Personal Data

According to Art. 4 (1) of the GDPR, personal data is information relating to an identified or identifiable natural person. Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, etc.


Special Category of personal data

According to Art. 9 of the GDPR special category data includes:

  • personal data revealing racial or ethnic origin,
  • personal data revealing political opinions, religious or philosophical beliefs, or trade union membership,
  • genetic data,
  • biometric data,
  • data concerning health,
  • data concerning a natural person’s sex life or sexual orientation.

The processing of this type of data is prohibited unless one of the conditions in Art. 9 (2) applies:

  • processing is necessary for the protection of human life, where the data subject is unable to give their consent because of a legal incapacity or physical impossibility;
  • processing is carried out by an association or any other non-profit-seeking religious, philosophical, political or trade union body, under certain conditions;
  • processing relates to personal data that the data subject has made public;
  • processing is necessary for the establishment, exercise or defence of a legal claim;
  • processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare or treatment, or for the management of healthcare services and carried out by a member of a medical profession, or by any other person who, due to their functions, is bound by a duty of confidentiality;
  • statistical processing is carried out by the National Institute of Statistics and Economic Studies (INSEE) or one of the statistical services of Ministries;
  • processing is necessary for medical research according to the Data Protection Act.

Pursuant to the AIGDPR, the processing of genetic data for the purpose of medical diagnosis in relation to life insurance contracts or similar is prohibited (including on the basis of consent).

Biometric data may be processed if it is prescribed by law or if necessary for the protection of persons, property, classified information, business secrets or for individual and secure identification of service users, and this processing is not overridden by the data subjects’ interests.

The biometric data of employees may be processed for the purpose of recording working hours and for entry into/exit from the business premises, if such processing is prescribed by the law or is carried out as an alternative solution for recording working hours or entry into/exit from the business premises, under the condition that the employee has provided explicit consent.

In either case, a data protection impact assessment is likely to be required. The restriction on biometrics does not apply in matters of defence, national security and the security-intelligence system.

Furthermore, the AIGDPR contains special provisions concerning video surveillance.


Art. 4 (11) of the GDPR states that “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.


Children’s age

In Croatia, the age limit will remain at 16 for valid consent from a child in relation to online services. This restriction only applies to a child with permanent residence in Croatia.