In Croatia, information notices relating to personal data processing are governed by the directly applicable rules set out in Art. 13 and 14 of the GDPR.
When collecting personal data, the data controller must provide the data subject with the information required by the above GDPR provisions, in a clear manner. Where the data are collected directly from the data subject, the information must be provided in advance or at the latest at the time of collection; where personal data are collected from a third party, it must be provided within a reasonable period of time and in any case within one month from the date of receipt. The information includes, among others:
- The type of personal data that will be collected
- Purposes of processing and legal basis for processing (e.g., controller’s legitimate interest in case of direct marketing)
- With whom the data subject’s personal data is shared
- How the personal data is collected and stored
- Whether the personal data is shared outside Croatia and the EU
- The period for which the personal data is being kept
- How and to what extent the data subject’s personal data is secured
- The data subject’s rights (including the right to object to direct marketing)
- How the data subject will be informed in case of change of circumstances regarding their collected personal data
- Ways to contact the data controller
When collecting personal information for the purpose of direct marketing, marketeers should, at the time of the collection or as soon as possible after the collection, inform the data subject that they have the right to access the file, name and address of the person responsible, to get information about the purpose of the processing, and to deny consent for the use of their personal data.
In Croatia, controllers in certain sectors may be required to inform sectoral regulators of any breach, pursuant to special regulations governing their operation. For example, pursuant to the ZEK, electronic communication operators must inform the Croatian Regulatory Authority for Network Industries of any breach of personal data regulations.