Croatia

Summary

Law: Law on the Implementation of the General Data Protection Regulation 2018 ('the Law') and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Personal Data Protection Agency (AZOP)

Summary: Croatia implemented the GDPR in 2018 through the Law on the Implementation of the General Data Protection Regulation 2018 (the Law).

The Law implements the GDPR but also sets out additional rules on the processing of personal data in specific circumstances, such as with regard to children's consent, the processing of genetic data in relation to life insurance, and the processing of biometric data in the private sector. In addition, the Law contains extensive provisions on the processing of personal data by means of video surveillance, as well as specific requirements for the processing of personal data for statistical purposes.

The Personal Data Protection Agency (AZOP) is the supervisory authority under the Law. The AZOP is fairly active and has published numerous opinions, recommendations, and clarifications on specific data processing issues. It has also imposed a few fines, including a fine of €5.47 million on a debt collection agency for the lack of organizational and security measures and unlawful processing of data.

Insights

The new Electronic Communications Act (Official Gazette No. 76/22) ('the Act') entered into force on 1 July 2022, transposing Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code. Ema Mendjusic Skugor and Marta Hren, from Divjak, Topic & Bahtijarevic, provide an overview of the changes and provisions and answer frequently asked questions ('FAQs').