ACT ON THE IMPLEMENTATION OF THE GENERAL DATA PROTECTION REGULATION

 

I. GENERAL PROVISIONS

Subject matter of the Act

Article 1

(1) This Act ensures the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (OJ L 119, 4.5.2016) (hereinafter: General Data Protection Regulation).

(2) This Act does not concern processing of personal data carried out by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or the area of national security and defence.

 

Gender neutrality

Article 2

The terms used in this Act, in a gender-specific form, be it masculine or feminine, shall refer to both male and female genders alike.

 

Definitions

Article 3

(1) For the purposes of this Act, the terms shall have the same meanings as defined in the General Data Protection Regulation.

(2) “Public authorities”, for the purposes of this Act, shall mean state administration bodies and other public authorities, and local and regional self-administration units.

 

II. COMPETENT AUTHORITIES

Supervisory authority

Article 4

(1) The supervisory authority within the meaning of the provision of Article 51 of the General Data Protection Regulation is the Croatian Personal Data Protection Agency (hereinafter: the Agency).

(2) The Agency is an independent public authority. The Agency is independent in its work and is responsible for its work to the Croatian Parliament.

(3) The head office of the Agency is in Zagreb.

 

Accreditation body

Article 5

The national accreditation body appointed in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 is the competent authority for accreditation of certification bodies in accordance with Article 43, paragraph 1 of the General Data Protection Regulation.

 

Powers of the Agency

Article 6

(1) In addition to its powers laid down by the General Data Protection Regulation, the Agency shall perform the following duties:

– when laid down by a special law, it may initiate and has the right to participate in criminal, misdemeanour, administrative and other court and out-of-court proceedings for breaches of the General Data Protection Regulation and this Act

– adopts the Criteria for determination of the amount of the compensation of administrative costs referred to in Article 43, paragraph 2 of this Act and the Criteria for determination of the amount of the compensation referred to in Article 43, paragraph 3 of this Act

– publishes individual decisions on the Agency’s website in accordance with Articles 18 and 48 of this Act

– initiates and conducts appropriate procedures against responsible persons for breaches of the General Data Protection Regulation and this Act

– carries out its duties of the independent supervisory authority for monitoring the implementation of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, unless otherwise laid down by special regulations and

– carries out other duties laid down by law.

(2) If the Agency has doubts about the validity of the implementing decision of the European Commission on the adequacy and on standard contractual clauses, it shall discontinue the administrative procedure and refer the case to the High Administrative Court of the Republic of Croatia to decide on an administrative matter.

(3) In the procedure referred to in paragraph 2 of this Article, the High Administrative Court of the Republic of Croatia shall, if it considers that the decision of the European Commission is not valid, submit a request for the assessment of the validity of the decision in question to the Court of Justice of the European Union in accordance with Article 267 of the Treaty on the Functioning of the European Union.

(4) The Agency shall carry out supervision over the implementation of this Act.

 

III. CROATIAN PERSONAL DATA PROTECTION AGENCY

Management of the Agency

Article 7

(1) The work of the Agency shall be managed by its Director (hereinafter: the Director).

(2) The Director shall have a Deputy.

(3) The Director and the Deputy Director shall be appointed by the Croatian Parliament at the proposal of the Government of the Republic of Croatia, on the basis of a public call for submission of candidacies.

(4) The Director and the Deputy Director shall be appointed for a term of four years and may not be appointed for that duty for more than two terms of office.

(5) The central state administration body competent for the state administration system shall publish a public call for submission of candidacies for the Director and the Deputy Director not later than six months before the expiry of the term of office of the Director and the Deputy Director or not later than 30 days after the cessation of their duty if their duty ceased before the expiry of their term of office. The central state administration body competent for the state administration system shall forward the submitted candidacies to the Government of the Republic of Croatia, indicating which candidates have submitted timely and complete candidacies.

(6) The Government of the Republic of Croatia shall make a proposal of candidates for the Director and the Deputy Director and shall refer it to the Croatian Parliament.

