Twitter Logo Youtube Circle Icon LinkedIn Icon

Publishing firms

Legal Developments worldwide

Amendments to Personal Data Protection Act

May 2007 - Corporate & Commercial. Legal Developments by BABIC & PARTNERS Law Firm .

More articles by this firm.

On October 20, 2006 Croatian Parliament adopted amendments to the Personal Data Protection Act (the "Amendments"). The amendments were enacted with a view to further harmonize the Personal Data Protection Act with EU Directive 95/46/EC (the "Directive") as regards transfer of personal data to third countries.


Status of the Data Processing Regulation before Amendments

Personal data protection in Croatia is governed by wide variety of laws and regulations. Primary source of law is the Personal Data Protection Act enacted in 2003 (the "Act").Although the Croatian personal data protection legislation has been to a high degree harmonized with European Acquis during the Act's implementation it became apparent that some of the changes are still required. The EU Commission's opinion on the Croatia's application for membership emphasized that the Act omitted to provide for derogations from the principle rule on "adequate protection" in countries to which data is transferred. The Amendments are brought so as to ensure further harmonization with the Directive.


Competent authority for supervision of the personal data processing is the Croatian Personal Data Protection Agency (the "Agency"), established in 2003.

Main Issues Addressed in the Amendments

Main issues addressed in the Amendments relate to the following:

(i)                  Introduction of derogations to the principle rule on "adequacy of protection level" in the third country to which the data is transferred;

(ii)                clear and wider designation of the subjects to which the Act applies; and

(iii)               amendments to the supervision provisions of the Act in that that the Agency can impose measures and fines towards other persons infringing the Act and not only to the controller.


The Amendments provide that transfer of personal data to a third country or an international organization which does not ensure an adequate level of protection may take place on condition that:

  • the data subject has given his consent to the proposed transfer; or
  • the transfer is necessary in order to protect the vital interests of the data subject; or
  • controller provides adequate assurances in respect of privacy protection and fundamental rights and freedoms of data subject arising out of the contractual obligations; which is then assessed by the Agency as adequate in accordance with relevant personal data protection legislation.


Along the lines of Directive's wording, the Amendments provide for criteria for evaluation of "adequate protection level". The Amendments, however, fail to provide for standard contractual clauses which would be considered as offering the adequate safeguard as envisaged in the Commissions Decision of 15 June 2001 on standard contractual clauses. It remains to be seen whether these issues will be resolved via an implementing regulation.


The Amendments further provide wider range of subjects to which the Act applies. Under the Amendments, the Act now applies also to representative offices and branches of foreign legal persons. In addition, the Act applies to representatives of foreign persons (both natural and legal) that are processing personal data in Croatia but do not have a legal identity (e.g. proxies that organize personal data processing in Croatia for purposes of foreign companies as recipients). These subjects were not under the Agency's scrutiny before the Amendments were enacted.


Finally, the Amendments provide that the Agency in case of infringement of the Act can impose measures and fines against recipients and data processors as well as against the controller.


Contributed by Katarina Škvorc, Partner at Babić & Partners



Law Firm
Nova cesta 60/ 1st floor
10000 Zagreb, Croatia

Phone: +385 (0) 1 3821 124
Phone/Fax: +385 (0) 1 3820 451