1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
In case of a personal data breach, the undertaking acting as a controller should notify the DPA without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where feasible, the notification should be provided not later than 72 hours after the controller became aware of the breach. Where the breach is not notified to the DPA within the 72-hour period, the controller is obliged to provide reasons for the delay.
When it comes to communicating the breach to the data subjects, the controller is obliged to do so without undue delay when the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The law (General Data Protection Regulation; the "GDPR") also prescribes the cases when the communication to the data subjects is not required.
Personal data breaches occurring in relation to a publicly available electronic communications service (the "PECS") must be notified by the PECS provider not only to the DPA but also to the Croatian Regulatory Agency for Networks Activities (the "HAKOM"). Additionally, if it is probable that the breach will adversely affect a service user's or other individual's personal data or privacy, the affected individual must also be notified without undue delay. The Electronic Communications Act (the "ECA") provides exceptions to this rule.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Thus, it may be concluded that an obligation to notify the DPA arises whenever such a breach involves personal data as defined under the GDPR (i.e. any information relating to an identified or identifiable natural person). In order to decide whether to report a breach, undertakings are obliged to assess on a case-by-case basis whether certain information represents personal data. The exemption applies if the breach is unlikely to result in a risk to the rights and freedoms of natural persons, i.e. in such a case it is not mandatory to notify the DPA.
When the personal data breach is likely to result in high risk to the rights and freedoms of natural persons, this should be communicated to data subjects as well. In accordance with the GDPR, the communication to the data subject is not required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it; (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; (c) it would involve disproportionate effort (in such a case, a public communication or similar measure whereby the data subjects are informed in an equally effective manner should be ensured). If the controller has not already communicated the personal data breach to the data subjects, the DPA, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that the situation falls under one of the cases when the communication to the data subjects is not required.
The notification obligation towards the DPA and the data subjects applies to controllers, while the processors must notify a controller without undue delay after becoming aware of a breach (i.e. the controller further decides on notification to the DPA and the data subjects).
PECS providers must notify HAKOM of a personal data breach regardless of whether they are acting as a controller or a processor in a given case. The relevant personal data breach is one that occurred in relation to the provision of PECS in the EU. It is defined similarly as under the GDPR (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed).
If the breach is likely to harm the personal data or privacy of a service user or other natural person, the affected individual, being a service user or other natural person, must be notified without undue delay. However, PECS providers can be exempted from the obligation to notify the affected individual if HAKOM issues an opinion establishing that appropriate technological measures were applied in a satisfactory manner to make the personal data unintelligible to any person attempting unauthorized access. Regardless of such an opinion, the DPA may require the PECS provider to notify the user or other individual of the breach if the breach could have a negative effect on that user or individual.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
The answers depend on the type of notifications, namely:
1.3.1 Notification to the DPA
The minimum set of information to be included in the notification is prescribed by the GDPR. Accordingly, the DPA has published a template for data breach notifications, which lists all the information that should be provided: information about the controller (name, seat, Croatian ID number (OIB)); details of the data protection officer or other contact person (name and surname, work address, function, phone number and email address); a description of the breach (including when it happened, or an assessment thereof), the categories and approximate number of individuals and data records affected; when the controller became aware of the breach (including reasons for any delay, if applicable); details of the potential consequences of the breach; and any measures taken or proposed to address the issue.
As mentioned under clause 1.1 above, the notification should be provided without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.
The notification should be delivered to the DPA's address: Agencija za zaštitu osobnih podataka, Selska cesta 136, 10000 Zagreb, and a scanned copy of the sent notification should be sent to the DPA's email address: firstname.lastname@example.org.
1.3.2 Notification to HAKOM
When a breach is being reported to HAKOM, apart from the breach description, the notification must contain a description of the consequences of the breach and information on suggested or undertaken measures for eliminating the cause of the breach.
The breach should be reported without delay, as soon as the information on the breach is available. There is a relevant bylaw in place regulating specific deadlines for the notification to HAKOM (depending on the type of breach) and including relevant notification templates – By-law on manners and deadlines for implementing the security and network and service integrity measures (in Croatian: Pravilnik o načinu i rokovima provedbe mjera zaštite sigurnosti i cjelovitosti mreža i usluga; Official Gazette No. 109/2012, 33/2013, 126/2013, 67/2016, 66/2019).
The notification should be sent by email: if it relates to an unauthorized network connection, it should be sent to email@example.com, and if it occurred as a computer security incident, to firstname.lastname@example.org.