(7) In case the term of office of the Director ceases before the expiry of the term for which the Director was appointed, the duty of the Director shall be carried out by the Deputy Director until the Director is appointed in the procedure initiated in accordance with paragraph 5 of this Article, but for not longer than six months.

 

Conditions for the appointment of the Director and the Deputy Director

Article 8

(1) A person fulfilling the following conditions may be appointed Director or Deputy Director:

– he or she has Croatian citizenship and permanent residence in the territory of the Republic of Croatia

– he or she has completed an undergraduate and graduate university study programme or an integrated undergraduate and graduate university study programme or a specialist graduate professional study programme

– he or she has at least ten years of work experience in his or her profession

– he or she is a prominent expert with acknowledged professional reputation and expert knowledge and experience in the field of personal data protection

– he or she has not been convicted and criminal proceedings are not conducted against him or her for criminal offences for which criminal proceedings are instituted ex officio

– he or she is not a member of a political party.

(2) Provisions of regulations governing obligations and rights of state officials and regulations governing the prevention of conflict of interest shall apply to the Director and the Deputy Director.

(3) The coefficient for the calculation of the salary of the Director is 5.50.

(4) The coefficient for the calculation of the salary of the Deputy Director is 4.26.

 

Relief from duty of the Director and the Deputy Director

Article 9

(1) The Croatian Parliament shall relieve from duty the Director and the Deputy Director before the expiry of the term of office for which they were appointed:

– at his or her own request

– if circumstances arise due to which he or she no longer fulfils the conditions for appointment

– if he or she committed a serious misconduct. It shall be considered that the Director or the Deputy Director committed a serious misconduct if he or she does not carry out his or her duty in accordance with the law.

(2) The procedure for relieving from duty of the Director and the Deputy Director shall be initiated at the proposal of the Government of the Republic of Croatia.

 

Professional service

Article 10

(1) The Agency shall have a professional service.

(2) Provisions of regulations governing rights and obligations of civil servants shall apply to the employees of the Agency’s professional service.

(3) The method of work, the manner of planning and carrying out of duties, the internal structure and other issues important for the performance of Agency’s duties shall be laid down in the Ordinance on the work of the Agency issued by the Director.

(4) The Ordinance on the work of the Agency shall be confirmed by the Croatian Parliament. The Ordinance shall be published in the Official Gazette.

(5) The regulation laying down the principles for the internal structure of state administration bodies, in the part relating to state administration organisations shall be applied accordingly to the internal structure of the Agency’s professional service.

(6) The Director shall issue the Ordinance on the internal order laying down the number of civil servants necessary to carry out the duties with the indication of their principal duties and tasks and professional qualifications required for their performance, their powers and responsibilities and other issues of importance for the work of the Agency.

 

Article 11

The Director, the Deputy Director and the employees of the Agency shall not carry out duties of data protection officers for another controller or processor.

 

Article 12

(1) The Director, the Deputy Director and the employees of the Agency carrying out supervision duties shall hold an official identity card demonstrating their official capacity, identity and powers.

(2) The shape and content of the official identity card shall be laid down in the Ordinance on the work of the Agency referred to in Article 10 of this Act.

 

Article 13

(1) The Director, the Deputy Director and the employees of the Agency shall keep as a professional secret or another appropriate type of secret, in accordance with the law governing data secrecy, all personal and other confidential data that come to their knowledge during the performance of their duties.

(2) The obligation referred to in paragraph 1 of this Article shall continue even after the cessation of carrying out of the duty of the Director and the Deputy Director or after the termination of service in the Agency.

 

Cooperation with state administration bodies and other bodies

Article 14

Central state administration bodies and other public authorities shall submit to the Agency the drafts of proposals of laws and proposals of other regulations governing issues related to personal data processing in order to enable giving expert opinions regarding the area of personal data protection.

 

Cooperation with supervisory authorities for data protection of other states

Article 15

(1) Representatives of the seconding supervisory authority shall have the powers to carry out joint operations, including investigations and joint enforcement measures, in accordance with the provisions of this Act and the General Data Protection Regulation.

