The right to the protection of personal data is a constitutional category under Article 37.1 of the Constitution of the Republic of Croatia (Official Gazette 56/90, 135/97, 8/98, 113/00, 124/00, 28/01, 41/01, 55/01, 76/10, 85/10, 05/14) which guarantees security and confidentiality of personal data to every individual.
The aim of personal data protection is to protect the private life and other human rights as well as fundamental freedoms when collecting, processing and using personal data.
The protection of personal data in the Republic of Croatia is guaranteed to any natural person.
- The Act on the protection of natural persons with regard to the processing and exchange of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (Official Gazette 68/18)
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Act on the implementation of General Data Protection Regulation (Official Gazette 42/18)
Rights of the Data Subject
Data controller is obliged to, at the latest within 30 days, provide the following to every data subject, upon his or her request or upon the request of his or her legal representative or attorney:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source.
Data controller is obliged to, upon the request of the data subject or upon the request of his or her legal representatives or attorneys, supplement, modify or delete personal data in case they are incomplete, incorrect or not up-to-date. The data controller is obliged to notify the person to whom the personal data are related as well as the recipients of personal data of any supplementation, modification or deletion of personal data within 30 days at the latest.
Any person who considers that any of his or her rights guaranteed by the Personal Data Protection Act have been violated may submit a request for establishing a violation of rights to the Personal Data Protection Agency.
Data Protection Officer
The data controller appoints a data protection officer who is in charge of ensuring that personal data are processed in compliance with the law and that the right to personal data protection is exercised.
Tasks of the personal data protection officer are laid down in Article 39 of the General Data Protection Regulation and in Article 35 of the Act on the protection of natural persons with regard to the processing and exchange of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The data protection officer has following tasks:
- to inform and advise the controller and the employees who carry out processing of their obligations pursuant to data protection provisions;
- to monitor compliance with data protection provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.
Personal data protection in the Schengen Information System
What is the Schengen Information System?
The Schengen Information System is a common information system allowing the competent authorities in the Schengen Area Member States to cooperate by exchanging information. It is also an essential tool for the application of the provisions of the Schengen acquis. It was established to help maintain internal security within the Member States of the Schengen Area in the absence of internal border checks. The Schengen Information System constitutes a compensatory measure contributing to maintaining a high level of security within the area of freedom, security and justice of the European Union by supporting operational cooperation between police authorities and judicial authorities in criminal matters. It is a large-scale information system that enables police, judicial and other authorities with right of access to enter and consult alerts on missing persons, on persons or objects related to criminal offences and on non-EU nationals who are not allowed to enter or stay in the Schengen Area. The latest version of the second-generation Schengen Information System (SIS II) came into operation on 9 April 2013.
Depending on the type of alert, SIS II is regulated either by the Regulation (EC) 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II) or by the Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second-generation Schengen Information System (SIS II).
What type of data does SIS II contain?
SIS II contains two categories of data which are supplied by each of the Member States: data on objects or persons in relation to whom an alert has been issued. SIS II contains the following alerts:
- alerts issued in respect of third-country nationals for the purpose of refusing entry and stay,
- alerts in respect of persons wanted for arrest for surrender or extradition purposes,
- alerts on missing persons,
- alerts on persons sought to assist with a judicial procedure,
- alerts on persons and objects for discreet checks or specific checks and
- alerts on objects for seizure or use as evidence in criminal proceedings.
When the alert concerns a person, the information must always include the first and last name and any aliases, the sex, a reference to the decision giving rise to the alert and the action to be taken. If available, the alert may also contain information such as any specific, objective, physical characteristics not subject to change; the place and date of birth; photographs; fingerprints; nationality(ies); whether the person concerned is armed, violent or has escaped; reason for the alert; the authority issuing the alert; links to other alerts issued in SIS II and the type of offence.
What rights does a data subject have in relation to SIS II?
All individuals whose data are processed in SIS II are granted specific rights by the SIS II Regulation and the SIS II Decision. These rights can be exercised in any country that operates SIS II, regardless of the Member State that issued the alert.
Any person is entitled to request access to data related to him or her and entered into SIS II by the Member States, the correction of inaccurate data and deletion of unlawfully stored data. Also, any person may bring an action before the courts or the authority competent under the law of any Member State to access, correct, delete or obtain information or to obtain compensation in connection with an alert relating to him or her.
Right of access
Any person has the right to access personal data related to them and entered in SIS II which is exercised in accordance with the national law of the Member State concerned. Access may only be refused when this is indispensable for the performance of a lawful task in connection with an alert or for the protection of the rights and freedoms of third parties. The individual concerned is informed as soon as possible and, in any event, not later than 60 days from the date on which he requests access or sooner if national law so provides.
Right of correction of inaccurate data and deletion of unlawfully stored data
Any person has the right to have factually inaccurate data relating to him or her corrected or unlawfully stored data relating to him or her deleted.
The individual must be informed about the follow-up given to the exercise of his rights of correction and deletion as soon as possible and, in any event, not later than three months from the date on which he requests correction or deletion or sooner if national law so provides.
Any person may bring an action before the courts or the authority competent under the law of any Member State to access, correct, delete or obtain information or to obtain compensation in connection with an alert relating to him or her.
How to exercise the right of access, correction of inaccurate data and deletion of unlawfully stored data in SIS II in the Republic of Croatia?
The individuals can exercise their rights via the submission of a request to the address of the Ministry of the Interior:
Ministarstvo unutarnjih poslova
Ulica grada Vukovara 33
HR - 10 000 Zagreb, Croatia
Requests should be signed personally by the data subject – the person submitting the request, that is, his or her legal representatives or attorneys.
The procedure is free of charge.
When filling out the request, the applicant must state his or her personal information (first and last name, personal identification number, place of residence, place and date of birth and nationality). The request must be accompanied by a photocopy of a document proving the identity of the data subject – i.e. a national identity card or passport. In order to facilitate the exercise of data subject’s rights, the forms for access, correction and deletion of data from SIS II are available on the MoI website.
In the process of claiming his or her right to access, correction or deletion, the data subject can be represented by a legal representative. The legal representative of the data subject is obliged to submit evidence of the authorisation to represent the applicant.
Any questions regarding the exercise of the data subject’s rights can be directed to the data protection officer.
Any person who considers that any of his or her rights have been violated may submit a request to establish the violation of rights to the Personal Data Protection Agency.
Contact information of the data protection officer:
Ministarstvo unutarnjih poslovi
Ulica grada Vukovara 33
HR - 10 000 Zagreb, Croatia
Tel: 00385 1 6122 595