﻿I. GENERAL PROVISIONS
Subject of the Law
Article 1
(1) This Act ensures the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Text with EEA relevance) (OJ L 119, 4.5.2016) (hereinafter: the General Data Protection Regulation).
(2) This Act does not apply to the processing of personal data performed by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, including protection against threats to public security and their prevention, nor to national security and defense. .
Gender neutrality
Article 2
Terms used in this Act, which have a gender meaning, regardless of whether they are used in the masculine or feminine gender, encompass the masculine and feminine genders in the same way.
Terms
Article 3
(1) Terms in the sense of this Act have the same meaning as terms used in the General Regulation on Data Protection.
(2) "Public authorities" in the sense of this Act are: state administration bodies and other state bodies, units of local and regional self-government.
 
II. COMPETENT AUTHORITIES
Supervisory body
Article 4
(1) The supervisory body within the meaning of the provision of Article 51 of the General Regulation on Data Protection is the Agency for Personal Data Protection (hereinafter: the Agency).
(2) The Agency is an independent state body. The Agency is independent in its work and is accountable to the Croatian Parliament for its work.
(3) The seat of the Agency is in Zagreb.
Accreditation body
Article 5
National accreditation body designated in accordance with Regulation (EC) No Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 laying down requirements for accreditation and market surveillance as regards the placing on the market and repealing Regulation (EEC) No 2454/93 339/93 is the competent authority for the accreditation of certification bodies in accordance with Article 43 (1) of the General Data Protection Regulation.
Powers of the Agency
Article 6
(1) In addition to the powers established by the General Regulation on Data Protection, the Agency shall perform the following tasks:
- when prescribed by a special law, may initiate and have the right to participate in criminal, misdemeanor, administrative and other judicial and extrajudicial proceedings for violation of the General Regulation on Data Protection and this Act
- adopts the Criteria for determining the amount of compensation for administrative costs referred to in Article 43, paragraph 2 of this Act and the Criteria for determining the amount of compensation referred to in Article 43, paragraph 3 of this Act
- publishes individual decisions in accordance with Articles 18 and 48 of this Act on the Agency's website
- initiates and conducts appropriate proceedings against responsible persons for violation of the General Regulation on Data Protection and this Act
- performs the tasks of an independent supervisory body for monitoring the application of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions and on the free movement of such data and on the repeal of Council Framework Decision 2008/977 / JHA, unless otherwise provided by special regulations
- performs other tasks prescribed by law.
(2) If the Agency doubts the validity of the European Commission's implementing decision on adequacy and standard contractual clauses, it shall suspend the administrative procedure and refer the case to the High Administrative Court of the Republic of Croatia to resolve the administrative matter.
(3) In the procedure referred to in paragraph 2 of this Article, the High Administrative Court of the Republic of Croatia, if it considers that the decision of the European Commission is invalid, shall send a request for assessment of the validity of the decision to the Court of Justice.
(4) The Agency shall supervise the implementation of this Act.
 
III. PERSONAL DATA PROTECTION AGENCY
Agency management
Article 7
(1) The work of the Agency is managed by the Director (hereinafter: the Director).
(2) The director has a deputy.
(3) The Director and Deputy Director shall be appointed by the Croatian Parliament at the proposal of the Government of the Republic of Croatia, on the basis of a public call for nominations.
(4) The director and deputy director shall be appointed for a period of four years and may be appointed to this position no more than twice.
(5) The central state administration body responsible for the state administration system shall publish a public invitation for submission of candidacies for director and deputy director no later than six months before the expiration of the term of office of the director and deputy director, or no later than 30 days after termination of office. The central state administration body responsible for the state administration system submits the submitted candidacies to the Government of the Republic of Croatia, indicating the candidates who have submitted a timely and complete candidacy.
(6) The Government of the Republic of Croatia shall determine the proposal of the candidate for director or deputy director and send it to the Croatian Parliament.
