Personal Data is protected according to the Constitution of the Republic of Croatia, Article 37 (Official Gazette, No. 85/10): “Everyone shall be guaranteed the safety and secrecy of personal data. Without consent from the person concerned, personal data may be collected, processed and used only under conditions specified by law. Protection of data and supervision of the work of information systems in the Republic shall be regulated by law.”
The Law on the Protection of Personal Data was in force from 2003 (NN 103/2003) with amendments in 2006, 2008, 2011 and 2012 (NN 118/06, NN 41/08, NN 130/11, NN 106/12) until 2018.In line with the transposition of the Directive 95/46/EC (General Data Protection Regulation-GDPR), the new Law on the Implementation of the General Data Protection Regulation (Official Gazette, No. 44/2018) was enacted on 25th May 2018 to ensure full implementation of the GDPR in Croatia.
It should be noted that as a Member State of the Council of Europe, the Republic of Croatia has accepted provisions of Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). On the 14th of April 2005 the Croatian Parliament ratified Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and Additional Protocol to the Convention for the Protection of Individuals with regard to automatic Processing of Personal Data regarding supervisory authorities and trans-border data flows) (Official Gazette, No. 04/05). The Croatian Personal Data Protection Agency is a supervisory authority in the Republic of Croatia established in 2004 by the Law on Personal Data Protection, and has responsibility for monitoring the application of the GDPR and the Law on the Implementation of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.