Instructions for use E-mail
Homepage
Act implementing the General Data Protection Regulation
Law, OG 42 / 2018-805 More 
CROATIAN PARLIAMENT
805
Pursuant to Article 89 of the Constitution of the Republic of Croatia, I hereby
DECISION
DECLARING THE LAW ON IMPLEMENTATION OF THE GENERAL DATA PROTECTION REGULATION
I hereby promulgate the Law on Implementation of the General Data Protection Regulation, adopted by the Croatian Parliament at its session of 27 April 2018.
Class: 011-01 / 18-01 / 48
Reg. No: 71-06-01 / 1-18-2
Zagreb, May 3, 2018
President
Of the Republic of Croatia
Kolinda Grabar-Kitarović, v. R.
LAW
ON THE IMPLEMENTATION OF THE GENERAL DATA PROTECTION REGULATION
I. GENERAL PROVISIONS
The subject of the Act
Article 1.
(1) This Act provides for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to
the processing of personal data and the free movement of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation)
(Text with EEA relevance) (OJ L 119, 4. 5. 2016) (hereinafter referred to as the General Data Protection Regulation).
(2) This Act does not apply to the processing of personal data carried out by competent authorities for the purpose of prevention, investigation, detection or persecution
criminal offenses or the enforcement of criminal sanctions, including protection against and prevention of public security threats, as well as in the area of ​​national
security and defense.
Gender neutrality
Article 2
Terms used in this Act that have a gender meaning, whether used in masculine or feminine gender, include:
the same way male and female.
concepts
Article 3
(1) Terms within the meaning of this Act have the same meaning as those used in the General Data Protection Regulation.
(2) "Public authorities" within the meaning of this Act are: state administration bodies and other state bodies, units of local and regional (regional)
self.
II. COMPETENT AUTHORITIES
The supervisory authority
Article 4
(1) The supervisory authority, within the meaning of Article 51 of the General Data Protection Regulation, is the Personal Data Protection Agency (hereinafter:
Agency).
(2) The Agency is an independent state body. The Agency is independent and independent in its work and is responsible for its work to the Croatian Parliament.
(3) The seat of the Agency shall be in Zagreb.
Accreditation body
Article 5
National accreditation body designated in accordance with Regulation (EC) No 1049/2001 765/2008 of the European Parliament and of the Council of 9 July 2008 o
determining the requirements for accreditation and market surveillance in respect of the placing on the market of a product and repealing Regulation (EEC) No. 339/93
the competent authority is to accredit certification bodies in accordance with Article 43 (1) of the General Data Protection Regulation.
Authority of the Agency
Article 6
(1) In addition to the powers set out in the General Data Protection Regulation, the Agency shall perform the following tasks:
- when prescribed by a special law, may institute and have the right to participate in criminal, misdemeanor, administrative and other judicial and
out-of-court proceedings for breach of the General Data Protection Regulation and this Act
- adopts the Criteria for determining the amount of compensation for administrative costs referred to in Article 43, paragraph 2 of this Law and the Criteria for determining the amount
fees referred to in Article 43, paragraph 3 of this Act
- publish individual decisions in accordance with Articles 18 and 48 of this Law on the Agency's web pages
- initiates and conducts appropriate actions against responsible persons for violation of the General Data Protection Regulation and this Law
- performs the tasks of an independent oversight body to monitor the application of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on
the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or
the enforcement of criminal sanctions and the free movement of such data and the repeal of Council Framework Decision 2008/977 / JHA, unless
special regulations do not specify otherwise
- performs other legally prescribed tasks.
(2) If the Agency questions the validity of the European Commission's implementing decision on adequacy and standard contractual clauses, it shall suspend
will administrative proceedings and transfer the case to the High Administrative Court of the Republic of Croatia for the administrative matter.
(3) In the procedure referred to in paragraph 2 of this Article, the High Administrative Court of the Republic of Croatia, if it considers that the decision of the European Commission is not valid,
will apply for a review of the validity of the present decision to the Court of Justice of the European Union in accordance with Article 267 of the Treaty on the Functioning of the European Union.
(4) The Agency shall supervise the implementation of this Act.