(7)


In the event of termination of the director's term before the expiration of the term for which the director was appointed, the deputy director shall hold office until the appointment of the director in proceedings initiated in accordance with paragraph 5 of this Article, for a maximum of six months.
Criteria for installment payment and conditions for termination of installment payment of the administrative fine of the Agency for Personal Data Protection
Conditions for the appointment of the Director and Deputy Director
Article 8
(1) A person who meets the following conditions may be appointed director and deputy director:
- has Croatian citizenship and residence in the territory of the Republic of Croatia
- has completed undergraduate and graduate university study or integrated undergraduate and graduate university study or specialist undergraduate and graduate professional study
- has at least ten years of work experience in the profession
- is a prominent expert with a recognized professional reputation and professional knowledge and experience in the field of personal data protection
- has not been convicted and no criminal proceedings have been instituted against her for criminal offenses for which proceedings are initiated ex officio
- is not a member of a political party.
(2) The provisions of regulations governing the obligations and rights of state officials and regulations governing the prevention of conflicts of interest shall apply to the director and deputy director.
(3) The coefficient for calculating the salary of the director is 5.50.
(4) The coefficient for calculating the salary of the deputy director is 4.26.
Dismissal of the director and deputy director
Article 9
(1) The Croatian Parliament shall dismiss the director and deputy director before the expiration of the term for which he was elected:
- if he asks for it himself
- if circumstances arise due to which he no longer meets the conditions for selection
- if he has committed a serious breach of duty. It is considered that the director or deputy director has committed a serious breach of duty if he does not perform his duty in accordance with the law.
(2) The procedure for dismissal of the director and deputy director shall be initiated at the proposal of the Government of the Republic of Croatia.
Expert service
Article 10
(1) The Agency has a professional service.
(2) The provisions of regulations governing the rights and obligations of civil servants shall apply to employees in the professional service of the Agency.
(3) The manner of work, the manner of planning and performing activities, the internal organization and other issues important for the performance of the Agency's activities shall be regulated by the Rulebook on the work of the Agency issued by the Director.
(4) The Rules of Procedure of the Agency shall be confirmed by the Croatian Parliament. The Ordinance shall be published in the Official Gazette.
(5) The decree prescribing the principles for the internal organization of state administration bodies shall apply to the internal organization of the professional service of the Agency, in the part relating to state administrative organizations.
(6) The Director shall issue the Ordinance on Internal Order regulating the number of civil servants required to perform tasks with an indication of their basic tasks and duties and professional conditions required for their performance, their powers and responsibilities and other issues relevant to the Agency's work.
Article 11
The Director, Deputy Director and employees of the Agency may not perform the duties of a data protection officer for another controller or processor.
Article 12
(1) The Director, Deputy Director and employees of the Agency who perform supervision activities shall have an official identity card proving their official capacity, identity and authority.
(2) The form and content of the official identity card shall be determined by the Ordinance on work referred to in Article 10 of this Act.
Article 13
(1) The Director, Deputy Director and employees of the Agency are obliged to keep all personal and other confidential information they learn in the performance of their duties as a professional secret or as another appropriate type of secret, in accordance with the law governing data secrecy.
(2) The obligation referred to in paragraph 1 of this Article shall continue after the termination of the duties of the director, deputy director or after the termination of service in the Agency.
Cooperation with state administration bodies and other bodies
Article 14
Central state administration bodies and other state bodies are obliged to submit to the Agency draft draft laws and proposals for other regulations governing issues related to the processing of personal data for the purpose of providing expert opinions in the field of personal data protection.
Cooperation with supervisory authorities for data protection of other countries
Article 15
(1) Representatives of the visiting supervisory authority shall have the authority to conduct joint operations, including investigations and joint enforcement measures, in accordance with the provisions of this Act and the General Data Protection Regulation.