(2) By means of an agreement between the Agency and the seconding supervisory authority, the Agency shall give the power to the representatives of the seconding supervisory authority to monitor and participate in carrying out supervisory activities in accordance with Article 62 of the General Data Protection Regulation.

(3) The agreement referred to in paragraph 2 of this Article shall lay down the investigative powers referred to in Article 58, paragraph 1 of the General Data Protection Regulation to be conferred on the seconding supervisory authority and the personal name and the position of the representative of the seconding supervisory authority who will participate in the joint operation.

(4) When representatives of the seconding supervisory authority participate in joint operations in the territory of the Republic of Croatia, the controller, the processor and the data subject and all other parties directly involved in a specific operation shall, before the beginning of the joint operation, be acquainted with the fact that the representatives of the seconding supervisory authority also participate in the operation.

 

Resources for the work of the Agency

Article 16

The resources for the work of the Agency shall be provided for in the state budget of the Republic of Croatia.

 

Annual report

Article 17

(1) The Agency shall submit an annual report on its work to the Croatian Parliament, at the latest by 31 March of the current year for the previous year. The annual report shall contain:

– the number of requests of data subjects and the number of complaints

– the number of rulings issued on complaints of data subjects and ex officio, including the number of supervisory activities carried out

– the number of received reports from controllers on personal data breaches referred to in Article 33 of the General Data Protection Regulation and on the supervisory activities carried out based on such reports

– the number of prior consultations carried out in accordance with Article 36 of the General Data Protection Regulation

– the number of actions with respect to the code of conduct and certification in accordance with Articles 40 ‒ 43 of the General Data Protection Regulation

– the number of approved contractual clauses and provisions of administrative agreements in accordance with Article 46, paragraph 3 of the General Data Protection Regulation

– the number and type of established breaches, warnings issued, reprimands and administrative fines imposed and other types of measures carried out in accordance with Article 58, paragraph 2 of the General Data Protection Regulation

– the number and the description of international treaties, legislative and regulatory acts to which it gave its opinion with respect to the area of personal data protection, indicating which opinions were given at the request of the competent authority, and which were given ex officio

– the description of activities within the framework of the European Data Protection Board and other umbrella organisations in the area of personal data protection

– the description of activities of cooperation with public and other authorities in the Republic of Croatia

– the description of activities on promoting the awareness of natural persons, controllers, processors and other targeted groups

– the analysis and evaluation of exercising the right to personal data protection.

(2) The annual report shall also contain data on the realised income and expenditures for the reporting period and data on the number of employees and their structure by professional qualifications.

(3) The annual report shall be published on the Agency’s website.

 

Publication of Agency’s opinions and rulings

Article 18

(1) The Agency’s rulings and opinions relating to the types of processing which, taking into consideration the nature, scope, context and purposes of processing, may involve a high risk for the rights and freedoms of individuals shall be published on the Agency’s website.

(2) Opinions and rulings referred to in paragraph 1 of this Article shall be rendered anonymous or undergo pseudonymisation.

(3) By way of derogation from paragraph 2 of this Article, when the Agency’s opinions and rulings referred to in paragraph 1 of this Article are regarding minors, the technique of rendering information related to them anonymous shall be applied in order to ensure a high level of protection of their privacy.

 

IV. PROCESSING OF PERSONAL DATA IN SPECIFIC CASES

Children’s consent in relation to information society services

Article 19

(1) Where Article 6, paragraph 1, point (a) of the General Data Protection Regulation applies, with respect to offer of information society services directly to a child, processing of personal data of a child shall be lawful where the child is at least 16 years old.

(2) The provision of paragraph 1 of this Article shall apply to children with permanent residence in the Republic of Croatia.

(3) Acting contrary to provisions of this Article shall be considered a breach of Article 8 of the General Data Protection Regulation and shall be subject to sanctions in accordance with Article 83 of the General Data Protection Regulation.

 

Processing of genetic data

Article 20

(1) Processing of genetic data for the calculation of the risk of disease and other health aspects of data subjects within the framework of activities for the conclusion or execution of life insurance contracts and contracts with clauses on survival shall be prohibited.

