Personal Data Protection

The right to the protection of personal data is a constitutional category under Article 37.1 of the Constitution of the Republic of Croatia (Official Gazette 56/90, 135/97, 8/98, 113/00, 124/00, 28/01, 41/01, 55/01, 76/10, 85/10, 05/14) which guarantees security and confidentiality of personal data to every individual.

The aim of personal data protection is to protect the private life and other human rights as well as fundamental freedoms when collecting, processing and using personal data.
The protection of personal data in the Republic of Croatia is guaranteed to any natural person.
 

Legislation

  • The Act on the protection of natural persons with regard to the processing and exchange of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (Official Gazette 68/18)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Act on the implementation of General Data Protection Regulation (Official Gazette 42/18)
 

Rights of the Data Subject​


Data controller is obliged to, at the latest within 30 days, provide the following to every data subject, upon his or her request or upon the request of his or her legal representative or attorney:
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source.

Data controller is obliged to, upon the request of the data subject or upon the request of his or her legal representatives or attorneys, supplement, modify or delete personal data in case they are incomplete, incorrect or not up-to-date. The data controller is obliged to notify the person to whom the personal data are related as well as the recipients of personal data of any supplementation, modification or deletion of personal data within 30 days at the latest.

Any person who considers that any of his or her rights guaranteed by the Personal Data Protection Act have been violated may submit a request for establishing a violation of rights to the Personal Data Protection Agency.

 

Data Protection Officer


The data controller appoints a data protection officer who is in charge of ensuring that personal data are processed in compliance with the law and that the right to personal data protection is exercised.

Tasks of the personal data protection officer are laid down in Article 39 of the General Data Protection Regulation and in Article 35 of the Act on the protection of natural persons with regard to the processing and exchange of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.


The data protection officer has following tasks:
  1. to inform and advise the controller and the employees who carry out processing of their obligations pursuant to data protection provisions;
  2. to monitor compliance with data protection provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

 


Personal data protection in the Schengen Information System (SIS)

Regulations (EU) of the European Parliament and the Council (2018/1860, 2018/1061 i 2018/1062) on the establishment, operation and use of the Schengen Information System (SIS) in the field of the return of illegally staying third-country nationals, border checks and the police cooperation and judicial cooperation in criminal matters, a common information system is established which allows the competent national authorities in the Schengen Area Member States to cooperate by exchanging information, also enables police, judicial and other authorities with right of access to enter and consult alerts on missing persons, on persons or objects related to criminal offences and on non-EU nationals who are not allowed to enter or stay in the Schengen Area.

The aforementioned Regulations grant to every individual whose data is processed in SIS  the right to access personal data, correct inaccurate personal data and delete unlawfully stored personal data, unless such processing is carried out by national competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offenses of terrorism or other serious criminal acts.


How to exercise the right of access, correction of inaccurate data and deletion of unlawfully stored data in SIS in the Republic of Croatia?

Application forms for exercising the right to access personal data, correct inaccurate personal data and delete unlawfully stored personal data from the SIS, as well as from the Information System of the Ministry of the Interior, are available on the website of the Ministry of the Interior.

The procedure is free of charge.

The request shall be submitted to the address of the Ministry of the Interior:

Republika Hrvatska

Ministarstvo unutarnjih poslova


Ulica grada Vukovara 33

HR - 10 000 Zagreb, Croatia

Any questions regarding the exercise of the data subject’s rights can be directed to the data protection officer. 

Contact information of the data protection officer:

Jagoda Ezgeta dipl.iur

Ministarstvo unutarnjih poslova

Ulica grada Vukovara 33

10 000 Zagreb

telefon: +385 1 6122 348

telefaks: +385 1 6122 775

e-pošta: zastita.osobnih.podataka@mup.hr