Protection of personal data

When is processing of personal data legal?

Learn when personal data processing is legal 

Processing shall be lawful only if and to the extent that at least one of the following is fulfilled:
  • if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The Regulation establishes, inter alia, that the voluntary condition is not met where the data subject does not have a genuine or free choice or is unable to refuse or withdraw consent without consequences (e.g. consent is given to include the consumer in a loyalty scheme, while in the vast majority of labour law relationships it is impossible to use consent as the legal basis for processing workers' data).
  • processing is necessary for the performance of the contract to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of the contract (e.g. processing of data of the job seeker to call for testing, processing of data of the insured person for the performance of the insurance contract or processing of data of workers in the work of maintenance of installations to send to the field)
  • processing is necessary to comply with the legal obligations of the controller (e.g. sending data on employees of the Croatian Health Insurance Fund or the Croatian Pension Insurance Fund or sending data of parties by a notary public to the tax Administration in accordance with special regulations)
  • processing is necessary to protect the vital interests of the data subject or another natural person; processing is necessary for the performance of a task in the public interest or in the exercise of official authority by the controller (e.g. disclosure by the competent authorities of one parent's data to another to support the child)
  • processing is necessary for the legitimate interests of the controller or a third party, except where those interests outweigh the interests or fundamental rights and freedoms of data subjects who require the protection of personal data, especially if the data subject is a child. (e.g. legitimate interest of the owner of the property to set up a video surveillance system to protect its assets).