THE CROATIAN PARLIAMENT

Based on Article 88 of the Constitution of the Republic of Croatia, I issue the

DECISION

ON PASSING THE LAW ON PERSONAL DATA PROTECTION

I pronounce the Law on Personal Data Protection, passed by the Croatian Sabor at its session of 12th June 2003.

Nr.

Zagreb, 18th June 2003.

The President

of the Republic of Croatia

Stjepan Mesic

LAW

ON THE PROTECTION OF PERSONAL DATA

I. GENERAL PROVISIONS

Article 1

This Law refers to the protection of personal data of natural persons, as well as the surveillance over collecting, processing and using personal data in the Republic of Croatia.

The purpose of personal data protection is the protection of private life and other human rights, as well as fundamental freedoms in collecting, processing and using personal data.

Every natural person in the Republic of Croatia is entitled to personal data protection, regardless of his/her citizenship and place of residence, race, skin color, sex, language, religion, political or other beliefs, national or social origin, property, birth, education, social status or other properties.

Article 2

Certain definitions employed in this Law have the following meanings:

  1. personal information refers to any information relating to an identified or identifiable natural person (hereinafter: data subject). An identifiable person is one who can be identified directly or indirectly, particularly by reference to one or more factors specific to his/her physical, psychological, intellectual, economic, cultural or social identity.
  2. personal data processing refers to any operation or set of operations performed upon personal data, whether automatically or not, such as collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment and combination, blocking, erasure or destruction, as well as performing logical, mathematical or other operations on this information.
  3. collection of personal data refers to any collection of personal data available according to special criteria, whether centralized, decentralized or diffused on functional or geographic grounds, regardless of whether it is stored in computer databases or operated with the assistance of other technical utilities or manually.
  4. personal data collection operator/controller refers to a natural person or legal entity, state or another body establishing the purpose and manner of data collection processing.
  5. user refers to a natural person or legal entity, state or another body who may be granted access to personal data for the purpose of performing his regular duties prescribed by law.
  6. data subject’s consent refers to the consent for his personal data to be processed for a specific purpose, given of his/her free will.

Specific actions or groups of actions covered by the term personal data processing from paragraph 2 of this Article may be separated and cited in specific provisions of this Law when these provisions do not refer to the entire processing in the sense stated in paragraph 2, but to precisely determined specific actions in processing.

Article 3

The provisions of this Law shall be applied to personal data processing by state bodies, bodies of local and regional self-governance, as well as natural persons and legal entities processing personal data.

The provisions of this Law shall not be applied to personal data processing performed by natural persons exclusively for personal use or for the needs of the household.

Article 4

The provisions of this Law refer to all personal data collections, regardless of whether they are being processed automatically or manually.

II. PERSONAL DATA PROCESSING

Article 5

The controller may process personal data according to the provisions of this Law and other applicable laws only.

Article 6

Personal data may be collected for a purpose disclosed to the data subject, which is clearly stated and in accordance with the law, and may be further processed only for the purpose for which they were collected, that is, a purpose in conformity with the purpose of collection. Further processing of personal data for historical, statistical or scientific purposes shall not be considered a different purpose, on the condition that appropriate protection has been provided.

Personal data must be important for accomplishing the established purpose and must not be collected in a scope larger than is required for the purpose for which those data are stored.

Personal data must be accurate, complete and kept up-to-date.

Personal data must be preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which they are collected and further processed. Suitable measures of protection of personal data which are stored for a longer period for historical, statistical or scientific purposes shall be provided by separate laws.

The data controller is responsible for acting in accordance with the provisions of this Article.

Article 7

Personal data shall be collected and processed with:

-the data subject’s consent

-in cases as prescribed by law.

If personal data have been collected and processed with the data subject’s consent, personal data may be collected and processed only for the purpose for which the data subject gave his specific consent.

Personal data shall be collected and processed without the data subject’s consent for the purposes of:

-performing the data collector’s obligations provided by law, or

-protection of the life and bodily integrity of the data subject or another person if the data subject cannot provide his consent either physically or legally, or

-if data protection is necessary to perform tasks executed in the public interest or in performing the data collector’s public authorizations, or

-if the data subject published the data by himself.

In cases from paragraph 1, subparagraph 1, and paragraph 3, subparagraph 4 of this Article, the data subject may withdraw previously given consent and request termination of further processing of his data, unless the data are being processed for statistical purposes when personal data can no longer be used to identify the person they refer to.

Personal data referring to juvenile persons may be collected and processed in accordance with this Law, with special measures of protection prescribed by separate laws.

III. PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Article 8

Collecting and processing personal data referring to racial or ethnic origin, political opinion, religious or other belief, trade union affiliation, health or sexual life and personal data on criminal and minor offence conviction is forbidden.

Exceptionally, data from paragraph 1 of this Article shall be collected and processed in the following cases:

-in cases from Article 7 paragraph 1, subparagraph 1 and Article 3 paragraph 1, 2 and 4 of this Law, or

-if processing is performed within the scope of activities of an institution, society or any other non-profit body with a political, religious or any other purpose, provided that the processing refers to their members only and that data shall not be revealed to third parties without the data subject’s consent.

In the case from paragraph 2 of this Article, data processing must be specifically marked and protected.

The Government shall make a provision on the manner of storing data and specific measures of technical protection of data from paragraph 2 of this Article, after consulting the Agency.

Article 9

Before collecting any personal data, the controller or processor shall inform the data subject of the identity of the controller, the purpose of processing the data, the users or categories of users, whether the provision of data is voluntary or obligatory, and the possible consequences of refusing to provide data. In case of obligatory provision of data there is a legal basis for processing personal data.

Before giving personal data to other users, the controller shall inform the data subject thereof.

Exceptionally, information from paragraphs 1 and 2 of this Article is given to the data subject regardless of whether the personal data are collected directly from the data subject or from other sources.

Exceptionally, information from paragraphs 1 and 2 of this Article does not have to be given to the data subject if personal data are given for use or collected from existing collections of personal data for purposes of statistical processing or purposes of historical or scientific research, or if processing of personal data is explicitly determined by law.

IV. ASSIGNMENT OF PERSONAL DATA PROCESSING

Article 10

The controller can, on the basis of a contract, assign particular tasks with regard to the processing of personal data within its scope of action to another natural person or legal entity (hereinafter: processor).

Tasks related to the processing of personal data can be assigned only to a processor who is registered for conducting such activities and who ensures sufficient guarantees with regard to achieving appropriate measures for the protection of personal data.

The contract mentioned in paragraph 1 of this Article determines the mutual rights and obligations of the controller and the processor, and the processor is particularly bound to:

-perform tasks only on the basis of instruction by controller,

-not give personal data to other users, or process them for any purpose other than agreed,

-ensure implementation of appropriate technical, organizational and personnel measures to protect personal data in accordance with provisions of this Law.

V. GIVING DATA TO USERS

Article 11

The controller shall give personal data to other users on the basis of a user’s written request if it is necessary for the performance of duties within the framework of the user’s legally determined profession.

The written request shall contain the purpose and legal basis for the use of personal data, and the kind of personal data that are requested.

It is forbidden to give other users personal data which they are not authorized to process or use under the provisions of Article 7 and Article 8 paragraph 2 of this Law, and if the purpose for which personal data are requested is contrary to the provisions of Article 6 paragraphs 1 and 2 of this Law.

Personal data processed for scientific-research purposes must not enable identification of the data subject.

In the case from paragraph 1 of this Article, the controller maintains a separate record of the personal data that are given for use, the user of the personal data and the purpose for which the personal data are given.

Article 12

Personal data can be used only for the time period which is necessary to achieve a particular purpose, unless a longer time period has been determined by a separate law.

After the time specified in paragraph 1 of this Article, personal data must be erased, unless something else is determined by a separate law.

The provisions of this Law on giving personal data to other users refer to the exchange of personal data among state entities as well, unless determined otherwise by a separate law.

VI. TRANSFER OF PERSONAL DATA FROM THE REPUBLIC OF CROATIA

Article 13

Collections of personal data, i.e. personal data contained in collections of personal data, can be transferred from the Republic of Croatia for further processing only if the state or international organization to which the personal data are being transferred has appropriately developed protection of personal data, i.e. has secured an adequate level of protection.

Before the transfer of personal data from the Republic of Croatia, the controller shall, where there is doubt about the existence of appropriately developed protection of personal data, ask for an opinion of the Committee for protection of personal data.

VII. COLLECTIONS OF PERSONAL DATA, RECORDS AND THE CENTRAL REGISTRAR

Article 14

The controller maintains and keeps records that contain detailed information on the collection of personal data that he keeps, especially as follows:

  1. the name of collection,
  2. the name, i.e. personal name of controller and his residence, i.e. address,
  3. the purpose of processing,
  4. the legal basis of establishment of collection of data,
  5. the categories of persons whose data are contained in the collection,
  6. the types of data contained in collection of data,
  7. the ways of collecting and storing data,
  8. the time period of keeping and use of data,
  9. the personal name, i.e. name of the collection user, his address, i.e. seat,
  10. the indicator of transfer of data into, or out of the Republic of Croatia with the indicator of the state, or international organization and the international user of personal data, and purposes for that transfer into, or out of the country which is determined by international contract, law or other regulation, i.e. by a written consent of data subject,
  11. the indicator of measures taken to protect personal data.