III. AGENCY FOR PERSONAL DATA PROTECTION
Managing the Agency
Article 7
(1) The work of the Agency shall be managed by the Director (hereinafter: the Director).
(2) The director has a deputy.
(3) The Director and Deputy Director shall be appointed by the Croatian Parliament at the proposal of the Government of the Republic of Croatia, based on a public invitation for delivery.
candidacy.
(4) The director and the deputy director shall be appointed for a term of four years and may be appointed to this position no more than twice.
(5) The central state administration body competent for the state administration system shall announce a public invitation for submission of candidatures for the director and the deputy
of the Director no later than six months before the expiry of the term of office of the Director and Deputy Director, or 30 days after the termination of office at the latest
the term of office ceased before the expiration of his term of office. The central state administration body shall submit the competent state administration system to the Government of the Republic of Croatia
nominations submitted, indicating the candidates who submitted timely and complete candidacy.
(6) The Government of the Republic of Croatia shall determine the proposal of the candidate for director or deputy director and submit it to the Croatian Parliament.
(7) In the event of termination of the Director's term of office, before the expiration of the term for which the Director has been appointed, the Deputy Director shall act until
appointing a director in a procedure initiated pursuant to paragraph 5 of this Article, for a maximum of six months.
Conditions for appointment of the Director and Deputy Director
Article 8
(1) A person who fulfills the following conditions may be appointed Director and Deputy Director:
- holds Croatian citizenship and residence in the Republic of Croatia
- has undergraduate and graduate university degree or integrated undergraduate and graduate university degree or specialist
undergraduate and graduate professional studies
- has at least ten years of professional experience
- is a prominent expert with a recognized professional reputation and expertise in the field of personal data protection
- has not been convicted and is not being prosecuted for the offenses for which the proceedings are instituted ex officio
- not a member of a political party.
(2) The provisions of the regulations governing the obligations and rights of state officials and regulations governing the application of the Director and Deputy Director shall apply to the Director.
regulates conflict of interest prevention.
(3) The coefficient for calculating the salary of the Director is 5.50.
(4) The coefficient for calculating the salary of the Deputy Director is 4.26.
Dismissal of the Director and Deputy Director
Article 9
(1) The Croatian Parliament shall dismiss the duties of the Director and the Deputy Director before the expiration of the term for which he was elected:
- if he asks for it himself
- if circumstances no longer qualify for election arise
- if he committed a serious breach of duty. A director or a deputy director is considered to have committed a serious breach of duty if he or she does not perform
duty in accordance with law.
(2) The procedure for dismissal of the Director and the Deputy Director shall be initiated at the proposal of the Government of the Republic of Croatia.
Expert service
Article 10
(1) The Agency shall have a professional service.
(2) The provisions of the regulations governing the rights and obligations of civil servants shall apply to employees of the Agency's professional service.
(3) The manner of work, the manner of planning and carrying out the affairs, the internal organization and other matters important for the performance of the Agency's activities shall be regulated.
Rules of Procedure of the Agency issued by the Director.
(4) The Agency's Rules of Procedure shall be approved by the Croatian Parliament. The Ordinance shall be published in the Official Gazette.
(5) A decree laying down the principles governing the internal organization of the body shall be appropriately applied to the internal organization of the Agency's professional service.
state administration, in the part related to state administrative organizations.
(6) The Director shall adopt the Ordinance on the Internal Order, which regulates the number of civil servants required to perform their jobs indicating their status.
basic tasks and tasks, and the professional conditions necessary for their performance, their powers and responsibilities, and other issues of relevance to the work
Agencies.
Article 11
The director, deputy director and officers of the Agency may not perform the duties of data protection officer for another manager or executor
Release.
Article 12
(1) The director, the deputy director and the officers of the Agency who carry out the supervision activities shall have an official ID card proving their official identity.
trait, identity and authority.
(2) The form and content of the official identity card shall be determined by the Rules of Procedure referred to in Article 10 of this Act.
Article 13
(1) The director, deputy director and employees of the Agency shall be bound by professional secrecy or other appropriate type of secret, in accordance with
the law governing the confidentiality of information, to safeguard all personal and other confidential information they learn in the performance of their duties.
