Terms of Use and Privacy Policy

The General Terms and Conditions regulate the use of the portal, whereas personal data are collected and processed for the performance of tasks carried out in the public interest or in the exercise of official authority, as well as for compliance with legal obligations in accordance with laws or other regulations.

By activating and using the system, Users confirm that they are familiar with the General Terms and Conditions, that they have understood them and that they explicitly agree to them. The General Terms and Conditions and the Privacy Policy shall be published on the system website e-Citizens.
 
By agreeing to the General Terms and Conditions, the Users agree to use the systems, electronic services, and other corresponding components connected with the national information infrastructure, exclusively in accordance with their original and legitimate purpose, in a manner that does not endanger, restrict, or prevent third party operations or use.

Any question or objection regarding the e-services or contents delivered to the User Inbox shall be directed to the specific e-service provider in accordance with the terms of the relevant e-service.
 
We collect and process personal data for the following purposes:
- processing of personal data in order to enable use of the National Identification and Authentication System (NIAS) and digital credentials
- processing of personal data in order to provide e-services
- processing of personal data in order to answer questions
 
The collection and processing of personal data are lawful pursuant to:
- Article 6(1)(c): processing is necessary for compliance with legal obligations
- Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
 
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

These General Terms and Conditions and the Privacy Policy shall apply from 02 August 2021.

Personal Data Protection - Virtual Assistant

1. General Provisions

This notice applies to the processing of personal data via the AI virtual assistant available on the gov.hr website.
The virtual assistant is intended to provide citizens (hereinafter: users) with general information available on the gov.hr portal (e‑Citizens).
The virtual assistant is not an official channel for submitting applications, reports, complaints, or other formal requests to the Ministry of Justice, Public Administration and Digital Transformation or via the gov.hr portal. The responses provided by the system are for informational purposes only and do not constitute an official, legally binding position, official legal advice, an individual decision, or a substitute for official communication with the Ministry of Justice, Public Administration and Digital Transformation, other competent ministries, or live agents in the gov.hr contact service.
The system is not intended for processing users’ personal data, and its use does not require entering personal data. Users are advised not to enter personal data, special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, etc.), or other data not necessary for submitting a general informational query.
If a user voluntarily enters personal data in a query, such data may be temporarily processed only to the extent necessary to provide a response, ensure the technical functioning of the system, and maintain system security.
The system is designed so that the processing of personal data, if it occurs, is minimized to the greatest extent possible.
 
2. Data Controller
Ministry of Justice, Public Administration and Digital Transformation
Ulica grada Vukovara 49
10000 Zagreb
For questions regarding the collection and processing of personal data via the e‑Citizens system or to exercise your rights, you may contact:
  • Ministry of Justice, Public Administration and Digital Transformation, Ulica grada Vukovara 49, 10000 Zagreb
  • Data Protection Officer:
    Email: zastitaosobnihpodataka@pravosudje.hr
 
3. Purpose of Processing
Personal data may be processed for the following purposes:
  1. Enabling the operation of the virtual assistant to provide general information about content available on gov.hr
  2. Responding to user queries within the system’s informational function
  3. Ensuring the technical functioning, availability, integrity, resilience, and security of the system, including maintaining necessary technical logs, preventing misuse, detecting technical errors, and protecting the information system
  4. Improving the quality and reliability of the service, strictly without using user queries to train AI models
Data is not used for user profiling or for automated decision-making that produces legal effects or similarly significantly affects users.
 
4. Legal Basis
The processing of personal data is based on the performance of a task carried out in the public interest and the exercise of official authority of the controller, in accordance with Article 6(1)(e) of the General Data Protection Regulation (GDPR).
Regarding technical functioning, security, availability, integrity, and resilience of the system, processing is also based on Article 6(1)(e) GDPR, ensuring the reliable operation of a publicly available information service within the scope of the gov.hr portal.
If specific legal obligations apply to certain security or technical processing, the legal basis may also be Article 6(1)(c) GDPR.
Consent is not used as a legal basis, and legitimate interest is not used as a legal basis for processing.
 