(2) By agreement between the Agency and the visiting supervisory authority, the Agency authorizes the representatives of the visiting supervisory authority to monitor and participate in the implementation of supervisory activities in accordance with Article 62 of the General Data Protection Regulation.
(3) The agreement referred to in paragraph 2 of this Article shall determine the investigative powers referred to in Article 58 (1) of the General Data Protection Regulation to be assigned to the visiting supervisory authority and the personal name and position of the guest supervisory authority participating in the joint operation. .
(4) When Representatives of the guest supervisory body participate in joint operations in the Republic of Croatia, the processing manager, processor and respondent and all other parties directly involved in the specific action must be informed before the start of the joint operation that representatives of the guest supervisory body also participate in the operation.
Funds for the work of the Agency
Article 16
Funds for the work of the Agency are provided in the state budget of the Republic of Croatia.
Annual work report
Article 17
(1) The Agency is obliged to submit an annual report on its work to the Croatian Parliament, no later than March 31 of the current year for the previous year. The annual report must contain:
- number of respondents' inquiries and number of complaints
- the number of decisions rendered upon the respondent's complaint and ex officio, including the number of supervisory activities carried out
- the number of reports received by the controller on the personal data breach referred to in Article 33 of the General Data Protection Regulation and on the supervisory activities carried out in connection with such reports
- number of previous consultations carried out in accordance with Article 36 of the General Data Protection Regulation
- number of code of conduct and certification procedures in accordance with Articles 40-43 of the General Data Protection Regulation
- the number of contractual clauses and provisions of administrative arrangements approved in accordance with Article 46 (3) of the General Data Protection Regulation
- the number and type of infringements found, warnings issued, official reprimands and administrative fines imposed and other types of measures taken pursuant to Article 58 (2) of the General Data Protection Regulation
- number and description of international agreements, laws and bylaws on which he has given an opinion in the field of personal data protection, with an indication of when the opinion was given at the request of the competent authority, and when ex officio
- description of activities within the European Data Protection Board and other umbrella organizations in the field of personal data protection
- description of activities of cooperation with state and other bodies in the Republic of Croatia
- description of awareness activities of individuals, processing managers, processing executors and other target groups
- analysis and assessment of the exercise of the right to protection of personal data.
(2) The annual report must also contain data on realized revenues and expenditures for the reporting period for which the report is submitted, as well as data on the number of employees and the structure of employees according to education.
(3) The annual report shall be published on the Agency's website.
Publication of opinions and decisions of the Agency
Article 18
(1) Decisions and opinions of the Agency relating to the types of processing which, taking into account the nature, scope, context and purpose of processing, may cause a high risk to the rights and freedoms of individuals shall be published on the Agency's website.
(2) The opinions and decisions referred to in paragraph 1 of this Article shall be anonymised or pseudonymized.
(3) As an exception to paragraph 2 of this Article, when the opinions and decisions of the Agency referred to in paragraph 1 of this Article relate to minors, the technique of anonymisation of information relating to them shall be applied to ensure a high level of protection of their privacy.
 
IV. PROCESSING OF PERSONAL DATA IN SPECIAL CASES
Child consent in relation to information society services
Article 19
(1) In the application of Article 6, paragraph 1, item (a) of the General Regulation on Data Protection, in relation to the provision of information society services directly to the child, the processing of personal data of a child is lawful if the child is at least 16 years old.
(2) The provision of paragraph 1 of this Article shall apply to a child whose residence is in the Republic of Croatia.
(3) Acting contrary to the provisions of this Article shall be considered a violation of Article 8 of the General Data Protection Regulation and shall be subject to sanctions in accordance with Article 83 of the General Data Protection Regulation.
Genetic data processing
Article 20
(1) The processing of genetic data for the purpose of calculating the appearance of the disease and other health aspects of the respondents within the activities for concluding or executing life insurance contracts and contracts with survival clauses is prohibited.
(2) With the consent of the respondent, the prohibition referred to in paragraph 1 of this Article may not be lifted.