(2) The obligation referred to in paragraph 1 of this Article shall continue after the termination of the duties of the director, deputy director, or after the termination of service
in the Agency.
Cooperation with state administration bodies and other bodies
Article 14
Central state administration bodies and other state bodies are obliged to submit draft laws and other regulations to the Agency.
regulate issues related to the processing of personal data for the purpose of giving expert opinions in relation to the field of personal data protection.
Collaboration with data protection supervisory authorities of other countries
Article 15
(1) Representatives of the visiting supervisory authority shall have the power to conduct joint operations, including investigations and joint enforcement measures, in
in accordance with the provisions of this Act and the General Data Protection Regulation.
(2) By agreement between the Agency and the Visiting Supervisory Body, the Agency shall authorize the representatives of the Visiting Supervisory Body to monitor and
participate in the conduct of surveillance activities in accordance with Article 62 of the General Data Protection Regulation.
(3) The agreement referred to in paragraph 2 of this Article shall establish the investigative powers referred to in Article 58 (1) of the General Data Protection Regulation to be granted.
the visiting supervisory authority and the personal name and position of the representative of the visiting supervisory authority to participate in the joint operation.
(4) When representatives of the visiting supervisory authority participate in joint operations in the territory of the Republic of Croatia, the processing manager, the executor
the processing and the respondent and all other parties directly involved in the specific action must be aware that before the joint operation begins
The operation is also attended by representatives of the visiting supervisory authority.
Funds for the Agency's work
Article 16
Funds for the work of the Agency are provided in the state budget of the Republic of Croatia.
Annual Work Report
Article 17
(1) The Agency shall submit an annual report on its work to the Croatian Parliament no later than March 31 of the current year for the previous year.
The annual report must include:
- number of inquiries of respondents and number of complaints
- the number of decisions taken on the complaint of the respondents and ex officio, including the number of supervisory activities carried out
- number of reports received by the processing manager on the breach of personal data referred to in Article 33 of the General Data Protection Regulation and on surveillance activities
conducted on the occasion of such reports
- number of prior consultations carried out in accordance with Article 36 of the General Data Protection Regulation
- Code of Conduct and Certification actions pursuant to Articles 40 to 43 of the General Data Protection Regulation
- number of approved contractual clauses and provisions of administrative arrangements in accordance with Article 46 (3) of the General Data Protection Regulation
- number and type of violations identified, issued warnings, official warnings and imposed administrative fines and other types of measures taken
in accordance with Article 58 (2) of the General Data Protection Regulation
- Number and description of international treaties, laws and regulations to which he / she gave an opinion regarding the area of ​​personal data protection, with
indication of when the opinion was given at the request of the competent authority and when ex officio
- a description of activities within the European Data Protection Board and other umbrella organizations in the field of personal data protection
- description of cooperation activities with state and other bodies in the Republic of Croatia
- a description of the awareness activities of individuals, processing managers, processing executives and other target groups
- analysis and evaluation of the exercise of the right to the protection of personal data.
(2) The annual report shall also contain information on the realized revenues and expenses for the reporting period for which the report is submitted.
on the number of employees and the structure of employees by qualifications.
(3) The annual report shall be published on the Agency's website.
Publication of the Agency's opinions and decisions
Article 18
(1) Agency decisions and opinions regarding the types of processing that, given the nature, extent, context and purpose of processing, may cause
high risk to the rights and freedoms of individuals are published on the Agency's website.
(2) The opinions and decisions referred to in paragraph 1 of this Article shall be anonymised or pseudonymized.
(3) By way of derogation from paragraph 2 of this Article, where the opinions and decisions of the Agency referred to in paragraph 1 of this Article refer to minors,
the technique of anonymizing information relating to them to ensure a high level of protection of their privacy.
IV. PERSONAL DATA PROCESSING IN SPECIAL CASES
Child consent in relation to information society services
Article 19
(1) In applying Article 6 (1) (a) of the General Data Protection Regulation, in relation to the provision of information society services directly to a child,
the processing of personal data of a child is legal if the child is at least 16 years old.