5. Types of Data
The following data may be processed:
  • Content of user queries
  • Technical data related to system use (e.g. IP address, logs, session identifier, timestamp, and other technical data required for functioning and security)
  • Personal data voluntarily provided by the user
The virtual assistant is not intended to process special categories of personal data under Article 9 GDPR (e.g. political opinions, political activity, candidacy, party membership, health data, or other sensitive data).
If such data is entered, it is processed only to the extent necessary for responding, system functioning, and security, and efforts are made to prevent or minimize storage and further processing.
 
6. Location and Technical Processing
The primary infrastructure is located within the Fina data center.
To generate responses, user queries are processed via an external AI service provider solely for that purpose.
User queries are not used to train AI models.
The Ministry contractually and practically defines the roles of parties involved in processing (including processors, sub-processors, support providers, and the AI provider).
If a party processes personal data on behalf of the Ministry, the relationship is governed in accordance with Article 28 GDPR.
 
7. Data Retention
Conversation records are stored for up to 90 days.
Exceptionally, some records may be retained longer (up to 2 years) if necessary for security analysis, misuse prevention, detection of technical irregularities, or protection of legal interests.
Data processed by the external AI provider may be temporarily retained for up to 90 days under its policies.
Personal data not necessary for the purposes listed above is not retained longer than required and may be limited, deleted, masked, anonymized, or pseudonymized where technically feasible.
 
8. Access to Data
Access may be granted to:
  • Authorized employees of the Ministry within their responsibilities
  • Technical processors for maintenance, support, and secure system operation
  • External AI service provider to the extent necessary to generate responses
Access is limited according to the principle of least privilege.
 
9. Data Transfers to Third Countries
Data may be transferred outside the EU/EEA.
Such transfers occur only if GDPR conditions are met (e.g. adequacy decisions, standard contractual clauses, or other safeguards under Article 46 GDPR).
Before transferring, checks are conducted regarding:
  • Actual processing location
  • Access by providers/sub-processors
  • Whether data is used for provider’s own purposes
  • Whether used for model training
  • Retention periods
  • Applied safeguards
If transfer occurs, appropriate safeguards and assessments are implemented.
 
10. Security and Data Minimization
The Ministry applies data protection by design and by default principles.
Measures may include:
  • Clear notice not to input personal data
  • Data filtering, masking, or removal where feasible
  • Limited logging
  • Short retention periods
  • Access restrictions
  • Encryption of data transmission
  • Administrative interface controls
  • Regular security testing
  • Oversight of processors/sub-processors
  • Incident documentation
  • Procedures for data subject rights
  • Prohibition of using queries for AI training
 
11. Automated Decision-Making and AI Transparency
The virtual assistant does not make decisions producing legal effects.
It only provides general information from public sources and does not issue official decisions or legal advice.
Users are clearly informed they are interacting with an AI system.
The Ministry ensures compliance with AI regulations, particularly regarding transparency and user awareness.
 
12. Data Protection Impact Assessment
Before deployment, a Data Protection Impact Assessment (DPIA) is conducted considering:
  • Use of new technology
  • Public accessibility with free text input
  • Potential accidental input of personal/sensitive data
  • Use of external AI providers
  • Public service context
If high risk remains, prior consultation with the Data Protection Agency will be conducted (Article 36 GDPR).
 
13. Data Subject Rights
Due to system design, exercising certain rights may be limited if users cannot be reliably identified.
Users have the right to:
  • Access personal data
  • Rectify inaccurate or incomplete data
  • Erase data (if conditions are met)
  • Restrict processing
  • Object to processing
Requests can be sent to: zastitaosobnihpodataka@pravosudje.hr
The controller will respond without undue delay, within 30 days.
Users may also lodge a complaint with the supervisory authority:
Croatian Personal Data Protection Agency
Ul. Metela Ožegovića 16
10000 Zagreb
Republic of Croatia
Email: azop@azop.hr