Data & Privacy · Croatia
Data protection & GDPR compliance in Croatia (2026)
Croatia shaded by its data & privacy status
Data protection in Croatia: comprehensive law, under EU General Data Protection Regulation (GDPR, Regulation 2016/679) directly applicable; national implementation via Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka, Official Gazette No. 42/2018); supervisory authority: Agencija za zaštitu osobnih podataka (AZOP).
Croatia applies GDPR directly as an EU member state, supplemented by its 2018 national implementation act that establishes AZOP as the sole independent supervisory authority and sets out procedural rules, sector-specific carve-outs, and administrative-fine procedures. AZOP is an active enforcer, by 2025 it had issued 58 administrative fines totalling €9.1 million, placing Croatia among the EU's top-ten sanctioning authorities in 2023, and it imposed a record €4.5 million fine on a telecom operator in November 2025. The agency is also designated to supervise compliance with the EU AI Act under Article 70 thereof.
GDPR & data protection in Croatia
In Croatia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Personal Data Protection Agency (AZOP).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Personal Data Protection Agency (AZOP)
- Applies to
- any organisation processing the personal data of people in Croatia, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Croatia supplements it with a national data-protection act and its own supervisory authority.
GDPR in Croatia: FAQ
Yes. As an EU/EEA member, Croatia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Personal Data Protection Agency (AZOP).
The Personal Data Protection Agency (AZOP).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
GDPR (Regulation 2016/679) has direct effect across Croatia; the national Act on the Implementation of the GDPR (Official Gazette No. 42/2018, in force 25 May 2018) fills Member-State derogations, regulates AZOP's composition and powers, and sets procedural rules for administrative-fine proceedings before AZOP and administrative courts.
AZOP (Agencija za zaštitu osobnih podataka) is Croatia's sole independent supervisory authority under Article 51 GDPR. Its Director Zdravko Vukić was elected Vice-Chair of the European Data Protection Board in 2024. AZOP is also designated as the national market-surveillance authority for the EU AI Act.
As of 2025 AZOP had issued 58 administrative fines totalling €9.1 million. A landmark €4.5 million fine was imposed on a telecommunications operator in November 2025 for unlawful cross-border data transfers, processing identity-document copies without legal basis, and inadequate processor oversight.
The 2018 implementation act includes tailored rules for biometric data of employees (permitted only with consent and with a non-biometric alternative), video surveillance, children's data, and statistical processing. These national derogations operate within the GDPR's Article 9 and 88 flexibilities.
All GDPR Chapter III rights (access, rectification, erasure, restriction, portability, objection, rights regarding automated decisions) are enforceable against Croatian controllers. AZOP publishes guidance and handles individual complaints as the competent supervisory authority.
Croatia transposed the NIS2 Directive via the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, Official Gazette No. 14/2024, February 2024). AZOP is actively preparing to supervise EU AI Act obligations, having run FRIA workshops and AI-risk webinars in mid-2025.
Timeline - major decisions & events
AZOP launched the EDPB's 2026 Coordinated Enforcement Framework action, requiring higher-education data controllers to complete a mandatory questionnaire on GDPR compliance, AI systems, and Articles 12–14 transparency obligations by 15 July 2026. The exercise marks Croatia's integration into EU-wide supervisory priorities and signals an upcoming focus on AI governance.
DataGuidance ↗AZOP imposed Croatia's largest 2025 fine on telecoms operator Telemach for transferring personal data to a Serbian processor without a valid transfer instrument or risk assessment, processing employee identity documents without legal basis, and failing to consult its DPO — the first major Croatian enforcement action targeting third-country data transfers.
AZOP ↗An anonymous complaint led AZOP to confirm that a USB stick containing data on over one million vehicle owners from the national Register of Registered Vehicles originated from the Croatian Insurance Bureau's database; AZOP found failures in technical and organisational security measures and the absence of defined data retention periods.
CMS Law Now ↗The Croatian DPA concluded 97 enforcement decisions in 2024 totalling €10.5 million, establishing Croatia as one of the most active GDPR enforcers among newer EU member states and signalling a structural shift toward high-volume, multi-sector supervision.
CMS GDPR Enforcement Tracker ↗Debt-collection agency EOS Matrix d.o.o. was fined for processing data of 181,641 individuals — including non-debtors and minors — without legal basis, unlawfully recording health data under Article 9 GDPR, and failing to implement adequate technical security measures; the fine set a national record and prompted scrutiny of debt-collection sector practices across the region.
DataGuidance ↗AZOP found that a sports betting company collected copies of 2,078 players' bank cards — with full card data visible on 655 copies — as a purported AML measure, without a valid legal basis; the decision reinforced that GDPR data-minimisation requirements apply even where anti-money-laundering obligations exist.
AZOP ↗Croatia adopted a revised Electronic Communications Act implementing the EU ePrivacy Directive framework, requiring prior informed consent for cookies and imposing fines up to €132,720 for breaches of confidentiality, cookie consent, and electronic direct-marketing rules — closing a significant gap in the GDPR-era framework.
CMS Expert Guide ↗Croatia enacted the Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka, NN 42/2018), setting national supplementing rules for employment data processing, genetic and biometric data, and video surveillance — replacing the 2003 Personal Data Protection Act and repositioning AZOP as the Article 51 supervisory authority.
AZOP ↗Upon EU accession, the full data protection acquis including Directive 95/46/EC became directly applicable in Croatia; AZOP formally joined the EU network of data protection authorities, and cross-border enforcement cooperation and consistency obligations took effect immediately.
Hunton Andrews Kurth Privacy Blog ↗The Croatian Personal Data Protection Agency (AZOP — Agencija za zaštitu osobnih podataka) was established under the 2003 Act as the independent supervisory authority for personal data protection, modelled on Directive 95/46/EC's requirement for an independent national DPA.
AZOP ↗Croatia - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →