The EU General Data Protection Regulation (GDPR), which entered into force on May 25 2016, was enacted to harmonise the legal framework protecting the personal data of EU citizens by introducing stronger individual rights and powerful protections against data breaches. After a two-year transitional period, on May 25 2018 the GDPR will directly apply in 28 EU member states.

Although by definition EU resolutions directly apply across the European Union, member states must adjust local laws to implement the GDPR. Further, the resolution left room for member states to decide on national approaches to certain issues. The GDPR calls for member states' active participation in preparing for its application, which is one of the reasons for the long transition period. Another reason is the preparatory work regarding personal data protection to be undertaken by relevant stakeholders in order to comply with the resolution. This preparatory work is even greater considering that the territorial scope of the GDPR is expanded to every EU citizen, thereby bringing overseas businesses under its scope.

Preparatory work undertaken

With less than 100 days until its application, Croatian authorities, legislative and supervisory, are involved in preparatory work.

Following the meeting on the application of the GDPR held on December 6 2017 in Brussels, where member states reported on their preparatory work for the application of the GDPR and national approaches for specific GDPR articles, Croatian representatives publicly reported that:

  • an intergovernmental group (made up of ministries, the Personal Data Protection Agency and academics) was set up to examine the necessary changes and that this group had finished its work; and
  • a new law would be submitted to Parliament by the end of January 2018.(1)

A draft of a law relating to personal data protection was not submitted to Parliament until February 8 2018.

The Croatian Personal Data Protection Agency – set up in 2003 under the Personal Data Protection Act as an independent supervisory authority – will remain the national supervisory authority under the regulation. In 2017 the agency began actively engaging in promoting awareness of the GDPR. Its activities intensified in the second half of 2017, when it organised numerous educational programmes aimed at public authorities, the private sector and the general public. The head of the agency has repeatedly confirmed that the agency is undertaking extensive reorganisation efforts, including acquiring staff and financial resources in order to meet the obligations and exercise its powers under the GDPR.

Administrative fines

One of the issues that Croatia must address before the May 2018 implementation date is administrative fines.

Penalties under the GDPR – specifically, the administrative fines that may be imposed for any infringement of the regulation – are the centrepiece of stakeholders' interests due to the substantial fines that may be imposed.

Undertakings in breach of the GDPR can be fined up to 4% of their annual global turnover or €20 million for the most serious infringements. The second tier of fines, applicable for the less serious infringements, is up to 2% of an entity's annual global turnover or €10 million.

Although it has so far been focused on its advisory and educational role, the Personal Data Protection Agency has the power to impose administrative fines for personal data protection breaches under the existing legal framework. To implement the GDPR fully, Croatian legislation must set additional procedural requirements on the enforcement procedure to be followed by the agency.

Another important issue is that the resolution enables each member state to lay down the rules on whether, and to what extent, administrative fines may be imposed on its public authorities and bodies. The Croatian legislature should therefore address the issue, considering both normal functioning of public authorities and their compliance with applicable personal data protection requirements.


The European Commission's January 24 2018 communication shows that only two member states, Austria and Germany, have adopted the required national legislation.(2) Others, Croatia included, are at different stages of the process. To meet the May 2018 deadline, Croatia should promptly address its national approach to open issues. Croatian stakeholders are aware of the new rules concerning personal data treatment to a satisfactory level.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.

For further information on this topic please contact Jelena Zjacic or Miran Macešic at Macešic & Partners by telephone (+385 51 215 010) or email ( or The Macešic & Partners website can be accessed at