(3) The provision of paragraph 1 of this Article shall apply to respondents who conclude life insurance contracts and contracts with experience clauses in the Republic of Croatia if the processing is performed by a processing manager established in the Republic of Croatia or who provides services in the Republic of Croatia.
(4) Acting contrary to the provisions of this Article shall be considered a violation of Article 9 of the General Data Protection Regulation and shall be subject to sanctions in accordance with Article 83, paragraph 5 of the General Data Protection Regulation.
Biometric data processing
Article 21
(1) The processing of biometric data in public authorities may be carried out only if it is determined by law and if it is necessary for the protection of persons, property, classified data or business secrets, taking into account that the interests of respondents contrary to biometric data processing do not prevail. from this article.
(2) The processing of biometric data shall be deemed to be in accordance with the law if it is necessary for the fulfillment of obligations from international agreements regarding the identification of an individual crossing the state border.
Article 22
(1) The processing of biometric data in the private sector may be carried out only if prescribed by law or if it is necessary for the protection of persons, property, classified data, business secrets or for individual and secure identification of service users, taking into account that the interests of respondents are contrary to the processing of biometric data referred to in this Article.
(2) The legal basis for the processing of biometric data of respondents for the purpose of secure identification of service users is the explicit consent of such respondent given in accordance with the provisions of the General Regulation on Data Protection.
Article 23
It is allowed to process employee biometric data for the purpose of recording working hours and for entering and leaving official premises, if prescribed by law or if such processing is carried out as an alternative to another solution for recording working hours or entering and leaving official premises, provided that the employee has given explicit consent to such processing of biometric data in accordance with the provisions of the General Data Protection Regulation.
Article 24
(1) The provisions of this Act on the processing of biometric data shall apply to respondents in the Republic of Croatia if the processing is carried out by:
- a processing manager established in the Republic of Croatia or who provides services in the Republic of Croatia
- a public authority.
(2) The provisions of this Act on the processing of biometric data do not affect the obligation to conduct an impact assessment in accordance with Article 35 of the General Regulation on Data Protection.
(3) The provisions of this Act on the processing of biometric data shall not apply to the field of defense, national security and security-intelligence system.
Processing of personal data via video surveillance
Article 25
(1) Video surveillance in the sense of the provisions of this Act refers to the collection and further processing of personal data which includes the creation of a recording which makes or is intended to form part of a storage system.
(2) Unless otherwise provided by another law, the provisions of this Act shall apply to the processing of personal data via the video surveillance system.
Article 26
(1) The processing of personal data through video surveillance may be carried out only for the purpose necessary and justified for the protection of persons and property, if the interests of the respondents who are in conflict with the processing of data through video surveillance do not prevail.
(2) Video surveillance may cover premises, parts of premises, the external surface of a building, as well as the internal space in public transport, and whose supervision is necessary in order to achieve the purpose referred to in paragraph 1 of this Article.
Article 27
(1) The processing manager or processor is obliged to indicate that the object or individual room in it and the outer surface of the object are under video surveillance, and the marking should be visible no later than when entering the perimeter of the recording.
(2) The notification referred to in paragraph 1 of this Article shall contain all relevant information in accordance with the provisions of Article 13 of the General Data Protection Regulation, and in particular a simple and easily understandable picture with the text providing the following information to respondents:
- that the space is under video surveillance
- data on the processing manager
- contact details through which the respondent can exercise his rights.
Article 28
(1) The right to access personal data collected through video surveillance has the responsible person of the controller or processor and / or a person authorized by him.
(2) Persons referred to in paragraph 1 of this Article may not use recordings from the video surveillance system contrary to the purpose determined in Article 26, paragraph 1 of this Act.
(3) The video surveillance system must be protected from access by unauthorized persons.
(4) The processing manager and the processing executor are obliged to establish an automated record system for recording access to video surveillance recordings, which will contain the time and place of access, as well as the designation of persons who accessed data collected through video surveillance.