(2) The provision of paragraph 1 of this Article shall apply to a child whose place of residence is in the Republic of Croatia.
(3) Any act contrary to the provisions of this Article shall be considered a violation of Article 8 of the General Data Protection Regulation and shall be subject to sanction.
in accordance with Article 83 of the General Data Protection Regulation.
Genetic data processing
Article 20
(1) It is forbidden to process genetic data for the purpose of calculating the appearance of diseases and other health aspects of subjects in the framework of assembly actions or
executing life insurance contracts and contracts with lifetime clauses.
(2) With the consent of the respondents, the prohibition referred to in paragraph 1 of this Article cannot be lifted.
(3) The provision of paragraph 1 of this Article shall apply to respondents who, in the Republic of Croatia, conclude life insurance contracts and contracts with
experience clauses if processing is carried out by a processing manager established in the Republic of Croatia or providing services in the Republic of Croatia.
(4) Any act contrary to the provisions of this Article shall be considered a violation of Article 9 of the General Data Protection Regulation and shall be subject to sanction.
in accordance with Article 83 (5) of the General Data Protection Regulation.
Biometric data processing
Article 21
(1) The processing of biometric data in public authorities may only be carried out if it is specified by law and if it is necessary for the protection of persons,
property, classified information or trade secrets, taking into account that the interests of respondents who are contrary to the processing do not prevail
biometric data from this article.
(2) The processing of biometric data shall be deemed to be in accordance with the law if it is necessary to fulfill the obligations of international treaties in
related to identifying an individual in crossing a state border.
Article 22
(1) The processing of biometric data in the private sector can only be carried out if it is prescribed by law or if it is necessary for the protection of persons,
property, classified information, trade secrets or to individually and securely identify users of the services, taking into account that they do not prevail
the interests of respondents who are contrary to the processing of biometric data from this article.
(2) The legal basis for processing biometric data of respondents for the purpose of secure identification of users of services is the express consent of such respondent
given in accordance with the provisions of the General Data Protection Regulation.
Article 23
It is allowed to process biometric data of employees for the purpose of recording working hours and for entering and leaving official premises, if
is required by law or if such processing is carried out as an alternative to another solution for recording working hours or entering and exiting official
premises, provided that the employee has given express consent to such processing of biometric data in accordance with the provisions of the General Data Protection Regulation.
Article 24
(1) The provisions of this Act on the processing of biometric data shall apply to respondents in the Republic of Croatia if the processing is carried out by:
- Head of processing with business establishment in the Republic of Croatia or providing services in the Republic of Croatia
- public authority.
(2) The provisions of this Act on the processing of biometric data shall not affect the obligation to carry out an impact assessment in accordance with Article 35 of the General Decree on
data protection.
(3) The provisions of this Act on the processing of biometric data shall not apply to the fields of defense, national security and security,
intelligence system.
Processing of personal data by video surveillance
Article 25
(1) Video surveillance within the meaning of the provisions of this Act refers to the collection and further processing of personal data, which includes the creation of a recording
which makes or is intended to form part of a storage system.
(2) Unless otherwise stipulated by another law, the provisions of this shall apply to the processing of personal data through video surveillance systems.
Act.
Article 26
(1) The processing of personal data through video surveillance may only be carried out for the purpose necessary and justified for the protection of persons and property, if not
the interests of respondents who are opposed to the processing of data via video surveillance prevail.
(2) Video surveillance may include rooms, parts of rooms, the exterior surface of the building, as well as the interior space in public
traffic, and the supervision of which is necessary to achieve the purpose referred to in paragraph 1 of this Article.
Article 27
(1) The processing manager or the processing executor is obliged to indicate that the object or individual room in it and the exterior surface of the object are under
video surveillance, and the tag should be visible at the latest when entering the recording perimeter.
(2) The notification referred to in paragraph 1 of this Article must contain all relevant information in accordance with the provisions of Article 13 of the General Data Protection Regulation, and
a particularly simple and easy-to-understand image with text that provides respondents with the following information:
- the space is under video surveillance
- information about the processing manager
- contact information through which the respondent can exercise his rights.