(2) The prohibition referred to in paragraph 1 of this Article may not be lifted by the consent of the data subject.

(3) The provision of paragraph 1 of this Article shall apply to data subjects who conclude life insurance contracts and contracts with clauses on survival in the Republic of Croatia if the processing is carried out by a controller established in the Republic of Croatia or providing services in the Republic of Croatia.

(4) Acting contrary to provisions of this Article shall be considered a breach of Article 9 of the General Data Protection Regulation and shall be subject to sanctions in accordance with Article 83, paragraph 5 of the General Data Protection Regulation.

 

Processing of biometric data

Article 21

(1) Public authorities may process biometric data only if laid down by law and necessary to protect persons, property, classified data or professional secrets, taking into consideration that interests of data subjects which are contrary to the processing of biometric data from this Article should not prevail.

(2) It shall be considered that the processing of biometric data is in accordance with the law if it is necessary to fulfil obligations from international treaties with regard to identification of individuals crossing the state border.

 

Article 22

(1) Processing of biometric data in the private sector may be carried out only if laid down by law or necessary to protect persons, property, classified data, professional secrets or for individual and reliable identification of users of services, taking into consideration that interests of data subjects which are contrary to the processing of biometric data from this Article should not prevail.

(2) The expressly stated consent of such data subjects given in accordance with the General Data Protection Regulation shall represent the legal basis for processing of biometric data of data subjects for the purpose of reliable identification of users of services.

 

Article 23

Processing of biometric data of employees for the purpose of recording working hours and entry and exit from official premises shall be allowed, if laid down by law or if such processing is carried out as an alternative to another solution for recording working hours or entry and exit from official premises, under the condition that the employee has given an explicit consent for such processing of biometric data in accordance with the General Data Protection Regulation.

 

Article 24

(1) The provisions of this Act on processing of biometric data shall apply to data subjects in the Republic of Croatia if the processing is carried out by:

– a controller established in the Republic of Croatia or providing services in the Republic of Croatia

– a public authority.

(2) The provisions of this Act on processing of biometric data shall not affect the obligation to carry out impact assessment in accordance with Article 35 of the General Data Protection Regulation.

(3) The provisions of this Act on processing of biometric data shall not apply to the area of defence, national security and the security and intelligence system.

 

Processing of personal data by video surveillance

Article 25

(1) Video surveillance, within the meaning of provisions of this Act, shall relate to collection and further processing of personal data, which includes creation of a recording that forms part or is intended to form part of a filing system.

(2) Unless otherwise laid down by another law, the provisions of this Act shall apply to processing of personal data by video surveillance systems.

 

Article 26

(1) Processing of personal data by video surveillance may be carried out only for a purpose that is necessary and justified for the protection of persons and property, unless interests of data subjects that are contrary to the processing of personal data by video surveillance prevail.

(2) Video surveillance may cover premises, parts of premises, outer surface of the building, as well as internal spaces in the means of public transportation, the surveillance of which is necessary to achieve the purpose referred to in paragraph 1 of this Article.

 

Article 27

(1) The controller or the processor shall designate that the building or particular premises in it and the outer surface of the building are under video surveillance, and this indication shall be visible at the latest when entering the perimeter of recording.

(2) The notice referred to in paragraph 1 of this Article shall contain all relevant information in accordance with the provision of Article 13 of the General Data Protection Regulation, and especially a simple and easily understandable picture with a text that provides the following information to data subjects:

– that the area is under video surveillance

– information on the controller

– contact information through which data subjects may exercise their rights.

 

Article 28

(1) The responsible person of the controller or the processor and/or a person authorised by him or her shall have the right of access to personal data collected by video surveillance.

(2) Persons referred to in paragraph 1 of this Article shall not use recordings from the video surveillance system contrary to the purpose laid down in Article 26, paragraph 1 of this Act.

(3) The video surveillance system shall be protected from access by unauthorised persons.