(5) The competent state bodies shall have access to the data referred to in paragraph 1 of this Article within the scope of performing activities within their scope determined by law.
Article 29
Recordings obtained through video surveillance may be kept for a maximum of six months, unless another law prescribes a longer retention period or if the evidence is in court, administrative, arbitration or other equivalent proceedings.
Video surveillance of work rooms
Article 30
(1) The processing of personal data of employees through the video surveillance system may be carried out only if, in addition to the conditions established by this Act, the conditions established by regulations governing occupational safety are met and if employees have been duly notified in advance of such a measure. employees before making a decision on setting up a video surveillance system.
(2) Video surveillance of work rooms must not include rooms for rest, personal hygiene and changing.
Video surveillance of residential buildings
Article 31
(1) The establishment of video surveillance in residential or business-residential buildings requires the consent of the co-owners who make up at least 2/3 of the co-owners parts.
(2) Video surveillance may cover only access to entrances and exits from residential buildings and common rooms in residential buildings.
(3) It is prohibited to use video surveillance to monitor the work efficiency of janitors, cleaners and other persons working in a residential building.
Video surveillance of public areas
Article 32
(1) Monitoring of public areas through video surveillance is allowed only to public authorities, legal entities with public authorities and legal entities performing public service, only if prescribed by law, if necessary for the performance of tasks and tasks of public authorities or for the protection of life and human health of that property.
(2) The provisions of this Article shall not preclude the application of Article 35 of the General Data Protection Regulation to the systematic monitoring of a publicly accessible area to a large extent.
Processing of personal data for statistical purposes
Article 33
(1) Within the processing of personal data for the purpose of producing official statistics in accordance with special regulations in the field of official statistics, bodies producing official statistics are not obliged to provide respondents with the right to access personal data, the right to correct personal data, the right to limit personal data processing. the right to object to the processing of personal data, in order to ensure the conditions necessary to achieve the purpose of official statistics to the extent that such rights are likely to impede or seriously jeopardize the achievement of those purposes and where such derogations are essential to achieve those purposes. purpose.
(2) The bodies responsible for the production of official statistics shall apply technical and organizational measures for the protection of data collected for the purposes of official statistics.
(3) The heads of personal data processing during the transfer of personal data to the bodies responsible for official statistics shall not be obliged to inform the respondents about the transfer of personal data for statistical purposes.
(4) The processing of personal data for statistical purposes shall be deemed to correspond to the purpose for which the data were collected, provided that appropriate protective measures are taken.
(5) Personal data processed for statistical purposes must not enable the identification of the person to whom the data relate.
 
V. PROCEDURE WITHIN THE COMPETENCE OF THE AGENCY AND REMEDIES
Article 34
(1) Anyone who considers that a right guaranteed by this Act and the General Regulation on Data Protection has been violated may submit to the Agency a request for establishing a violation of the right.
(2) The Agency shall decide on the violation of rights by a decision.
(3) The decision of the Agency is an administrative act.
(4) An appeal against the decision of the Agency is not allowed, but an administrative dispute may be initiated before the competent administrative court.
Article 35
(1) If the decision orders the deletion or other irreversible removal of personal data, the dissatisfied party may request the competent administrative court to postpone the deletion or other irreversible removal of personal data if it proves that it would disproportionately collect personal data whose deletion or irreversible removal is requested.
(2) If the competent administrative court accepts the request referred to in paragraph 1 of this Article, the party ordered to delete or otherwise irreversibly remove personal data shall block any processing of disputed personal data, except for their storage, until a final court decision.
Implementation of control
Article 36
(1) Authorized officials of the Agency may independently, and in certain cases with the participation of representatives of the visiting supervisory body (hereinafter: authorized persons), conduct announced or unannounced supervision. The supervised person, ie the processing manager or the processing executor, will be informed about the implementation of unannounced supervision on the spot and at the time of the supervision.