Article 28
(1) The right of access to personal data collected through video surveillance is vested in the responsible person of the processing manager or the processing executor and / or
the person he authorizes.
(2) Persons referred to in paragraph 1 of this Article may not use video recordings from the video surveillance system contrary to the purpose specified in Article 26, paragraph 1 of this
Act.
(3) The video surveillance system must be protected from access by unauthorized persons.
(4) The processing manager and the processing executor shall establish an automated system of records for recording access to video surveillance recordings, which shall
contain the time and place of access, as well as the tag of the persons who accessed the data collected through the video surveillance.
(5) The competent state bodies shall have access to the information referred to in paragraph 1 of this Article within the framework of carrying out activities within their scope determined by law.
Article 29
Recordings obtained through video surveillance can be stored for a maximum of six months, unless otherwise prescribed by law or longer
evidence in judicial, administrative, arbitration or other equivalent proceedings.
Video surveillance of workrooms
Article 30
(1) The processing of personal data of employees through video surveillance systems may be carried out only if they are subject to the conditions laid down in this Act
the conditions laid down by the regulations governing occupational safety have been fulfilled and if the employees were adequately informed in advance of such
measures, and if the employer informed the employees before making the decision to set up a video surveillance system.
(2) Video surveillance of work premises shall not include rest rooms, personal hygiene and changing rooms.
Video surveillance of residential buildings
Article 31
(1) The establishment of video surveillance in residential or commercial-residential buildings requires the consent of co-owners of at least 2/3
co-ownership parts.
(2) Video surveillance may cover only access to entrances and exits of residential buildings and common rooms in residential buildings.
(3) It is prohibited to use video surveillance to monitor the performance of janitors, cleaners and other persons working in an apartment building.
Video surveillance of public areas
Article 32
(1) Monitoring of public areas through video surveillance is allowed only to bodies of public authority, legal persons with public authority and legal entities.
to persons performing public service only if prescribed by law, if necessary for the performance of the tasks and tasks of public authorities or for the protection
the life and health of the people of that property.
(2) The provisions of this Article shall not preclude the application of Article 35 of the General Data Protection Regulation to the systematic monitoring of a publicly accessible area in
largely.
Processing of personal data for statistical purposes
Article 33
(1) In the framework of the processing of personal data for the purpose of producing official statistics in accordance with specific regulations in the field of official statistics, the bodies
which produce official statistics are not obliged to provide respondents with the right of access to personal data, the right to correct personal data, the right to
restriction of the processing of personal data or the right to object to the processing of personal data in order to ensure the conditions necessary for the achievement of the purpose
official statistics to the extent that such rights are likely to be precluded or seriously jeopardized and, where such rights are attained,
derogations necessary to achieve these purposes.
(2) Bodies responsible for producing official statistics shall apply the technical and organizational measures for the protection of data collected for
official statistics needs.
(3) Managers of the processing of personal data are not obliged to inform bodies responsible for official statistics when transferring personal data
respondents on the transfer of personal data for statistical purposes.
(4) The processing of personal data for statistical purposes is considered to be in line with the purpose for which the data were collected, provided that they are undertaken
appropriate safeguards.
(5) Personal data processed for statistical purposes shall not allow identification of the data subject.
V. PROCEDURE IN AGENCY'S JURISDICTION AND REMEDIES
Article 34
(1) Anyone who considers that a right guaranteed by this Act and the General Data Protection Regulation has been violated may submit to the Agency
a claim for infringement.
(2) The Agency shall decide on the violation of rights by a decision.
(3) The decision of the Agency is an administrative act.
(4) No appeal shall be allowed against the Agency's decision, but an administrative dispute may be brought before the competent administrative court.
Article 35
(1) If the decision requires the deletion or other irreversible removal of personal data, the dissatisfied party may ask the competent
the administrative court postpones the deletion or other irreversible removal of personal data if it proves that a disproportionate effort would again
collected personal information whose deletion or irreversible removal is requested.
(2) If the competent administrative court accepts the request referred to in paragraph 1 of this Article, the party ordered to delete or otherwise irreversibly remove the personal
the data is obliged to block all processing of the disputed personal data, except their storage, until a final court decision is rendered.