(4) The controller and the processor shall establish an automated recording system for recording access to video surveillance recordings which shall contain the time and place of access, and the indication of persons who had access to data collected by video surveillance.

(5) Competent state authorities shall have access to data referred to in paragraph 1 of this Article within the framework of carrying out duties from their scope laid down by law.

 

Article 29

Recordings obtained by video surveillance may be kept for not more than six months, unless a longer time limit for their keeping has been laid down by another law or if they are evidence in a judicial, administrative, arbitral or another equivalent procedure.

 

Video surveillance of working premises

Article 30

(1) Personal data processing of employees by means of a video surveillance system may be carried out only if, in addition to the conditions laid down by this Act, the conditions laid down by regulations governing safety at work have also been fulfilled and if employees have been informed in an appropriate manner and in advance on such measure and if the employer informed the employees before making the decision on the installation of the video surveillance system.

(2) Video surveillance of working premises must not cover premises intended for resting, personal hygiene and changing clothes.

 

Video surveillance of residential buildings

Article 31

(1) Approval of co-owners possessing at least two thirds of co-owners’ shares shall be required for installation of video surveillance in residential buildings and commercial-residential buildings.

(2) Video surveillance may cover only access to entry and exit from residential buildings and common premises in residential buildings.

(3) Video surveillance shall not be used for monitoring working performance of janitors, cleaners and other persons working in a residential building.

 

Video surveillance of public areas

Article 32

(1) Monitoring of public areas by means of video surveillance shall be allowed only to public authorities, legal persons vested with public authority and legal persons performing a public service, only if prescribed by law, if necessary for performing duties and tasks of public authorities or for protection of lives and health of persons and property.

(2) The provisions of this Article shall be without prejudice to the application of Article 35 of the General Data Protection Regulation to systematic monitoring of a publicly accessible area on a large scale.

 

Personal data processing for statistical purposes

Article 33

(1) Within the framework of personal data processing for the purpose of production of official statistics in accordance with special regulations in the field of official statistics, bodies producing official statistics need not give to data subjects the right of access to personal data, the right to correct personal data, the right to restriction of personal data processing or the right to object to personal data processing, in order to ensure conditions necessary to achieve the purpose of official statistics in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

(2) Authorities competent for production of official statistics shall apply technical and organisational measures for protection of data collected for the purposes of official statistics.

(3) Personal data controllers, when transferring personal data to authorities competent for official statistics, need not inform data subjects about the transfer of personal data for statistical purposes.

(4) Personal data processing for statistical purposes shall be considered relevant for the purpose of which data have been collected, under the condition that appropriate safeguards are provided.

(5) Personal data processed for statistical purposes shall not allow identification of the person to whom they relate.

 

V. PROCEDURE WITHIN THE COMPETENCE OF THE AGENCY AND LEGAL REMEDIES

Article 34

(1) Anyone who considers that any of his or her rights guaranteed by this Act and the General Data Protection Regulation have been violated, may submit to the Agency a request for determination of a violation of a right.

(2) The Agency shall decide on the violation of rights by a ruling.

(3) The ruling of the Agency shall be an administrative act.

(4) No appeal shall be allowed against the ruling of the Agency, but an administrative dispute may be instituted by lodging a complaint before a competent administrative court.

 

Article 35

(1) If the ruling prescribes erasure or other irreversible removal of personal data, a dissatisfied party may request the competent administrative court to delay the erasure or other irreversible removal of personal data if he or she proves that it would involve a disproportionate effort to re-collect personal data whose erasure or irreversible removal has been requested.

(2) If the competent administrative court accepts the request referred to in paragraph 1 of this Article, the party who was ordered erasure or other irreversible removal of personal data must block any processing of the disputable personal data, except their keeping, until the final court judgement is made.

 

Implementation of supervision

Article 36

(1) Authorised employees of the Agency may independently, and in specific cases also with participation of a representative of the seconding supervisory authority (hereinafter: authorised persons), carry out announced or unannounced supervisions. The supervised person and the controller or the processor shall be notified about the carrying out of the unannounced supervision at the site and at the time of carrying out of the supervision.

(2) Before the beginning of the supervision referred to in paragraph 1 of this Article authorised persons shall identify themselves by presenting an official identity card and the order for supervision.

(3) If, during the supervision, it is expected that it would be hampered by putting up resistance, the Agency shall submit a written request to the ministry competent for internal affairs for assistance in carrying out those supervisory activities.

(4) On the basis of the request of the Agency, the ministry competent for internal affairs shall, in accordance with special regulations, provide assistance in carrying out of the supervision referred to in paragraph 2 of this Article.

(5) The order for carrying out the supervision referred to in paragraph 1 of this Article shall be issued by the Director of the Agency.

 

Copying, sealing and temporary seizure of filing systems and equipment

Article 37

(1) Authorised persons, where appropriate, may make copies of the available documents, record all contents of filing systems and collect other relevant information.

(2) If, due to technical reasons, it is not possible to make copies of the required documentation during the supervision, the authorised persons shall, where appropriate, seize the required filing systems and equipment containing other relevant information and keep them for as long as necessary to make copies of that documentation, but no longer than 15 days from the day of the seizure of the filing systems and equipment.

(3) Authorised persons may seal filing systems or equipment during the supervision in the extent absolutely necessary for carrying out supervisory activities if there is a danger of destruction or modification of evidence, but no longer than 15 days from the day of sealing of filing systems or equipment.

(4) The authorised person shall make an official record about the copying, sealing and temporary seizure of filing systems and equipment, containing all relevant information on the data or equipment covered by the action and shall hand out a copy of it to the supervised entity.

 

Suspicion of a criminal offence

Article 38

If, during the supervision, knowledge is gained or objects found that indicate a criminal offence prosecuted ex officio has been committed, the authorised persons shall, within the shortest term possible, inform the competent police station or a state attorney.

Classified data

Article 39

(1) Any access, copying or any other processing of classified data with an established level of secrecy on the basis of a special regulation shall be carried out in accordance with regulations governing protection of data secrecy.

(2) Any access, copying or any other processing of classified data with an established level of secrecy on the basis of a special regulation shall be carried out by employees having a valid certificate for access to classified data in accordance with regulations governing protection of data secrecy.

Minutes on the carried out supervision

Article 40

(1) Minutes shall be made on the carried out supervision. The minutes shall contain in particular:

  1. the place and date of carrying out supervision
  2. the indication whether the supervision was announced or unannounced
  3. the names and signatures of authorised persons who participated in the supervision and of the representative of the supervised entity
  4. the description of the course and content of every action conducted during the supervision and statements given
  5. the list of documents and other objects used, copied, sealed and/or temporarily seized during the supervisory activities
  6. the instruction on the right to give objections to the minutes.

(2) If the minutes referred to in paragraph 1 of this Article were drafted directly at the location of the supervision, the supervised person may give his or her objections to the minutes, which will be entered into the minutes by the authorised person.

(3) If the minutes referred to in paragraph 1 of this Article were drafted after the supervision has been carried out, they shall be forwarded to the supervised person.

(4) The supervised person shall have the right to give objections to the minutes referred to in paragraphs 2 and 3 of this Article in the written form within 15 days of the day of their receipt. Within 15 days of the day of the receipt of objections, the supervised person shall be delivered a written reply on acceptance or non-acceptance of objections.

(5) If the supervised person, within the deadline referred to in paragraph 4 of this Article, does not submit objections to the minutes, it shall be deemed that he or she does not have any objections to them.

Representation of data subjects

Article 41

A data subject shall have the right to authorise a non-profit body, organisation or association established in accordance with the law, whose articles of association state objectives of public interest and which is active in the area of protection of rights and freedoms of the data subject with respect to protection of his personal data, to lodge a complaint in his name and to exercise in his name the rights referred to in Articles 77, 78 and 79 of the General Data Protection Regulation and the right to compensation referred to in Article 82 of the General Data Protection Regulation.