1.3.3 Notification to affected individual(s)
Pursuant to the GDPR, the communication to the data subjects must describe in clear and plain language the nature of the personal data breach and contain at least: (a) the name and contact details of the data protection officer or other contact point where more information can be obtained; (b) the likely consequences of the breach; (c) the measures taken or proposed to be taken by the controller to address the breach.
In accordance with the available (EU) guidelines, communication with the affected persons should be direct (e.g. via email, SMS, direct message, postal communications), unless this would involve disproportionate effort (in such a case, a public communication or similar measure whereby the data subjects are informed in an equally effective manner should apply).
If the affected individual is being informed about the breach under the Electronic Communications Act, the notification must (at least) contain a description of the nature of the breach, a contact for additional information and suggested measures the individual can take to minimize the harmful effects of the breach.
The communication should be made without undue delay in each case.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
The DPA may impose a fine of up to EUR 10,000,000 or up to 2% of the undertaking's annual worldwide turnover, whichever is higher, for infringements of obligations related to data breach reporting. Also, the DPA may order the controller to communicate a personal data breach to the data subjects.
Based on the ECA in force at the moment hereof, a failure of a PECS provider to notify a breach related to personal data either to the relevant authority or to the affected individual(s) may result in a fine of HRK 100,000 (approx. EUR 13,500) to HRK 1,000,000 (approx. EUR 135,000) for the legal entity and a fine of HRK 20,000 (approx. EUR 2,650) to HRK 100,000 (approx. EUR 13,500) for the authorized representative of the legal entity. The ECA also envisages a general possibility of imposing certain measures against an undertaking or its authorized representative (such as a temporary prohibition of operations), although it is not highly likely that they would apply to a failure to notify a breach.
We are not aware of any specific provision on compensation claims for failure to notify. Nevertheless, based on the general provisions regulating compensation claims, it may be concluded that data subjects may bring compensation claims if they suffered material or non-material damage as a result of a failure to notify (e.g. because due notification would have enabled them to take the necessary precautions or prevent further damage).
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
It should be highlighted that the GDPR applies not only to undertakings established within the EU but also to those processing personal data of individuals who are in the EU where the processing is related to the offering of goods or services, or to the monitoring of individuals' behavior taking place within the EU.
As for non-local undertakings, the undertaking should assess whether the personal data breach falls under the scope of the GDPR. If so, notification to individuals is obligatory in accordance with the GDPR (for the requirements and exemptions of the obligation to communicate the breach to data subjects, please see clauses 1.1 – 1.3 above).
Generally, even in cases where there is no explicit legal requirement to notify affected individuals, we would recommend such notification, especially because by doing so you comply with internationally recognized data privacy standards.
1.6 What are the applicable (data protection) laws or guidelines within your country?
The main general data protection laws applicable in Croatia are:
- the General Data Protection Regulation; and
- the Act on Implementation of General Data Protection Regulation (in Croatian: Zakon o provedbi Opće uredbe o zaštiti podataka; Official Gazette No. 42/18).
In the electronic communications area, the main laws and regulations are:
- the Electronic Communications Act (in Croatian: Zakon o elektroničkim komunikacijama; Official Gazette No. 73/2008, 90/2011, 133/2012, 80/2013, 71/2014, 72/2017), implementing the so-called e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector); and
- By-law on manners and deadlines for implementing the security and network and service integrity measures (in Croatian: Pravilnik o načinu i rokovima provedbe mjera zaštite sigurnosti i cjelovitosti mreža i usluga; Official Gazette No. 109/2012, 33/2013, 126/2013, 67/2016, 66/2019).
Of course, the above is not a complete list of the laws and regulations governing data protection and privacy in Croatia, but a list of the main laws and regulations relevant to the questions answered herein. Depending on other specific questions or the relevant sector or industry of the interested party, other specific laws and regulations should be consulted as well.
1.7 Contact information for the local Data Protection Authority:
Data Protection Authority:
Agencija za zaštitu osobnih podataka
Selska cesta 136, 10000 Zagreb
+385 1 4609-000
Telephone number for questions related to the application of the GDPR: + 385 1 4609-080
+385 1 4609-099
Email for breach reporting: email@example.com
Croatian Regulatory Authority for Network Industries (HAKOM):
Roberta Frangeša Mihanovića 9, 10110 Zagreb
+ 385 (0)1 700 70 07
+ 385 (0)1 700 70 70
For notifications regarding unauthorized network connection: firstname.lastname@example.org
For notifications regarding computer security incidents: email@example.com
For more information, contact:
Odvjetničko društvo Bardek, Lisac, Mušec, Skoko d.o.o. in cooperation with CMS Reich-Rohrwig Hainz
Ilica 1, 10000 Zagreb, Croatia
+385 1 4825-600
+385 1 4825-601