Data protection & privacy laws in Croatia (2026)

GDPR (Regulation 2016/679) has direct effect across Croatia; the national Act on the Implementation of the GDPR (Official Gazette No. 42/2018, in force 25 May 2018) fills Member-State derogations, regulates AZOP's composition and powers, and sets procedural rules for administrative-fine proceedings before AZOP and administrative courts.

AZOP (Agencija za zaštitu osobnih podataka) is Croatia's sole independent supervisory authority under Article 51 GDPR. Its Director Zdravko Vukić was elected Vice-Chair of the European Data Protection Board in 2024. AZOP is also designated as the national market-surveillance authority for the EU AI Act.

As of 2025 AZOP had issued 58 administrative fines totalling €9.1 million. A landmark €4.5 million fine was imposed on a telecommunications operator in November 2025 for unlawful cross-border data transfers, processing identity-document copies without legal basis, and inadequate processor oversight.

The 2018 implementation act includes tailored rules for biometric data of employees (permitted only with consent and with a non-biometric alternative), video surveillance, children's data, and statistical processing. These national derogations operate within the GDPR's Article 9 and 88 flexibilities.

All GDPR Chapter III rights (access, rectification, erasure, restriction, portability, objection, rights regarding automated decisions) are enforceable against Croatian controllers. AZOP publishes guidance and handles individual complaints as the competent supervisory authority.

Croatia transposed the NIS2 Directive via the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, Official Gazette No. 14/2024, February 2024). AZOP is actively preparing to supervise EU AI Act obligations, having run FRIA workshops and AI-risk webinars in mid-2025.