Croatia Data Privacy Laws: GDPR, AZOP Enforcement & Compliance Guide (2026)

Croatia protects personal data through the EU General Data Protection Regulation, supplemented by the Act on Implementation of the GDPR (NN 42/2018) and constitutional guarantees in Articles 35 and 37. The Croatian Personal Data Protection Agency (AZOP) enforces the law and imposed nearly EUR 7 million in fines in 2025.
Croatia has built one of the more assertive GDPR enforcement records among the newer EU member states. The Croatian Personal Data Protection Agency (AZOP) imposed nearly EUR 7 million in fines during 2025 alone, following a record EUR 10.5 million across 97 decisions in 2024. The country's constitutional protections, a detailed national implementing act, and a supervisory authority whose director serves as Deputy Chair of the European Data Protection Board combine to create a rigorous data protection environment.
This guide covers the full framework: from constitutional foundations and the national implementing act to specific enforcement cases, the OIB identifier regime, EU AI Act interaction, and practical compliance guidance for organizations active in Croatia.
Quick Answer: How Does Croatia Protect Personal Data?
Croatia applies the EU General Data Protection Regulation directly as binding law and supplements it with the Act on Implementation of the General Data Protection Regulation (Official Gazette NN 42/2018). The supervisory authority is AZOP, which holds full investigative, corrective, and advisory powers. Constitutional protections under Articles 35 and 37 of the Croatian Constitution underpin the entire framework. GDPR maximum penalties of up to EUR 20 million or 4% of global annual turnover, whichever is higher, apply, and AZOP has demonstrated its willingness to impose large fines across multiple sectors.
Internal links: For broader EU context, see our EU data privacy laws guide. For Croatia's recording consent rules, see Croatia recording laws.
Constitutional Foundations
Croatian data protection law is grounded in two constitutional provisions.
Article 35 guarantees everyone respect for and legal protection of personal and family life, dignity, reputation, and honor. This general privacy right shapes how Croatian courts interpret data protection obligations.
Article 37 goes further and specifically addresses personal data. It guarantees everyone the safety and secrecy of personal data. Without consent from the person concerned, personal data may be collected, processed, and used only under conditions specified by law. Critically, Article 37 also prohibits use of personal data contrary to the purpose of their collection, embedding a purpose limitation principle at the constitutional level. Protection of data and supervision of information systems are to be regulated by law.
These provisions predate the GDPR and reflect Croatia's own legal tradition of treating personal data as a fundamental right, not merely a regulatory compliance obligation.
The Legal Framework: GDPR Plus National Implementing Act
Croatia joined the EU on 1 July 2013, making it subject to EU data protection law. By the time the GDPR became applicable on 25 May 2018, the Croatian Parliament had already enacted the Act on Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka), which entered into force on the same day.
The Act operates as a complement to the directly applicable GDPR. It does not replace the GDPR but fills in areas where the regulation expressly permits member states to adopt additional national rules.
What the National Act Adds
The implementing act addresses several specific areas that the GDPR leaves to national discretion.
Employment data processing receives detailed treatment. The Act defines the conditions under which employers may process employee personal data, restricting processing to what is strictly necessary for the employment relationship, legal obligations, or collective agreements.
Genetic data in life insurance is addressed specifically. The Act prohibits insurers from using genetic data to calculate premiums or make coverage decisions, going beyond the GDPR's general sensitive-data protections.
Biometric data processing is subject to heightened requirements, particularly in employment and public-sector contexts.
Video surveillance is regulated in detail (discussed in its own section below).
The Act also sets Croatia's digital consent age at 16 years for information society services, adopting the GDPR's default rather than exercising the option to lower it to 13.
Legal entities performing public functions receive a modified fining regime under Article 44 of the Act: fines against such entities must not jeopardize the performance of their public duties, which explains why the Croatian Insurance Bureau received a EUR 101,000 fine rather than a larger penalty despite a data breach affecting over one million vehicle owners.
Repeal of Prior Law
The Act repealed the former Personal Data Protection Act (Official Gazette NN 103/03 and subsequent amendments), which had governed Croatian data protection since 2003, along with associated subordinate regulations.
AZOP: Croatia's Supervisory Authority
AZOP (Agencija za zaštitu osobnih podataka), the Croatian Personal Data Protection Agency, is the sole independent public supervisory authority under GDPR Article 51. AZOP has operated since 2004, making it one of the older data protection authorities in the region.
AZOP is accountable to the Croatian Parliament rather than to the executive branch, preserving its operational independence from government.
Leadership and European Role
Zdravko Vukić has served as AZOP Director since 2020 and was re-elected for a further four-year term in February 2024. In June 2024, the members of the European Data Protection Board elected Vukić as Deputy Chair of the EDPB, giving Croatia a significant role in shaping pan-European data protection policy.
Anamarija Mladinić, Head of AZOP's Sector for EU and International Cooperation, was elected Vice-Chair of the Convention 108 Committee in the same year, reinforcing Croatia's profile in international data protection governance.
AZOP's Powers
AZOP holds the full set of GDPR supervisory authority powers.
Investigative powers include: demanding information from controllers and processors, conducting data protection audits, accessing premises and processing equipment, and reviewing certifications and approved codes of conduct.
Corrective powers include: issuing warnings and reprimands, ordering controllers to comply with data subject requests, imposing temporary or permanent processing limitations or bans, ordering data rectification or erasure, withdrawing certifications and approvals, and imposing administrative fines under GDPR Article 83.
Advisory powers include: providing opinions to the Croatian Parliament and government on proposed legislation, issuing guidance and guidelines for organizations, approving codes of conduct, authorizing standard contractual clauses for international data transfers, and handling prior consultation requests for high-risk processing.
AZOP investigates both on the basis of formal complaints and on its own initiative. The agency has demonstrated that anonymous complaints can trigger full investigations resulting in multi-million-euro fines.
Legal Bases and Consent
All six GDPR legal bases apply in Croatia: consent (Article 6(1)(a)), contract performance (Article 6(1)(b)), legal obligation (Article 6(1)(c)), vital interests (Article 6(1)(d)), public task (Article 6(1)(e)), and legitimate interests (Article 6(1)(f)).
Consent must be freely given, specific, informed, and unambiguous. AZOP has scrutinized consent practices closely, particularly in digital contexts. The Erste Bank case demonstrated that embedding data collection within an app without a transparent, app-specific privacy notice does not constitute a valid legal basis for processing.
The legitimate interests basis requires a balancing test. AZOP expects documented assessments showing that legitimate interests are not overridden by the data subject's rights and freedoms.
Special categories of data (health, genetic, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation) require an Article 9 condition in addition to an Article 6 legal basis.
Data Subject Rights
Croatian residents hold all GDPR data subject rights: access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), and rights related to automated decision-making (Article 22).

Controllers must respond to rights requests within one month, with a possible two-month extension for complex or numerous requests. AZOP enforces response obligations actively. Failure to respond appropriately to a data subject's request for access to video surveillance footage was the basis for a fine against an energy company in a documented 2022 case.
AZOP provides accessible information on data subject rights on its official website, and residents can file complaints with AZOP directly if a controller fails to honor their rights.
Data Breach Notification
The standard GDPR breach notification regime applies. Controllers must notify AZOP within 72 hours of becoming aware of a personal data breach likely to result in risk to individuals' rights and freedoms. Where the risk is high, affected data subjects must also be notified without undue delay.
The notice to AZOP must describe the nature of the breach, the approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address the breach.
AZOP has confirmed it investigates data leaks thoroughly even when notified through indirect channels such as anonymous reports. The Croatian Insurance Bureau case, where a USB stick containing data on over one million vehicle owners was submitted anonymously, resulted in a EUR 101,000 fine focused on inadequate organizational and technical security measures and the absence of defined retention periods.
Processors must notify controllers without undue delay upon becoming aware of a breach.
Data Protection Officers
The obligation to designate a Data Protection Officer under GDPR Article 37 does not depend on an organization's size. A DPO is mandatory for public authorities and bodies (excluding courts acting in a judicial capacity), for controllers or processors whose core activities require regular and systematic large-scale monitoring of individuals, and for controllers or processors whose core activities involve large-scale processing of special category data or of data relating to criminal convictions and offences.
The DPO must be registered with AZOP. Contact details must be published and communicated to AZOP. The DPO must have expert knowledge of data protection law and practice.
The telecom operator enforcement case illustrates the importance of genuinely heeding DPO advice. AZOP's investigation found that the operator had disregarded its own DPO's recommendation that collecting copies of employee identity documents was excessive, which contributed to the severity of the penalty.
OIB: Croatia's Personal Identification Number

Croatia's Personal Identification Number (Osobni identifikacijski broj, OIB) is an 11-digit unique identifier permanently assigned to all natural persons who are Croatian citizens or who establish residence or other legal connections in Croatia. The OIB is used across public administration, taxation, healthcare, notarial records, banking, and most official transactions.
Because the OIB functions as a universal identifier, its exposure creates significant risk. If an OIB is combined with even basic personal information (name, date of birth), the combined profile becomes highly useful for identity fraud or unauthorized profiling.
AZOP treats unauthorized processing or publication of OIB numbers as a serious violation. Enforcement has been consistent:
In the B2 Kapital case, the debt collection agency processed OIB numbers of 77,317 individuals without authorization. The anonymous complaint included a USB stick containing the data. AZOP found violations of transparency obligations (Article 13), processor agreement requirements (Article 28), and security obligations (Article 32), resulting in a EUR 2.26 million fine. The company had not updated its privacy policy since the GDPR became applicable in May 2018.
AZOP has also taken action against a prize game organizer that published OIB numbers and home addresses of winners on its public website. Enforcement action followed even though the disclosure was incidental to a promotional campaign.
Organizations that collect OIB numbers for one purpose (such as tax reporting) must not use them for other purposes, must store them securely, and must not disclose them without a valid legal basis.
Video Surveillance Rules
Croatia's implementing act establishes specific rules for video surveillance that supplement the GDPR's general framework.
Surveillance must serve a clearly defined, legitimate purpose. The most commonly accepted purposes are protection of property and personal safety. General monitoring without a specific purpose is not lawful.
Organizations must display clear, prominent signage before any surveilled area. The signage must indicate who operates the surveillance, for what purpose, and how individuals can exercise their rights.
Retention periods must be defined and proportionate. The implementing act caps retention of surveillance footage at six months unless another law prescribes a longer period or the footage is evidence in legal proceedings, and organizations must establish internal policies that comply with that limit.
Data protection impact assessments (DPIAs) are required before deploying large-scale video surveillance systems, particularly in public or semi-public spaces.
Footage may only be accessed by authorized personnel for defined purposes. The energy company case, where AZOP fined an organization for failing to provide surveillance footage to a data subject who requested it under Article 15, illustrates that access controls must not prevent legitimate rights requests from being honored.
Employment Data Processing
The national implementing act specifically addresses employment data. Employers may process employee personal data where strictly necessary for:
- performance of the employment contract, or pre-contractual steps taken at the employee's request;
- compliance with legal obligations applicable to the employer;
- collective agreements that comply with data protection law.
The telecom operator case demonstrated the risks of over-collection in employment contexts. AZOP found that the operator collected copies of employee identity documents and criminal background certificates without a valid legal basis and without proper proportionality assessment. The DPO had flagged these practices as excessive, but the company continued them. This specific violation contributed materially to the total EUR 4.5 million penalty.
Employers intending to monitor employees, collect health or background data, or share employee information with service providers outside Croatia must conduct careful legal basis analysis and, where required, DPIAs.
International Data Transfers
Croatia's most consequential enforcement development was the November 2025 telecom fine, which put cross-border data transfers at the center of GDPR compliance.
The standard GDPR transfer framework applies. Data may only be transferred outside the European Economic Area if one of the following applies: the destination country has received an EU adequacy decision, the parties have executed Standard Contractual Clauses (SCCs) approved by the European Commission, the organization operates under Binding Corporate Rules, or an applicable derogation under GDPR Article 49 applies.
The telecom case involved a specific failure mode: the company had contracted with a processor in Serbia (not an EEA member and without an EU adequacy decision) and relied on SCCs, but the arrangement lapsed on 27 December 2022 (the date after which the pre-2021 Commission SCCs could no longer be relied on), and the company continued transferring data without executing new clauses. The processor had access to 847,862 user records with unrestricted administrative privileges. AZOP found violations of Articles 44, 46(1), 12(1), and 13(1)(f).

Key lessons from this case: organizations must conduct Transfer Risk Assessments before initiating transfers to third countries; SCC arrangements must be maintained and renewed when they expire; privacy notices must clearly and specifically describe international transfers rather than using vague permissive language; and processor due diligence must include verification of actual security measures before data sharing begins.
Serbia remains a third country for EU data transfer purposes as of 2026. The EU has not issued an adequacy decision for Serbia. Organizations routing Croatian personal data through Serbian processors must maintain valid SCCs and conduct periodic transfer risk assessments.
For EEA-to-EEA transfers (including to other EU member states), no transfer mechanism is required. Croatia's eurozone and Schengen membership facilitates cross-border commerce, but GDPR obligations remain fully applicable to personal data wherever it travels within the EEA.
Schengen and Eurozone Membership: Data Implications
Croatia joined both the Schengen Area and the eurozone on 1 January 2023, completing its integration into the EU's core frameworks after joining the Union in 2013.
Schengen Data Systems
Schengen membership brings Croatia into several shared EU law enforcement data systems:
The Schengen Information System (SIS II) is a shared database of alerts on wanted and missing persons, stolen property, and entry bans, accessible to Croatian police, border control, and other law enforcement officers. Its data protection rules are set by Regulation (EU) 2018/1861 for border checks and Regulation (EU) 2018/1862 for police and judicial cooperation.
Croatia also participates in EURODAC (the biometric fingerprint database for asylum applicants), the Visa Information System (VIS), and the Entry/Exit System (EES), which began its phased operational start on 12 October 2025. Croatia underwent its first periodic Schengen evaluation between December 2023 and February 2024.
Data protection in these systems depends on the actor: processing by police and judicial authorities falls under Directive (EU) 2016/680 (the Law Enforcement Directive), while processing by border, visa, and immigration authorities falls under the GDPR. AZOP supervises Croatian national authorities' use of these systems in both capacities.
Eurozone and Financial Data
Adoption of the euro eliminated the kuna as legal tender and brought Croatia fully within the ECB's monetary framework. Financial institutions operating in Croatia process payment data subject to both GDPR requirements and applicable EU financial regulations including PSD2, which has its own data sharing provisions.
EU AI Act Overlay
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies progressively across EU member states. As an EU member state, Croatia is subject to its provisions on the same timeline as all other members.
The AI Act introduces risk categories for AI systems. Prohibited AI practices (such as real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, outside narrowly defined exceptions) became applicable on 2 February 2025. High-risk AI systems used in employment decisions, credit scoring, law enforcement, education, and critical infrastructure are subject to conformity assessment and ongoing oversight requirements.
Croatia is developing national measures to designate a national competent authority for AI market surveillance. AZOP has already issued guidance on conducting Fundamental Rights Impact Assessments (FRIAs), which are required for certain high-risk AI deployments in the public sector.
AZOP and Germany's Federal Commissioner for Data Protection published a joint consultation on the protection of personal data used in LLM (large language model) training, signaling AZOP's intent to engage with generative AI data protection questions at the European level.
Organizations using AI systems in Croatia that process personal data must ensure GDPR compliance and AI Act conformity simultaneously. Where an AI system performs profiling, automated decision-making, or large-scale processing of special category data, both frameworks apply.
EU Data Act and Data Governance
The EU Data Act (Regulation (EU) 2023/2854) became applicable on 12 September 2025. It creates new rights and obligations around data generated by connected devices and data-sharing obligations for data holders.
Separately, Croatia enacted the Act on Implementation of the Data Governance Act (NN 126/2025, in force October 2025) to implement the EU Data Governance Act (Regulation (EU) 2022/868). These are two distinct EU instruments: the Data Governance Act governs data intermediation services and data altruism organizations, while the Data Act addresses data sharing from connected products and related services.
Both instruments interact with GDPR where data sharing involves personal data: neither overrides GDPR requirements, and organizations sharing data under Data Act or Data Governance Act obligations must satisfy applicable GDPR legal bases.
Penalties and Enforcement History
The GDPR's two-tier fine structure applies in Croatia. The lower tier (up to EUR 10 million or 2% of global annual turnover, whichever is higher) covers violations of obligations such as data security, breach notification, DPO requirements, and processor contracts. The upper tier (up to EUR 20 million or 4% of global turnover, whichever is higher) covers violations of processing principles, legal bases, data subject rights, and international transfer rules.
2025 Enforcement
AZOP imposed nearly EUR 7 million in fines in 2025, in at least 13 decisions, targeting telecommunications, banking, debt collection, insurance, and other sectors.
The telecom operator (EUR 4.5 million, November 2025) received the largest single GDPR fine issued in Croatia in 2025 for unlawful data transfers to Serbia, transparency failures, excessive employee data collection, and failure to verify processor security. The Serbian processor had unlimited administrative access to 847,862 user records.
Erste Bank (EUR 1.5 million, December 2025) was fined for processing personal data of 433,922 users through software embedded in Android and Huawei mobile banking applications without a valid legal basis. The software collected complete lists of all applications installed on users' devices. AZOP found the bank's privacy notices failed to mention the mobile app processing, effectively keeping users uninformed about a substantial and intrusive data collection practice.
The Croatian Insurance Bureau (EUR 101,000, February 2025) was fined after a USB stick containing data on over one million vehicle owners from the national Register of Registered Vehicles was submitted in an anonymous complaint. AZOP confirmed the data matched HUO's database and found failures in organizational and technical security measures and absence of defined data retention periods. The reduced fine reflects the statutory protection for legal entities performing public functions under Article 44 of the national implementing act.
2024 Enforcement
AZOP imposed a record EUR 10.5 million across 97 decisions in 2024, a significant escalation demonstrating consistent multi-year enforcement growth. This total reflects both large individual fines and a high volume of smaller enforcement actions across numerous sectors.
Earlier Significant Fines
EOS Matrix d.o.o. (EUR 5.47 million, October 2023) is the largest individual GDPR fine AZOP has imposed to date, surpassing all subsequent 2025 fines including the telecom case. The debt collection agency processed personal data of 181,641 individuals -- including non-debtors and minors -- without a legal basis under Article 6(1), recorded health data (including terminal illness notations) of debtors without satisfying Article 9(2), and failed to implement adequate technical security measures under Article 32. The investigation was triggered by an anonymous complaint accompanied by a USB stick. AZOP found violations of Articles 5, 6, 9, 12, 13 and 32 of the GDPR. The company indicated it would challenge the penalty.
B2 Kapital (EUR 2.26 million, May 2023) was, at the time, the first Croatian GDPR fine to exceed EUR 1 million. The debt collector processed OIB numbers and personal data of 77,317 individuals without authorization, lacked a data processing agreement with its processor, and had a privacy policy unchanged since the GDPR became applicable in May 2018.
An energy company received approximately EUR 120,000 for failing to honor a data subject's Article 15 request for access to video surveillance recordings.
A prize game organizer was fined for publishing OIB numbers and home addresses of winners on its public website without a valid legal basis.
Sector-Specific Observations
Telecommunications: The EUR 4.5 million fine demonstrates that telecom operators face heightened scrutiny on international data transfers and processor oversight.
Banking and financial services: The Erste Bank mobile app case shows AZOP's willingness to investigate consumer-facing digital products in detail. Third-party software components embedded in banking apps will be examined against GDPR transparency and legal basis requirements.
Debt collection: B2 Kapital established that debt collectors processing OIB numbers and financial data of large populations face material GDPR exposure. Anonymous complaints can be the trigger.
Insurance: HUO's fine demonstrates that even public-function entities face enforcement, though the special fining regime limits the maximum penalty to avoid disrupting essential services.
Energy: Video surveillance and data subject rights are documented enforcement areas in the energy sector.
Business Compliance: Practical Steps
Organizations active in Croatia should treat the 2024-2025 enforcement record as direct evidence of AZOP's priorities and capabilities.
Audit international data transfers immediately. The telecom fine showed that expired SCCs, absent Transfer Risk Assessments, and vague privacy notice language around international transfers will each attract separate findings. Map all data flows outside the EEA, confirm valid transfer mechanisms are in place, and verify they have not lapsed.
Examine third-party software components. The Erste Bank case focused on SDK-level data collection embedded in a banking app. Any mobile application, website plugin, or integrated service that may collect user data needs its own legal basis analysis and must be disclosed in app-specific privacy notices.
Protect OIB numbers as sensitive identifiers. Treat OIB numbers with the same controls you would apply to financial account numbers. Do not publish them, do not share them without legal basis, and review whether your processing of OIB numbers has a documented lawful purpose.
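A practitioner check for the OIB guidance above, and for the OIB section earlier in this guide, added here as an example; it is not code from AZOP, from any of the fined organizations, or from the original page. It scans free text such as export logs or ticket bodies for eleven-digit runs, keeps only those whose final digit satisfies the ISO 7064 MOD 11,10 check digit that the OIB carries (this page does not describe the algorithm), reports where each one sits, and masks it before the text leaves a controlled system. The log lines are constructed for the example.

```python
"""Detect and redact Croatian OIB numbers in free text (logs, exports, tickets).

Added example for this guide; not AZOP's or any vendor's code. The OIB check
digit follows ISO 7064 MOD 11,10; the sample log below is constructed.
"""
import re
from dataclasses import dataclass

# Eleven digits that are not part of a longer digit run (avoids matching
# substrings of longer numeric identifiers such as request IDs).
OIB_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")


def oib_check_digit(first_ten: str) -> int:
    """Return the ISO 7064 MOD 11,10 control digit for the first ten digits."""
    if len(first_ten) != 10 or not first_ten.isdigit():
        raise ValueError("expected exactly ten digits")
    a = 10
    for ch in first_ten:
        a = (a + int(ch)) % 10
        if a == 0:
            a = 10
        a = (a * 2) % 11
    control = 11 - a
    return 0 if control == 10 else control


def is_valid_oib(candidate: str) -> bool:
    """True if candidate is eleven digits whose last digit is the correct check digit."""
    return (
        len(candidate) == 11
        and candidate.isdigit()
        and oib_check_digit(candidate[:10]) == int(candidate[10])
    )


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned text
    column: int    # 0-based offset of the OIB within that line
    oib: str


def scan_for_oibs(text: str) -> list[Finding]:
    """Return every check-digit-valid OIB in text with its position."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in OIB_CANDIDATE.finditer(line):
            if is_valid_oib(m.group()):
                findings.append(Finding(line_no, m.start(), m.group()))
    return findings


def redact_oibs(text: str, keep_last: int = 2) -> str:
    """Mask valid OIBs, keeping the last `keep_last` digits so records stay correlatable."""
    def mask(m: re.Match) -> str:
        s = m.group()
        if not is_valid_oib(s):
            return s  # not an OIB: leave other eleven-digit numbers untouched
        return "*" * (11 - keep_last) + s[-keep_last:]
    return OIB_CANDIDATE.sub(mask, text)


# Constructed sample: row 1 carries a valid OIB, row 2 an eleven-digit number
# with a wrong check digit, row 3 a longer numeric ID that must not match.
SAMPLE_LOG = """2025-11-03T10:14:02Z INFO  export job=vehicles row=1 owner_oib=12345678903 plate=ZG1234AB
2025-11-03T10:14:02Z INFO  export job=vehicles row=2 owner_oib=12345678901 plate=ST5678CD
2025-11-03T10:14:03Z DEBUG request id=123456789012345 user=anon
"""

if __name__ == "__main__":
    for f in scan_for_oibs(SAMPLE_LOG):
        print(f"line {f.line_no} col {f.column}: OIB {f.oib}")
    print(redact_oibs(SAMPLE_LOG))
```

The check digit cuts false positives roughly tenfold but does not eliminate them: about one in ten random eleven-digit numbers passes, so treat a hit as a reason to inspect the surrounding field names, not as proof. Conversely, the regex only catches unformatted OIBs; an attacker or a careless export that inserts separators will slip past it, so this belongs alongside, not instead of, access controls on the systems that hold OIBs.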
Establish and document data retention schedules. Both the HUO insurance case and the B2 Kapital case involved failures to define maximum retention periods. A documented retention schedule with enforcement mechanisms is a baseline GDPR obligation.
Take DPO recommendations seriously. The telecom fine explicitly noted that the company ignored its DPO's advice. Documented DPO recommendations that go unheeded will be treated as an aggravating factor in enforcement proceedings.
Prepare for AI Act compliance. Organizations deploying AI systems that use personal data in Croatia must assess whether those systems are high-risk under the AI Act and conduct FRIAs where required. AZOP has signaled engagement with AI governance as a priority.
Update privacy notices comprehensively. Multiple 2025 enforcement cases involved privacy notices that were generic, outdated, or failed to address specific processing activities. App-specific notices, workforce processing notices, and international transfer disclosures all require regular review.
Anonymous complaints are a real enforcement trigger. AZOP has imposed some of its largest fines based on anonymous reports, including USB sticks submitted by anonymous parties. Organizations should not rely on the absence of identified complainants as protection from investigation.
Disclaimer: This article provides general legal information about Croatia's data protection framework and is not legal advice. Data protection laws and enforcement practices change frequently. Consult a qualified attorney licensed in Croatia for guidance specific to your situation.
Frequently Asked Questions
What is Croatia's data protection authority?
Croatia's sole data protection authority is AZOP (Agencija za zaštitu osobnih podataka), the Croatian Personal Data Protection Agency, based in Zagreb. AZOP was established in 2004 and holds full GDPR enforcement powers including the ability to conduct audits, issue orders, impose processing bans, and levy administrative fines. AZOP Director Zdravko Vukić was elected Deputy Chair of the European Data Protection Board in June 2024.
What is the largest GDPR fine ever imposed in Croatia?
The largest individual GDPR fine in Croatian history is EUR 5.47 million, imposed by AZOP in October 2023 against debt collection agency EOS Matrix d.o.o. Violations included processing personal data of 181,641 individuals (including non-debtors and minors) without a legal basis, recording health data without satisfying Article 9(2), and failing to implement adequate technical security measures. The largest fine issued in 2025 was EUR 4.5 million against an unnamed telecommunications operator for unlawful data transfers to a Serbian processor, transparency failures, and excessive employee data collection.
What special protections does Croatia give to the OIB personal identification number?
The OIB (Osobni identifikacijski broj) is an 11-digit universal identifier assigned to all Croatian citizens and residents. Because it is used across tax, healthcare, banking, and public administration, AZOP treats unauthorized OIB processing as a heightened risk. The agency has fined organizations for publishing OIB numbers without legal basis (such as on prize winner lists) and imposed a EUR 2.26 million fine against B2 Kapital for processing OIB data of 77,317 individuals without authorization. Organizations must have a documented legal basis for any OIB processing.
Does Croatia have a specific age of digital consent?
Yes. Croatia set the digital consent age at 16 years, adopting the GDPR's default threshold. Children under 16 cannot independently consent to information society services and require parental or guardian authorization. Croatia did not exercise the GDPR Article 8 option to lower the threshold to 13.
What transfer mechanisms are valid for sending data from Croatia to third countries?
The standard GDPR transfer mechanisms apply: adequacy decisions from the European Commission, Standard Contractual Clauses (SCCs), Binding Corporate Rules, certification mechanisms, or applicable Article 49 derogations. Serbia, the destination in the 2025 telecom fine, has no EU adequacy decision. Organizations using SCCs must ensure they remain in force, conduct Transfer Risk Assessments before transfers begin, and clearly disclose international transfers in privacy notices.
What does Croatia's national GDPR implementing act add beyond the GDPR itself?
The Act on Implementation of the General Data Protection Regulation (NN 42/2018) adds rules on employment data processing, restrictions on use of genetic data in life insurance, biometric data processing requirements, and detailed video surveillance obligations. It sets the digital consent age at 16 and includes a special fining regime for legal entities performing public functions, limiting fines to amounts that do not jeopardize essential public services.
How does Croatia's Schengen membership affect data protection?
Croatia joined Schengen on 1 January 2023. Schengen membership means Croatian authorities participate in shared EU data systems including SIS II (alerts on persons and objects), the Visa Information System, and the Entry/Exit System, which began phased operation on 12 October 2025. Processing by police and judicial authorities in these systems falls under Directive 2016/680 (the Law Enforcement Directive), while processing by border and visa authorities falls under the GDPR, with AZOP supervising Croatian authorities' compliance in both cases.
How does the EU AI Act interact with Croatian data protection law?
The EU AI Act applies directly in Croatia. Prohibited AI practices became applicable from 2 February 2025, and high-risk AI system requirements apply on a phased schedule. AZOP has issued guidance on Fundamental Rights Impact Assessments required for certain public-sector AI deployments and has co-published guidance with Germany's data protection commissioner on personal data use in LLM training. Organizations using AI systems that process personal data must satisfy both GDPR and AI Act requirements simultaneously.
Sources and References
- AZOP - National Legislation (azop.hr)
- AZOP - About the Agency (azop.hr)
- AZOP - EUR 4.5M Telecom Fine, November 2025 (azop.hr)
- AZOP - EUR 2.26M B2 Kapital Fine (azop.hr)
- AZOP - Zdravko Vukić Elected EDPB Deputy Chair (azop.hr)
- EDPB - B2 Kapital Fine Announcement (edpb.europa.eu)
- CMS Expert Guide - Croatia Data Protection (cms.law)
- OECD - Croatia OIB Documentation (oecd.org)
- Croatian Government - Schengen and Eurozone 2023 (vlada.gov.hr)
- IAPP - Croatian GDPR Implementation Law (iapp.org)
- GDPRhub - HUO Insurance Bureau Decision (gdprhub.eu)
- Lider Media - Erste Bank EUR 1.5M Fine (en.lider.media)
- AZOP - EUR 5.47M EOS Matrix Fine (azop.hr)
- EDPB - EOS Matrix Fine Announcement (edpb.europa.eu)