skip to content

Data Protection Laws and Freedom of Expression Report: Croatia File:Flag of Croatia.svg




I. First-Generation Statutory Law

Croatia did not adopt a data protection law during the first-generation period.


II. Second-Generation Statutory Law

The Croatian Parliament adopted the Act on Personal Data Protection (DPA) on 12th June 2003, which inter alia implemented the Data Protection Directive 95/46.

Special Expression Derogation
No specific provision was adopted.

Broad Expression Derogation
No specific provision was adopted.

Personal Exemption
he law did not apply to processing by natural persons exclusively for personal or private purposes (art. 3).

Knowledge Facilitation Framework
It was stated that processing for scientific research or statistical purposes must not allow for the identification of persons to whom the data relates i.e. should be pseudonymous (art. 11(4)).  The processing of personal data for historical, statistical or scientific purposes was not considered to be incompatible, provided that appropriate protection measures were in place (art. 6(1)).  Storage for a longer period than would otherwise be acceptable was also permitted if used only for statistical purposes.  An exemption was provided from the reactive transparency rule (subject access) for scientific research and statistical purposes where a special act so provided (art. 23(2)) and from the indirect transparency rule for statistical purposes or the purposes of historical or scientific research where the processing had been explicitly determined by law (art. 9(4)).  No exemption was provided from the subject access, sensitive data or control provisions.

Parliamentary Debates
The Legislation Committee discussed various comments to the Data Protection Act in 2003.  Committee rejected a derogation for processing for journalistic purposes as unnecessary and conflicting with the protection of personal data. It was argued that the derogation was also in conflict with the constitutional provisions protecting individuals against a use of their personal data for any other purpose than what the respective data have been collected for.[1]

Debating data protection in 2008, the competent Legislative Committee warned that media outlets frequently violated the right to privacy, especially of children and in connection with leaked data. It was suggested that more stringent protections should be introduced. The main concern was thereby the leaking and the publishing of such leaked data.[2]


III.Third-Generation Statutory Law

The Croatian Parliament implemented the GDPR with the Implementing Act of the General Data Protection Regulation on 9 May 2018.

Special Expression Derogation
Croatia has not established any explicit derogation in favour of journalism or other special expression purposes within its Implementing Act.

Broad Expression Derogation
No specific provision adopted.

Personal Exemption – see GDPR, art. 2(2)(c)

Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Art. 33 provides exemptions for official statistics from the right to access personal data, the right to rectification of personal data and the right to object to the processing of personal data to the extent that these rights impede or seriously jeopardise the achievement of this purpose and where such derogations are strictly necessary to achieve it. This provision also provides for an exclusion of the incompatibility principle and absolves those transferring such data from informing data subjects of this.

Parliamentary and Legislative Debates
There were no parliamentary or legislative debates with regard to the relationship between freedom of expression and data protection. Solely in relation to data used for statistical purposes, MP Anka Mrak-Taritas (VOICE) commented without elaborating that ‘here we have to be careful’.[3]


[1] See Archiva 4. Saziva Hrvatskoga sabora (Archives of the 4th convocation of the Croatian Parliament),

[2] See IZVJEŠĆE O RADU AGENCIJE ZA ZAŠTITU OSOBNIH PODATAKA ZA 2008.GODINU (Report of the Work of the Data Protection Agency for 2008) (9th July 2009) (last accessed 26 November 2020).