(2) Prior to the commencement of the supervision referred to in paragraph 1 of this Article, the authorized persons shall present themselves by presenting an official identity card and a supervision order.
(3) If the implementation of supervision is expected to be obstructed by the provision of resistance, the Agency shall send a written request to the ministry competent for internal affairs to provide assistance in the implementation of these supervision activities.
(4) Based on the request of the Agency, the ministry competent for internal affairs shall, in accordance with special regulations, provide assistance in the implementation of the supervision referred to in paragraph 2 of this Article.
(5) The order for the implementation of supervision referred to in paragraph 1 of this Article shall be issued by the Director of the Agency.
Copies, sealing and temporary taking of storage systems and equipment
Article 37
(1) Authorized persons may, if necessary, make copies of available documents, copy all contents of the storage system and collect other relevant information.
(2) If for technical reasons it is not possible to make copies of the necessary documentation during the inspection, authorized persons shall, if necessary, confiscate the necessary storage systems and equipment containing other relevant information and keep it as long as necessary to make copies of that documentation. days from the date of seizure of the storage system and equipment.
(3) Authorized persons may seal storage systems or equipment during supervision and to the extent strictly necessary for control activities if there is a risk of destruction or alteration of evidence, and no later than 15 days from the date of sealing of the storage system or equipment.
(4) The authorized person shall compile an official note on copying, sealing and temporary taking of the storage system and equipment with all relevant information on the data or equipment covered by the action and hand over a copy to the supervised entity.
Suspicion of a crime
Article 38
If, during the supervision, information is found or cases are found that indicate the commission of a criminal offense for which he is prosecuted ex officio, the authorized persons will inform the competent police station or the state attorney as soon as possible.
Classified data
Article 39
(1) Any access, copying and any other processing of data classified with the established level of secrecy on the basis of a special regulation shall be carried out in accordance with the regulations governing the protection of data secrecy.
(2) Any access, copying and any other processing of data classified with the established level of secrecy on the basis of a special regulation shall be carried out by officials who have a valid certificate for access to classified data in accordance with regulations governing data protection.
Record of performed supervision
Article 40
(1) A report shall be drawn up on the performed supervision. The minutes shall contain in particular:
1. place and date of supervision
2. an indication of whether supervision was announced or unannounced
3. personal names and signatures of authorized persons who participated in the supervision and representatives of the supervised person
4. a description of the course and content of each action taken during the inspection and the statements made
5. list of documents and other items used, copied, sealed and / or temporarily seized during the supervisory activity
6. instruction on the right to file objections to the minutes.
(2) If the record referred to in paragraph 1 of this Article is drawn up directly at the place of supervision, the supervised person may file objections to the record which the authorized person shall enter in it.
(3) If the record referred to in paragraph 1 of this Article is drawn up after the implementation of supervision, it shall be delivered to the supervised person.
(4) The supervised person has the right to submit remarks in writing on the minutes referred to in paragraphs 2 and 3 of this Article within 15 days from the day of its receipt. Within 15 days from the day of receipt of the objections, the supervised person shall be provided with a written response on the acceptance or non-acceptance of the objections.
(5) If the supervised person does not submit objections to the minutes within the time limit referred to in paragraph 4 of this Article, it shall be deemed that there are no objections to them.
Representation of respondents
Article 41
The respondent has the right to authorize a non-profit body, organization or association established in accordance with the law, whose statute states the objectives of public interest and is active in the field of protection of the rights and freedoms of the respondent with regard to the protection of his personal data. name and to exercise on his behalf the rights referred to in Articles 77, 78 and 79 of the General Data Protection Regulation and the right to compensation referred to in Article 82 of the General Data Protection Regulation.
Giving expert opinions
Article 42
(1) At the written request of a natural or legal person, the Agency shall issue an expert opinion in the field of personal data protection, no later than 30 days from the day of submitting the request, depending on the complexity of the request.