Implementation of supervision
Article 36
(1) Authorized officers of the Agency independently, and in certain cases with the participation of representatives of the visiting supervisory body (hereinafter
"Authorized persons") may carry out announced or unannounced surveillance. Supervised person or processing manager supervises the implementation of unannounced supervision
or the processing executor will be notified at the location and at the time of the inspection.
(2) Prior to the commencement of the supervision referred to in paragraph 1 of this Article, authorized persons shall present themselves by presenting an official ID and order for
supervision.
(3) If the obstruction is expected to be impeded by the conduct of surveillance, the Agency shall submit a written request to the ministry responsible for
internal affairs to assist in carrying out these supervisory activities.
(4) Upon request of the Agency, the ministry responsible for internal affairs shall, in accordance with special regulations, provide assistance in
the implementation of the surveillance referred to in paragraph 2 of this Article.
(5) The order for carrying out the supervision referred to in paragraph 1 of this Article shall be issued by the Director of the Agency.
Copies, printing and temporary taking of storage systems and equipment
Article 37
(1) Authorized persons may, where necessary, make copies of available documents, copy all contents of the storage system and collect others
relevant information.
(2) If, for technical reasons, it is not possible to make copies of the necessary documentation during surveillance, the authorized persons shall, as appropriate, withdraw
necessary storage systems and equipment that contains other relevant information and retain it as long as necessary to produce copies of that documentation, and
up to 15 days from the date of seizure of storage and equipment.
(3) Authorized persons may seal storage systems or equipment during surveillance and to the extent necessary for the implementation of surveillance
activities if there is a risk of destruction or alteration of evidence, for a maximum of 15 days from the date of printing of the storage system or equipment.
(4) An authorized person shall be obliged to make an official note on the copying, printing and temporary taking of the storage system and equipment.
provide relevant information about the data or equipment covered by the operation and hand over a copy to the supervised entity.
Suspicion of a criminal offense
Article 38
If, during the course of the surveillance, he / she becomes aware or finds objects that indicate that he / she has been prosecuted
Duties, authorized persons shall inform the competent police station or the State Attorney as soon as possible.
Classified information
Article 39
(1) Any access, copying and any other processing of data classified with a security classification by a specific regulation
shall be conducted in accordance with the regulations governing the protection of confidentiality of information.
(2) Any access, copying and any other processing of data classified with a classification by virtue of a special regulation
it will be conducted by officials who hold a valid certificate of access to classified information in accordance with the regulations governing the protection of confidentiality of information.
Record of supervision carried out
Article 40
(1) Minutes shall be made of the supervision carried out. The minutes shall contain in particular:
1. place and date of implementation of supervision
2. an indication of whether the surveillance was announced or unannounced
3. the personal names and signatures of the authorized persons who participated in the surveillance and the representative of the supervised person
4. a description of the course and content of each action taken during the monitoring and the statements made
5. a list of documents and other objects used, copied, sealed and / or temporarily seized during the surveillance activity
6. a lesson on the right to comment on the minutes.
(2) If the record referred to in paragraph 1 of this Article has been drawn up directly at the place of supervision, the supervised person may file observations on
the record that the authorized person will enter into it.
(3) If the record referred to in paragraph 1 of this Article has been drawn up after the supervision has been carried out, it shall be forwarded to the supervised person.
(4) The supervised person shall have the right to file observations in the minutes referred to in paragraphs 2 and 3 of this Article within 15 days from the date of his receipt.
in writing. Within 15 days from the receipt of the objection, the supervised person will be provided with a written response on acceptance or non-acceptance.
objections.
(5) If the supervised person does not submit objections to the record within the time limit referred to in paragraph 4 of this Article, it shall be considered that it has no objection to it.
Representing respondents
Article 41
Respondent has the right to authorize a non-profit body, organization or association established in accordance with the law, which states the goals
is of public interest and is active in the field of the protection of the rights and freedoms of respondents with regard to the protection of their personal data, to file a complaint in
to exercise on his behalf and to exercise on his behalf the rights referred to in Articles 77, 78 and 79 of the General Data Protection Regulation and the right to compensation referred to in Article 82 of the General Regulation on
data protection.
Giving expert opinions
Article 42
(1) At the written request of a natural or legal person, the Agency shall give an expert opinion in the field of personal data protection, not later than 30 days from
days of submission, depending on the complexity of the application.
(2) If it is necessary to involve other bodies at home or abroad when giving expert opinion for the purpose of obtaining data or information
relevant for expert opinion, the deadline for giving the opinion referred to in paragraph 1 of this Article may be extended by another 30 days.
Fee for acting on request
Article 43
(1) The performance of the Agency's tasks shall be carried out without charge in respect of respondents, personal data protection officers, journalists and public authorities.
(2) The Agency will charge a reasonable fee based on administrative costs or refuse to act on the request if the respondent's requests are clearly
unfounded or excessive, and especially because of their frequency.
(3) The Agency shall charge a fee for giving opinions to business entities (law firms, consultants, etc.) that are business
subjects requested for the purpose of carrying out their regular business or providing services.
(4) The criteria for determining the amount of compensation referred to in paragraphs 2 and 3 of this Article shall be laid down by the Agency. The criteria shall be published in the Official Gazette and on
the Agency's website.
(5) The amount of compensation referred to in paragraphs 2 and 3 of this Article shall be paid in favor of the state budget.
YOU. EXPRESSION OF ADMINISTRATIVE FINES
Article 44
(1) The Agency shall impose administrative fines for violations of the provisions of this Act and the General Data Protection Regulation, in accordance with Article 83 of the General Regulation
on data protection.
(2) If an administrative fine is imposed against a legal person with public authority or against a legal person performing public service, pronounced
the administrative fine shall not jeopardize the exercise of such public authority or public service.
Article 45
(1) Administrative fines shall be imposed by decision.
(2) The decision referred to in paragraph 1 of this Article shall determine the amount and manner of payment of the administrative fine. The decision may determine that the administrative money
the penalty is paid in installments.
(3) Where, in accordance with Article 83 of the General Regulation, administrative fines are imposed in addition to the measures referred to in Article 58 (2) (a) to (h) and (j) of the General
of the decree, the decision on the administrative fine is made upon the validity of the decision imposing the measure.
(4) No appeal shall be allowed against the decision referred to in paragraph 1 of this Article, but an administrative dispute may be instituted before the competent administrative court.
(5) The criteria for installment repayment and conditions for termination of installment repayment of the administrative fine shall be determined by the Agency according to the amount of the administrative fine.
The criteria shall be published in the Official Gazette and on the Agency's website.
Article 46
(1) An administrative fine shall be paid within 15 days from the date of the final decision rendering it.
(2) If the party fails to pay the administrative fine within the prescribed period or upon maturity of the last installment if installment payment is approved,
The Agency shall inform the Regional Office of the Tax Administration of the Ministry of Finance in the territory of which it is domiciled or the seat of the party to which it is
imposed administrative fine, for the purpose of collecting administrative fine by compulsory payment under the regulations on compulsory tax collection.
(3) Administrative fines shall be paid in favor of the state budget.
(4) By way of derogation from paragraph 2 of this Article, no interest shall be charged on the overdue and unpaid administrative fine.
Exclusion of administrative fines
to public authorities
Article 47
Without prejudice to the exercise of the Agency's powers set out in the provision of Article 58 of the General Data Protection Regulation in the proceedings conducted
an administrative fine may not be imposed on a public authority against a public authority for violations of this Act or the General Data Protection Regulation.
Article 48
The final decision shall be published on the Agency's website without anonymizing the perpetrator, if the decision determines
violations of this Act or of the General Data Protection Regulation in relation to the processing of personal data of minors, special categories of personal data,
automated individual decision-making, profiling, if the violation was committed by the processing manager or the processing performer who had already violated
provisions of this Act or of the General Data Protection Regulation or if a decision has been taken on an administrative fine in the amount of
at least HRK 100,000.00 which has become final.
The limitation period for executing an administrative fine
Article 49
(1) The statute of limitations on the right to collect administrative fines shall be governed by the provisions of the general law governing the tax procedure.