 

Provision of expert opinions

Article 42

(1) At a written request of a natural or legal person, the Agency shall provide an expert opinion in the area of personal data protection, no later than within 30 days from the day of submission of the request, depending on the complexity of the request.

(2) If, for the provision of expert opinion, it is necessary to involve other bodies in the country or abroad for the purpose of obtaining data or information essential for providing the expert opinion, the deadline for providing the opinion referred to in paragraph 1 of this Article may be extended for another 30 days.

 

Compensation for acting upon the request

Article 43

(1) The Agency shall perform its tasks without compensation with respect to data subjects, personal data protection officers, journalists and public authorities.

(2) The Agency shall collect a reasonable compensation based on administrative expenses or shall refuse to act upon a request if requests of data subjects are clearly unfounded or excessive, and especially because of their frequency.

(3) The Agency shall charge the compensation for providing opinions to business entities (law firms, consultants etc.) requested by business entities for the purpose of carrying out their regular activities or provision of services.

(4) The criteria for determining the amount of the compensation referred to in paragraphs 2 and 3 of this Article shall be established by the Agency. The criteria shall be published in the Official Gazette and on the Agency’s website.

(5) The amount of the compensation referred to in paragraphs 2 and 3 of this Article shall be paid to the state budget.

 

VI. IMPOSING ADMINISTRATIVE FINES

Article 44

(1) The Agency shall impose administrative fines for breaches of provisions of this Act and the General Data Protection Regulation, in accordance with Article 83 of the General Data Protection Regulation.

(2) If the administrative fine is imposed on a legal person vested with public authority or on a legal person performing a public service, the imposed administrative fine shall not jeopardise the performance of such public authority or public service.

Article 45

(1) Administrative fines shall be imposed by a decision.

(2) The decision referred to in paragraph 1 of this Article shall lay down the amount and the manner of payment of the administrative fine. The decision may lay down that the administrative fine shall be paid in instalments.

(3) When, in accordance with Article 83 of the General Data Protection Regulation, administrative fines are imposed together with measures referred to in Article 58, paragraph 2, points from (a) to (h) and point (j) of the General Data Protection Regulation, the decision on the administrative fine shall be made after the ruling imposing the measure becomes final.

(4) No appeal shall be allowed against the decision referred to in paragraph 1 of this Article, but an administrative dispute may be initiated before a competent administrative court.

(5) The criteria for the payment in instalments and the conditions for the termination of payment of the administrative fine in instalments shall be determined by the Agency in accordance with the amount of the administrative fine. The criteria shall be published in the Official Gazette and on the Agency’s website.

 

Article 46

(1) The administrative fine shall be paid within 15 days from the day the decision imposing it becomes final.

(2) If the party does not pay the administrative fine within the set deadline or after the last instalment is due if payment in instalments was approved, the Agency shall inform the regional office of the Tax Administration of the Ministry of Finance in whose area the permanent residence or the head office of the party on which the administrative fine was imposed is located, for the purpose of enforcement of the administrative fine in accordance with the regulations on the enforcement of taxes.

(3) Administrative fines shall be paid to the state budget.

(4) By way of derogation from paragraph 2 of this Article, interest shall not be charged on due but unpaid administrative fines.

 

Exclusion of application of administrative fines to public authorities

Article 47

Without prejudice to exercising the powers of the Agency laid down by the provision of Article 58 of the General Data Protection Regulation, in procedures conducted against public authorities, an administrative fine for a breach of this Act or the General Data Protection Regulation cannot be imposed on a public authority.

 

Article 48

A final ruling shall be published on the Agency’s website without anonymising data on the perpetrator if that ruling establishes a breach of this Act or the General Data Protection Regulation regarding the processing of personal data of minors, special categories of personal data, automated individual decision-making or profiling, if the breach was committed by a controller or a processor who has already breached the provisions of this Act or the General Data Protection Regulation, or if, in connection with the ruling, a decision was made on an administrative fine in the amount of at least HRK 100,000.00 which has become final.

 

Statute of limitations on the execution of administrative fines

Article 49

(1) The provisions of the general law governing the tax procedure shall apply to the statute of limitations on the collection of administrative fines.

