Croatia Data Privacy Laws: GDPR Implementation Guide (2026)

Croatia has emerged as one of the more aggressive GDPR enforcers among smaller EU member states. The Croatian Personal Data Protection Agency (AZOP) made headlines in 2025 with a series of penalties totaling nearly EUR 7 million, targeting sectors from telecommunications and banking to energy and insurance.
For a country that joined the EU only in 2013, Croatia has built an impressive data protection enforcement track record. This guide covers the full scope of Croatian data privacy law and what the recent enforcement surge means for organizations operating in the country.
Legal Framework and GDPR Implementation
Croatia's data protection framework operates under the GDPR as supplemented by the Act on Implementation of the General Data Protection Regulation. This national legislation prescribes additional rules in areas where the GDPR grants member states flexibility.

The Act addresses several specific topics including data processing in the context of employment, the processing of genetic and biometric data, and the use of video surveillance. It entered into force alongside the GDPR on 25 May 2018, reflecting Croatia's commitment to having implementing legislation ready from day one.
Constitutional Foundation
The Croatian Constitution protects the right to privacy through Article 35 (right to respect for and legal protection of personal and family life and dignity and reputation) and Article 37 (safety and secrecy of personal data). These constitutional provisions provide a foundation that courts reference when interpreting data protection requirements.
AZOP: Croatia's Data Protection Authority
AZOP (Agencija za zaštitu osobnih podataka) is Croatia's sole independent public supervisory authority for data protection. Based in Zagreb, AZOP is responsible for monitoring and enforcing compliance with the GDPR and national data protection legislation.
AZOP operates with full independence from the government and other state bodies. The agency handles complaints, conducts investigations, issues guidance, and imposes administrative sanctions.
Powers and Functions
AZOP holds the complete range of GDPR enforcement powers. It can conduct audits and investigations, issue orders requiring compliance, impose temporary or permanent processing bans, order data erasure, and levy administrative fines. The agency can investigate on its own initiative or in response to complaints, including anonymous complaints, as several recent cases have demonstrated.
AZOP also maintains advisory functions, providing opinions on draft legislation and issuing guidelines for organizations working toward compliance.
2025 Enforcement: A Landmark Year
Croatia's GDPR enforcement reached new heights in 2025, with AZOP imposing nearly EUR 7 million in total fines across multiple sectors.
Telecommunications Operator (EUR 4.5 Million)
The largest fine in Croatian GDPR history was the EUR 4.5 million penalty against a telecommunications operator. AZOP found multiple violations including the transfer of personal data to third countries without a valid transfer instrument, failure to provide transparent information to data subjects about international transfers, processing copies of employees' identity cards and criminal background certificates without a legal basis, and failure to conduct appropriate prior checks of a data processor.
This case demonstrated AZOP's willingness to impose substantial fines for cross-border transfer compliance failures, a growing enforcement priority across the EU.
Bank Mobile App (EUR 1.5 Million)
AZOP imposed a EUR 1.5 million fine on a bank for processing personal data of 433,922 users without a valid legal basis through software embedded in mobile banking applications for Android and Huawei devices. The case highlighted the data protection risks of third-party software components integrated into consumer-facing applications.
B2 Kapital Debt Collection (EUR 2.26 Million, 2023)
Although it predates the 2025 wave, the EUR 2.26 million fine AZOP imposed on debt collection agency B2 Kapital in 2023 remains one of the largest Croatian GDPR penalties and set the pattern for the cases that followed. It was triggered by an anonymous complaint alleging unauthorized processing of personal data. The investigation revealed that the agency had processed first names, last names, dates of birth, and personal identification numbers (OIB) of 77,317 individuals without proper authorization.
Croatian Insurance Bureau (EUR 101,000)
The Croatian Insurance Bureau (HUO) was fined EUR 101,000 following an investigation prompted by an anonymous report alleging a leak of personal data related to more than one million vehicle owners from the national Register of Registered Vehicles.
OIB Personal Identification Number
Croatia's Personal Identification Number (Osobni identifikacijski broj, or OIB) is an 11-digit unique identifier permanently assigned to Croatian citizens, to legal persons established in Croatia, and to foreign natural and legal persons who establish residence or otherwise enter Croatian official records. The OIB serves as the primary means of identification across public administration, taxation, healthcare, and official records.
Because of its universal nature, the OIB receives elevated protection under Croatian data protection law. AZOP has taken enforcement action against organizations that publish or process OIB numbers without a proper legal basis, recognizing the heightened privacy risk when a universal identifier is exposed.
In a prize game case, where a controller published the OIB numbers and home addresses of prize winners on its website, AZOP demonstrated that even seemingly minor data exposures involving the OIB will attract enforcement attention.
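Because the OIB is a fixed-format identifier, it can be hunted for in logs, exports and web content before AZOP or an anonymous complainant finds it. The script below is an added example written for this guide, not code from AZOP or from the article's sources. It relies on the fact that the OIB's eleventh digit is a check digit computed with ISO 7064 MOD 11,10, which lets a scanner separate real OIBs from other 11-digit strings such as order or phone numbers, and then replaces each hit with a keyed pseudonym. The log line, the OIB value and the HMAC key are constructed test inputs, not data from any of the cases above.

```python
"""Find, validate and redact Croatian OIB numbers in free text.

An OIB is 11 digits: 10 identifying digits followed by a check digit
computed with ISO 7064 MOD 11,10. Checking the digit lets a DLP-style
scan skip the many 11-digit strings that are not identifiers.
"""
import hashlib
import hmac
import re

# Exactly 11 digits that are not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")


def oib_check_digit(first_ten: str) -> int:
    """ISO 7064 MOD 11,10 check digit for the first 10 digits of an OIB."""
    if len(first_ten) != 10 or not first_ten.isdigit():
        raise ValueError("expected exactly 10 digits")
    acc = 10
    for ch in first_ten:
        acc = (acc + int(ch)) % 10
        if acc == 0:          # the algorithm treats a zero remainder as 10
            acc = 10
        acc = (acc * 2) % 11
    check = 11 - acc
    return 0 if check == 10 else check


def is_valid_oib(candidate: str) -> bool:
    """True only for an 11-digit string whose check digit is consistent."""
    if len(candidate) != 11 or not candidate.isdigit():
        return False
    return oib_check_digit(candidate[:10]) == int(candidate[10])


def find_oibs(text: str) -> list[str]:
    """All checksum-valid OIBs in the text, in order of appearance."""
    return [m.group(0) for m in _CANDIDATE.finditer(text)
            if is_valid_oib(m.group(0))]


def pseudonymize_oib(oib: str, key: bytes) -> str:
    """Keyed hash: records stay joinable, but the OIB is not recoverable
    without the key (plain SHA-256 of an 11-digit value is brute-forceable)."""
    return hmac.new(key, oib.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def redact_oibs(text: str, key: bytes) -> str:
    """Replace every valid OIB with a pseudonym; leave other digit runs alone."""
    def _sub(match: re.Match) -> str:
        value = match.group(0)
        if is_valid_oib(value):
            return "OIB:" + pseudonymize_oib(value, key)
        return value
    return _CANDIDATE.sub(_sub, text)


# Constructed sample line (not from any real system). The oib= value passes
# the checksum; the 11-digit order number fails it and must be left intact.
SAMPLE_LOG = ("2025-05-02 10:14:33 INFO winner published name=J.D. "
              "oib=69435151530 order=12345678901 address=Ilica 1, Zagreb")

if __name__ == "__main__":
    # Placeholder key for the demo; in production load it from a secret store.
    print(find_oibs(SAMPLE_LOG))
    print(redact_oibs(SAMPLE_LOG, b"demo-key-not-for-production"))
```

Run over a directory of exported CSVs or web server access logs, the same two functions give a quick inventory of where OIBs actually appear, which is the starting point for deciding whether each use has a legal basis or should be removed.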
Video Surveillance Rules
Croatia's implementing legislation includes specific provisions on video surveillance. The Act on Implementation of the GDPR establishes requirements for organizations deploying CCTV systems.
Surveillance must serve a legitimate purpose, typically security and property protection. Organizations must post clear signage informing individuals about the surveillance, conduct data protection impact assessments for large-scale systems, and establish proportionate retention periods.
AZOP has issued guidance on acceptable camera placement, retention periods, and access controls, and has pursued enforcement actions against organizations that fail to comply with these requirements.
Employment Data Processing
The Act on Implementation of GDPR includes specific provisions on data processing in the employment context. These provisions supplement the GDPR's general framework with Croatian-specific rules on what employee data may be processed, under what conditions, and with what safeguards.
Employers must ensure that any employee data processing is strictly necessary for the performance of the employment contract or compliance with legal obligations. The processing of genetic and biometric data of employees requires specific justification beyond the general employment relationship.
Data Breach Notification
Standard GDPR breach notification requirements apply in Croatia. Data controllers must notify AZOP within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, and, where the breach is likely to result in a high risk, must also inform the affected individuals without undue delay. AZOP provides notification procedures on its official website.
The Insurance Bureau case demonstrated that data leaks involving large numbers of individuals will trigger thorough AZOP investigations, even when identified through anonymous reports.
International Data Transfers
The telecommunications operator fine made international data transfers a high-profile enforcement area in Croatia. Organizations transferring data outside the EEA must ensure they have valid transfer instruments in place and provide transparent information to data subjects about such transfers.
Standard GDPR transfer mechanisms apply: adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, or applicable derogations. The EUR 4.5 million telecom fine makes clear that AZOP will impose significant penalties for transfer mechanism failures.
Age of Digital Consent
Croatia set the age of digital consent at 16 years old, maintaining the GDPR's default threshold. Children under 16 require parental authorization to consent to information society services.
Practical Compliance Tips
Organizations operating in Croatia should take AZOP enforcement seriously. The agency's 2025 fine total of nearly EUR 7 million demonstrates a supervisory authority that is willing and able to impose substantial penalties.
Review international data transfer practices carefully. The telecom fine showed that AZOP will examine transfer mechanisms, processor due diligence, and transparency obligations together. Ensure you have valid legal instruments for any transfers outside the EEA and that your privacy notices clearly explain these transfers.
Audit any third-party software embedded in your applications. The bank mobile app case highlighted the risk of processing personal data through integrated software components without proper legal basis or user transparency.
Protect OIB numbers with the same care you would give to sensitive personal data. Any unnecessary exposure or processing of OIB numbers is likely to attract AZOP attention.
Anonymous complaints can trigger investigations. AZOP has demonstrated willingness to investigate thoroughly based on anonymous tips, so organizations should not assume that data protection issues will go unnoticed simply because affected individuals do not formally complain.
Disclaimer: This article provides general information about Croatia's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Croatia for guidance on your specific situation.
Sources and References
- AZOP, National Legislation (azop.hr)
- AZOP, Telecom Fine (azop.hr)
- CMS, 2025 Enforcement (cms-lawnow.com)
- GDPRhub, AZOP (gdprhub.eu)
- OECD, Croatia OIB (oecd.org)