta 136, 10 000 Zagreb (Croatia)
  • By Fax on number: +38514609099
  • Via E-mail: azop@azop.hr

Request for the determination of a infringement of rights needs to be understandable and complete.


Personal data which need to be provided in the request are:

  • Name, surname and address – information is necessary for the implementation of the procedure and the delivery of relevant acts and decisions
  • Indication what data subject right has been breached
  • If necessary at the request of the Personal Data
  • Protection Agency, you will be asked to submit copies of acts or documents related to the resolution of the infringement upon data subject’s request

Processing of personal data of data subjects through video surveillance – rights and obligations?

The General Data Protection Regulation provides for specifications or limitations to it’s rules by Member State laws, by whom Member States may, to the extent necessary for the sake of harmonisation and in order for national provisions to be understood by the persons to whom they apply, include the elements of the General Data Protection Regulation in their national law.

Furthermore, recital 10 of the General Data Protection Regulation defines that it does not exclude the law of a Member State which establishes the circumstances of the specific situations of processing, which includes a more precise determination of the conditions under which the processing of personal data is lawful.

Consequently, on 27. April 2018, the Republic of Croatia adopted the Act on the implementation of the General Data Protection Regulation which entered into force on 25 May 2018 (Official Gazette 42/2018).

The processing of personal data by means of a video surveillance may be carried out only for the purposes which are necessary and justified for the protection of persons and property, if the interest of the data subject which are contrary to the processing of a video surveillance do not prevail.

The controller or processor shall indicate that the facility or particular room therein and the external surface of the establishment are under a video surveillance, and the label shall be visible at the latest when entering the recording perimeter and shall contain a simple and understandable image accompanied by a text providing data subjects with at least the following information:

  • that the area is under a video surveillance
  • information about the controller;
  • contact details through which the data subject can exercise his rights.

The video surveillance system must be protected from an access by unauthorized persons, while responsible persons entitled to access personal data must not use recording contrary to the purpose for which the video surveillance is installed.

In the case of video surveillance in residential buildings, the co-owners of the residential building represent controllers within the meaning of the provisions of the General Data Protection Regulation, while the company with which the agreement on the installation of the video surveillance system was signed represents the processor and therefore the contract signed with that undertaking as processor must contain all the information referred to in Article 28(3) General Data Protection Regulation.

In this sense, it is also important to emphasize that the establishment of video surveillance in the residential/business-residential buildings requires the consent of co-owners who own at least 2/3 of the co-owners shares. The video surveillance may cover only access to and exit from residential buildings and common premises in the residential building.

Continuous video surveillance of public areas is allowed only to public authorities, legal persons with public authority and legal persons performing public service, only if prescribed by law, if necessary for the performance of tasks and tasks of public administration bodies or for the purpose of protecting the life and health of people and property. Therefore, natural persons are not allowed to continuously monitor/record the public area (e.g. through fixed cameras).


‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Transparency: providing information in the process of collection of the personal data where the controller has to inform the data subject, inter alia, of its identity and contact data, the purposes of the processing and the legal basis for the processing of data, recipients, presentation to third countries, storage period, ability to withdraw consent, etc.

Access to data: data subject is entitled to obtain from the controller a confirmation that the personal data relating to him or her are being processed and, where such personal data are being processed, access to personal data and information, inter alia, on personal data processed, on the purpose of processing, storage period, export to third countries.

Right to rectification; the data subject has the right to request the correction of his/her incorrect personal data, and taking into account the purposes of the processing, the data subject has the right to supplement incomplete personal data, inter alia, by making additional statement.

Right to erasure (to be forgotten); the data subject is entitled to request from the controller the erasure of personal data relating to him/her without undue delay if, inter alia, personal data are no longer necessary in relation to the purpose of the processing, the data subject has withdrawn his/her consent to the processing, personal data have been illegally processed, etc., this right has limitations, so for example, the politician cannot request the deletion of information about himself/herself given in the framework of his/her political action.

Right to restriction of processing; in certain situations (for example where the accuracy of the data is contested or where the right to erase the data subject wants the controller to retain his/her data), the data subject has the right to request that the processing be limited with the exception of storage and some other types of processing.

Right to data portability; the data subject has the right to receive his or her personal data previously provided to the controller in a structured form and in a commonly used and machine-readable format and has the right to transmit those data to another controller without interfering by the controller to which the personal data were supplied if the processing is carried out by automated means and is based on the consent or contract.

Right to object; the data subject has the right to object to the processing of personal data if it is based on tasks of public interest, on the exercise of the official powers of the controller or on the legitimate interests of the controller (including profiling), then the controller may no longer process personal data of the data subject unless he proves that his legitimate grounds for processing go beyond the interests of the data subject and in order to protect legal requirements, also if the data subject is contrary to processing for the purposes of direct marketing, personal data may no longer be processed.

Right to oppose the adoption of automated individual decisions (profiling); the data subject has the right not to be affected by a decision based exclusively on automated processing, including profiling, which produces legal effects concerning him or her or in similar way significantly affect him or her, unless such decision is necessary for the conclusion or performance of a contract between the data subject and the data controller, if it is permitted by EU or national law prescribing appropriate measures for the protection of rights and freedoms and legitimate interests of the data subject or based on the explicit consent of the data subject.


Help is improve!


Skip to content