(2) The statute of limitations shall start running from the day of the finality of the decision.

(3) The statute of limitations shall not run during the payment of the administrative fine in instalments.

 

VII. MISDEMEANOUR PROVISIONS

Article 50

(1) An administrative fine for a misdemeanour in an amount between HRK 5,000.00 and 50,000.00 shall be imposed on:

– a person exercising the duty of the Director or the Deputy Director of the Agency who discloses confidential data learned in the performance of his or her duty to an unauthorised person, in accordance with Article 13 of this Act

– an employee of the Agency who discloses confidential data learned in the performance of duties of his or her job, in accordance with Article 13 of this Act.

(2) The state attorney shall be the authorised prosecutor for misdemeanours referred to in this Article.

 

VIII. ADMINISTRATIVE FINES

Article 51

An administrative fine in an amount of up to HRK 50,000.00 shall be imposed on:

– a controller and a processor who do not designate the building, premises, parts of the premises and the external surface of the building in the manner laid down in Article 27 of this Act

– a controller and a processor who do not establish an automated recording system for recording access to video surveillance recordings, in accordance with Article 28, paragraph 4 of this Act

– persons referred to in Article 28, paragraph 1 of this Act who use recordings from the video surveillance system contrary to Article 28, paragraph 2 of this Act.

 

IX. TRANSITIONAL AND FINAL PROVISIONS

Article 52

(1) On the day of entry into force of this Act:

– the Croatian Personal Data Protection Agency established by the Personal Data Protection Act (Official Gazette 103/03, 118/06, 41/08, 130/11 and 106/12 ‒ revised text; hereinafter: Personal Data Protection Agency) as a legal person vested with public authority, shall become a public authority and shall continue its work under the same name

– the Agency, as a legal successor of the Personal Data Protection Agency, shall take over its duties, archives and other documentation, instruments of labour, funds, rights and obligations, as well as employees

– employees of the Personal Data Protection Agency shall become civil servants or employees.

(2) Until the adoption of the ordinance on the internal order referred to in Article 54 of this Act and the assignment to jobs in accordance with regulations on civil servants, employees of the Personal Data Protection Agency shall continue to carry out the duties they were carrying out on the day of entry into force of this Act and shall retain all their rights arising from the employment relationship.

 

Article 53

(1) Within eight days from the day of entry into force of this Act, the central state administration body competent for the state administration system shall initiate the procedure for appointing the Director and the Deputy Director.

(2) The person carrying out the duty of the Director of the Personal Data Protection Agency on the day of entry into force of this Act shall continue to carry out the duty of the Director until the appointment of the Director of the Agency in accordance with this Act.

 

Article 54

(1) The Director shall, within 60 days from the day of appointment, submit the Ordinance on the work of the Agency to the Croatian Parliament for confirmation.

(2) The Director shall, within 30 days from the day of entry into force of the Ordinance referred to in paragraph 1 of this Article, issue the Ordinance on the internal order.

(3) Until the entry into force of the Ordinance on the work of the Agency, the Articles of Association of the Personal Data Protection Agency shall apply.

 

Article 55

Proceedings initiated before the entry into force of this Act shall be continued and completed in accordance with the provisions of the Personal Data Protection Act (Official Gazette 103/03, 118/06, 41/08, 130/11 and 106/12 – revised text).

 

Repeals

Article 56

On the date of entry into force of this Act, the following shall cease to have effect: the Personal Data Protection Act (Official Gazette 103/03, 118/06, 41/08, 130/11 and 106/12 – revised text), the Regulation on the manner of keeping the records of personal data filing systems and the pertinent records form (Official Gazette 105/04) and the Regulation on the procedure for storage and special measures relating to the technical protection of special categories of personal data (Official Gazette 139/04).

 

Entry into force

Article 57

This Act shall be published in the Official Gazette, and shall enter into force on 25 May 2018.

 

Class: 022-03/18-01/55

Zagreb, 27 April 2018

 

THE CROATIAN PARLIAMENT

 