Article 15

The manner of keeping records from Article 14 of this Law and the form of these records are determined by a Government bylaw, with the prior opinion of the Committee for protection of personal data.

Article 16

The records from Article 14 of this Law are submitted to the Committee for personal data protection and are unified in the Central registrar, which is led by the Committee for personal data protection.

Records on collections of personal data that are kept by the competent state entities within the activities of processing personal data for state security, defense and suppression of events that are determined by the Strategy of national security of the Republic of Croatia as a security risk (corruption, organized crime, terrorism) do not have to be unified in the Central registrar.

Article 17

Controllers shall, before establishing a collection of personal data, submit to the Committee for personal data protection a notification of the intended establishment of the collection of personal data along with the data from Article 14 of this Law, and also of every further intended processing of such data, before starting any processing activities.

The obligation to submit prior notification to the Committee for personal data protection, determined in paragraph 1 of this Article, does not refer to the establishment of collections of personal data in cases where a special law determines the purpose of processing, the data or categories of data that are being processed, the category or categories of data subjects, the users or categories of users to whom data will be known, and the time period for which data will be stored.

In the case of paragraph 2 of this Article, controllers shall submit information on the establishment of collections of personal data, as well as on data changes in a collection of personal data, to the Committee for personal data protection no later than 15 days after the day of establishment or change.

Records from the Central registrar are available to the public.

The Committee for personal data protection shall publish in “Narodne novine” or in some other appropriate manner, records from the Central registrar.

Article 18

Personal data in collections of personal data must be appropriately protected from accidental or intended misuse, destruction, loss, unauthorized changes or access.

The controller and the user shall take the technical, personnel and organizational measures for protection of personal data that are necessary to protect personal data from accidental loss or destruction and from unauthorized access, unauthorized change, unauthorized publishing and any other misuse, and shall determine the obligation of persons who are engaged in data processing to safeguard the data.

VIII. DATA SUBJECTS’ RIGHTS AND PROTECTION OF RIGHTS

Article 19

The controller shall, no later than 30 days after the request is submitted, upon the request of every data subject, i.e. upon the request of his legal representative or proxies:

  1. deliver a confirmation on whether personal data concerning him are being processed or not,
  2. give an understandable notification about data concerning him that are being processed and about the source of such data,
  3. provide insight into records of collection of personal data and insight into personal data contained in the collection of personal data that concern him, and provide re-writing of data,
  4. deliver extractions, certificates or printouts of personal data contained in collection of personal data which pertain to him, and which shall contain the purpose and legal basis of collection, processing, and use of such data,
  5. deliver records of data about who and for what purposes and on what legal foundation got the permission to use personal data pertaining to him,
  6. give notice on the logic of any automatic processing of data pertaining to him.

Article 20

The controller shall, upon the request of the data subject, i.e. of his legal representatives or proxies, add, change or delete personal data if the data are incomplete, incorrect, or not up-to-date, and if their processing is not in accordance with the provisions of this Law.

Independently of the data subject’s request, if the controller determines that personal data are incomplete, incorrect or not up-to-date, he shall amend or change them himself.

The controller shall inform the person to whom the personal data relate and the users of the personal data of the performed addition, change or deletion of personal data within 30 days at the latest.

Article 21

The data subject has the right to oppose the processing of personal data for the purposes of marketing, and in that case personal data concerning him shall not be processed for those purposes.

The controller shall inform the data subject in advance of the intended processing of personal data for marketing purposes and of his right to oppose such processing.

Article 22

Expenditure arising from Articles 19, 20 and 21 of this Law shall be paid for by the controller, unless stipulated otherwise by a separate law.

Article 23

Obligations and rights stipulated in the provisions of Articles 9 and 19 of this Law can be limited in such a way and under such conditions as are determined by special laws if it is necessary for the protection of state security; defense; public security; for the prevention, investigation, discovery and prosecution of criminal offenders or violation of ethical rules for certain professions; for the protection of important economic or financial interests of the state, cultural goods and for the protection of data subjects or the rights and freedoms of others, within the scope which is necessary for the achievement of the purposes for which the limitation is determined.

Obligations and rights determined by the provisions of Articles 19 and 20 of this Law can be limited by special laws if personal data are being processed exclusively for the purpose of scientific research or if they are collected exclusively for the purpose of determining statistics and are archived for a longer period of time exclusively for statistical use.

Article 24

Anyone who considers that a right guaranteed by this Law has been violated can file a request for determination of violation of rights to the Committee for personal data protection.