Personal data—personal data protection

Your personal data has to be processed lawfully, fairly and in a transparent manner

Personal data means any information relating to an identified or identifiable natural person; i.e. which can identify a person (directly or indirectly) by reference to an identifier such as name and surname, an identification number (PIN (OIB)), home address, data on education, workplace, bank account, loan debt, location data, online identifiers, etc.

Collection and processing

Your personal data may be collected for the purposes you have been made aware of, which is explicit, specific and lawful and may not be further processed in a way which is not in line with these purposes. Each set of personal data such as, for example, human resources records in a company, represents a filing system, and the data controller (company, bank, school, etc.) is responsible for lawful processing of such personal data.  

Personal data may be collected and processed when:

• You have given your consent to the processing of data for one or more specific purposes 
• Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which the controller is subject
• Processing is necessary in order to protect your vital interests or interests of another natural person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular if these are interests or fundamental rights and freedoms of a child.

Rights and protection

Under the General Data Protection Regulation you are entitled to:

• Be informed about the processing of your data—who is processing them and using, for what purpose and on what legal ground
• Exercise your right of access to your personal data 
• Request rectification and erasure of your personal data 
• Request restriction of processing of your personal data from the data controller
• Exercise your right to data portability (to receive the data pertaining to you and the right to transmit it to another controller)
• Object to processing of your personal data
• Request not to be subject to a decision based solely on automated processing of personal data, including profiling.

Special categories of personal data

(so-called “sensitive data”) means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

These data may be collected and processed provided that: 

• You have given your explicit consent to the processing of those personal data for one or more specified purposes
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of your rights in the field of employment and social security and social protection law 
• Processing is necessary to protect your vital interests or of vital interests of another natural person where you are physically or legally incapable of giving consent 
• Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without your consent         
• Processing relates to personal data which are manifestly made public by you 
• Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity 
• Processing is necessary for reasons of substantial public interest
• Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services,
• Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
• Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

To seek protection of your rights, you can contact the data controller processing your data.

If you believe that the data controller has breached your right to personal data protection by processing your personal data, you can contact the Croatian Personal Data Protection Agency.

You can exercise your right to receive compensation from the controller for the damage suffered before the court of general jurisdiction.