(2) The statute of limitations begins to run from the day the decision becomes final.
(3) During the period of installment repayment, the administrative fine shall not run.
VII. INFRINGEMENTAL PROVISIONS
Article 50
(1) A fine for an offense in the amount of HRK 5000.00 to HRK 50,000.00 shall be imposed on:
- a person acting as the Director and Deputy Director of the Agency if he discloses to the unauthorized person confidential information which he has learned in
performing their duties in accordance with Article 13 of this Law
- an official of the Agency who discloses to an unauthorized person confidential information which he has learned in the performance of his duties in accordance with Article 13.
of this Act.
(2) The authorized prosecutor for the offense referred to in this Article shall be the Attorney General.
VIII. ADMINISTRATIVE FINES
Article 51
An administrative fine of up to HRK 50,000.00 shall be imposed on:
- the processing manager and the processing contractor who do not mark the object, premises, parts of the room and the exterior surface of the facility in the manner prescribed in Article 27.
of this Act
- processing manager and processing executor who do not establish an automated system of records for recording access to video surveillance recordings, in accordance with
Article 28, Paragraph 4 of this Law
- persons referred to in Article 28, paragraph 1 of this Act, who use video recordings from the video surveillance system contrary to Article 28, paragraph 2 of this Act.
IX. TRANSITIONAL AND FINAL PROVISIONS
Article 52
(1) On the day this Law enters into force:
- Personal Data Protection Agency established by the Law on Personal Data Protection (Official Gazette 103/03, 118/06, 41/08, 130/11 and
106/12. - consolidated text; hereinafter referred to as the Personal Data Protection Agency), as a legal person with public authority, becomes a state body and
continues to operate under the same name
- The Agency, as a successor of the Personal Data Protection Agency, takes over its affairs, records and other documentation, funds for
work, financial resources, rights and obligations, as well as employees
- Employees of the Personal Data Protection Agency become civil servants or employees.
(2) Until the adoption of the ordinance on the internal order referred to in Article 54 of this Act and the allocation to posts in accordance with the regulations on state
employees of the Agency for the Protection of Personal Data continue to perform the activities they were found on the day this Law enters into force.
Law and retain all employment rights.
Article 53
(1) Within eight days from the day this Law enters into force, the central state administration body competent for the state administration system shall initiate
the process of appointing a director and a deputy director.
(2) A person found in the position of the Director of the Agency for Protection of Personal Data on the day this Law enters into force shall continue to perform
the duty of the Director until the appointment of the Director of the Agency in accordance with this Act.
Article 54
(1) The Director shall, within 60 days from the day of his appointment, submit to the Croatian Parliament for approval the Agency's Rules of Procedure.
(2) The Director shall, within 30 days from the entry into force of the Ordinance referred to in paragraph 1 of this Article, adopt the Ordinance on the Internal Order.
(3) Until the Agency's Rules of Procedure enter into force, the Statute of the Agency for the Protection of Personal Data shall apply.
Article 55
Proceedings initiated before the entry into force of this Act shall continue and be completed in accordance with the provisions of the Personal Data Protection Act (
Gazette «, no. 103/03., 118/06., 41/08., 130/11. and 106/12. - consolidated text).
Termination of regulations
Article 56
With the entry into force of this Act, the Law on Protection of Personal Data (Official Gazette 103/03, 118/06, 41/08, 130/11 and 130/11 and
106/12. - consolidated text), the Decree on the manner of keeping and the form of records on personal data collections (Official Gazette, No. 105/04) and the Decree on the
the manner of storage and special measures of technical protection of special categories of personal data (Official Gazette 139/04).
Entry into force
Article 57
This Law shall be published in the Official Gazette and shall enter into force on 25 May 2018.
Class: 022-03 / 18-01 / 55
Zagreb, 27 April 2018
CROATIAN PARLIAMENT
President
Of the Croatian Parliament
Gordan Jandroković, v. R.
General Terms of Use Privacy Policy European Legislation Identifier (ELI) © 2020. g. Official Gazette d.d. , production of Noven d.o.o.