(2) If it is necessary to include other bodies in the country or abroad when giving an expert opinion for the purpose of obtaining data or information relevant to the expert opinion, the deadline for giving an opinion referred to in paragraph 1 of this Article may be extended by another 30 days.
Fee for acting on request
Article 43
(1) The performance of the tasks of the Agency shall be carried out free of charge in relation to the respondents, personal data protection officers, journalists and public authorities.
(2) The Agency shall charge a reasonable fee on the basis of administrative costs or refuse to act upon the request if the requests of the respondents are obviously unfounded or excessive, and especially due to their frequency.
(3) The Agency shall charge a fee for giving opinions to business entities (law firms, consultants, etc.) requested by business entities for the purpose of performing their regular activities or providing services.
(4) The criteria for determining the amount of the fee referred to in paragraphs 2 and 3 of this Article shall be determined by the Agency. The criteria are published in the Official Gazette and on the Agency's website.
(5) The amount of compensation referred to in paragraphs 2 and 3 of this Article shall be paid to the benefit of the state budget.
 
VI. IMPOSITION OF AN ADMINISTRATIVE FINE
Article 44
(1) The Agency shall impose administrative fines for violations of the provisions of this Act and the General Regulation on Data Protection, in accordance with Article 83 of the General Regulation on Data Protection.
(2) If an administrative fine is imposed against a legal person with public authority or against a legal person performing public service, the imposed administrative fine may not jeopardize the exercise of such public authority or public service.
Article 45
(1) Administrative fines shall be imposed by a decision.
(2) The decision referred to in paragraph 1 of this Article shall determine the amount and manner of payment ate administrative fines. The decision may stipulate that the administrative fine shall be paid in installments.
(3) Where, pursuant to Article 83 of the General Regulation, administrative fines are imposed in addition to the measures referred to in Article 58 (2) (a) to (h) and point (j) of the General Regulation, the decision on the administrative fine shall be taken. upon the finality of the decision imposing the measure.
(4) No appeal shall be allowed against the decision referred to in paragraph 1 of this Article, but an administrative dispute may be initiated before the competent administrative court.
(5) The criteria for installment payment and conditions for termination of installment payment of an administrative fine shall be determined by the Agency according to the amount of the administrative fine. The criteria shall be published in the Official Gazette and on the Agency's website.
Criteria for installment payment and conditions for termination of installment payment of the administrative fine of the Agency for Personal Data Protection
Article 46
(1) An administrative fine shall be paid within 15 days from the day the decision by which it was pronounced becomes final.
(2) If the party fails to pay the administrative fine within the prescribed period, ie upon the due date if the installment payment is approved, the Agency shall notify the Regional Office of the Tax Administration of the Ministry of Finance in whose territory the party or seat of the party to which the administrative fine was imposed. administrative fines by force according to the regulations on forced tax collection.
(3) Administrative fines shall be paid in favor of the state budget.
(4) As an exception to paragraph 2 of this Article, no interest shall be charged on a due but unpaid administrative fine.
Exclusion of the application of administrative fines to public authorities
Article 47
Without prejudice to the exercise of the Agency's powers under Article 58 of the General Data Protection Regulation, no administrative fine may be imposed on a public authority for infringements of this Act or the General Data Protection Regulation in proceedings against a public authority.
Article 48
A final decision shall be published on the Agency's website without anonymising the data on the perpetrator, if this decision violates this Act or the General Regulation on Data Protection in connection with the processing of personal data of minors, special categories of personal data, automated individual decision making, profiling, if the violation was committed by the controller or processor who had already violated the provisions of this Act or the General Regulation on Data Protection or if a decision on an administrative fine in the amount of at least HRK 100,000.00 was made in connection with the decision.
Statute of limitations for the execution of an administrative fine
Article 49
(1) The provisions of the general law prescribing the tax procedure shall apply to the limitation period for the right to collection of an administrative fine.
(2) The limitation period shall begin to run from the day the decision becomes final.
(3) During the installment payment of the administrative fine, the limitation period shall not run.
 
VII. MISDEMEANOR PROVISIONS
Article 50
(1) A fine for a misdemeanor in the amount of HRK 5,000.00 to 50,000.00 shall be imposed on:
- a person performing the duty of the Director and Deputy Director of the Agency if he discloses to an unauthorized person confidential information that he learned in the performance of his duty, in accordance with Article 13 of this Act
- an official of the Agency who discloses to an unauthorized person confidential information which he / she has learned in the course of performing the duties of the job, in accordance with Article 13 of this Act.
(2) The authorized prosecutor for the misdemeanor referred to in this Article is the State Attorney.
 
VIII. ADMINISTRATIVE FINES
Article 51
An administrative fine in the amount of up to HRK 50,000.00 shall be imposed on:
- processing manager and processing executor who do not mark the facility, premises, parts of the premises and the external surface of the facility in the manner prescribed by Article 27 of this Act
- the processing manager and the processing executor who do not establish an automated record system for recording access to video surveillance recordings, in accordance with Article 28, paragraph 4 of this Act
- persons referred to in Article 28, paragraph 1 of this Act who use recordings from the video surveillance system contrary to Article 28, paragraph 2 of this Act.
 
IX. TRANSITIONAL AND FINAL PROVISIONS
Article 52
(1) On the day this Act enters into force:
- Agency for Personal Data Protection established by the Personal Data Protection Act (Official Gazette 103/03, 118/06, 41/08, 130/11 and 106/12) - consolidated text; text: Agency for Personal Data Protection) as a legal entity with public authority, becomes a state body and continues to operate under the same name
- The Agency, as the legal successor of the Agency for Personal Data Protection, takes over its affairs, archives and other documentation, funds for work, financial resources, rights and obligations, as well as employees
- employees of the Personal Data Protection Agency become civil servants or employees.
(2) Until the enactment of the Rulebook on Internal Order referred to in Article 54 of this Act and the assignment to positions in accordance with the regulations on civil servants, employees of the Personal Data Protection Agency shall continue to perform their duties on the day this Act enters into force. working one with.
Article 53
(1) Within eight days from the day this Act enters into force, the central state administration body responsible for the state administration system shall initiate the procedure of appointing the director and deputy director.
(2) A person caught on the duty of the Director of the Personal Data Protection Agency on the day this Act enters into force shall continue to perform the duty of the Director until the appointment of the Director of the Agency in accordance with this Act.
Article 54
(1) The Director is obliged to submit the Rules of Procedure of the Agency to the Croatian Parliament for confirmation within 60 days from the day of appointment.
(2) The director is obliged to adopt the Ordinance on internal order within 30 days from the day of entry into force of the Ordinance referred to in paragraph 1 of this Article.
(3) Until the entry into force of the Rules of Procedure of the Agency, the Statute of the Agency for Personal Data Protection shall apply.
Article 55
Proceedings initiated before the entry into force of this Act shall continue and be completed in accordance with the provisions of the Personal Data Protection Act (Official Gazette 103/03, 118/06, 41/08, 130/11 and 106 / 12. - consolidated text).
Termination of regulations
Article 56
With the entry into force of this Act, the Personal Data Protection Act (Official Gazette 103/03, 118/06, 41/08, 130/11 and 106/12 - consolidated text) shall cease to be valid. on the manner of keeping and form of records on personal data collections (Official Gazette 105/04) and the Decree on the manner of storage and special technical protection measures for special categories of personal data (Official Gazette 139/04) .
Entry into force
Article 57
This Act shall be published in the Official Gazette and shall enter into force on 25 May 2018.
Class: 022-03 / 18-01 / 55
Zagreb, 27 April 2018
CROATIAN PARLIAMENT
 
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)