Legal and regulatory framework

Government approach

How can the government’s attitude and approach to internet issues best be described?

The beginnings of the internet in Croatia date back to 1991 when CARNet was established and undertook numerous activities in order to connect Croatian scientists with those all over the globe.

Since the very beginning, the government has shown high awareness of the importance and the role of the internet in relation to all aspects of information exchange, communication and business, and continues to do so.


What legislation governs business on the internet?

E-commerce is generally regulated by the Electronic Commerce Act (which has been fully aligned with EU legislation in Directive 2000/31/EC on Electronic Commerce), the Electronic Money Act, the Trade Act and the Civil Obligations Act.

However, this form of doing business is also subject to many other legal provisions, such as those contained in:

  • the Consumer Protection Act;
  • the Companies Act;
  • the Act on the Implementation of Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;
  • the Prohibited Advertising Act;
  • Payment System Act;
  • the Act on the Implementation of the General Data Protection Regulation, the Customs Act;
  • the Value Added Tax Act; and
  • the Criminal Code etc.
Regulatory bodies

Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?

There is no single regulatory body responsible for the entire regulation of e-commerce, but various competent bodies, such as the Ministry of Economy, Entrepreneurship and Crafts as well as the Ministry of Finance, perform that role.

The issues of personal data protection are supervised by the Croatian Personal Data Protection Agency, while the Croatian Regulatory Authority for Network Industries (HAKOM) is the regulatory body responsible for internet access tariffs and charges.


What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?

The Croatian legislation differentiates the manner in which the applicable law is defined for business-to-business and business-to-customer contracts.

Business-to-business contracts are primarily governed by the law mutually agreed by the parties, in the absence of which the contract will be subject to the law closely connected to the contract. Generally, this will be the legal order spatially connected with the service provider as the party performing an obligation.

Business-to-customer contracts may also be governed by the applicable law agreed upon by the parties but regardless of the chosen law, a consumer with usual residence in Croatia, cannot be deprived of the protection provided under the provisions of the Consumer Protection Act and other regulations protecting consumers. In lack of chosen law, business-to-customer contracts will be governed by the law of the state in which the consumer has usual residence.

Establishing a business

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

The establishment of digital businesses in Croatia is regulated by the Electronic Commerce Act and Companies Act.

Croatian legislation does not distinguish the requirements and procedures for the establishment of digital businesses from those governing the establishment of brick-and-mortar businesses, apart that the digital business has to be registered for the performance of the business activity - services of information society - in the court register.

Contracting on the internet

Contract formation

Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?

All contracts can be concluded electronically, except those whose electronic conclusion is explicitly excluded by law (eg, marital contracts, life-maintenance and life-care contracts, donation agreements and agreements on transfer of property rights, etc).

The contract is deemed concluded the moment the offeror (merchant) receives the offer acceptance statement by the offeree. The offer and acceptance are deemed received once the person to whom they are addressed can access them.

The obligation of providing access to and acceptance of the offer cannot be excluded when concluding contracts with consumers. The consumer must be able to read and review the entire contract and be informed of the terms and conditions as well as be informed of the terms and the manner of payment, if applicable. Instructions to consumers have to be clear and provided in easily comprehensible language.

A ‘click-wrap’ contract governed by Croatian law is enforceable as any other contract based on an authentic document (invoice or a similar document). If the debtor claims that the contract was not concluded, the burden of proving conclusion and validity of the contract lies with the creditor.

Applicable laws

Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?

Contracting on the internet is generally regulated by the Electronic Commerce Act, the Civil Obligations Act and the Consumer Protection Act.

In the case of business-to-customer contracts, the Electronic Commerce Act prescribes the obligation of the information society to confirm the receipt of the email containing the offer or the acceptance of the offer to conclude the contract, while in the case of business-to-business contracts this is prescribed only as a possibility.

In relation to business-to-customer contracts, the Consumer Protection Act prescribes a number of obligations of the information society service provider that have to be fulfilled in the case of the conclusion of a distance contract.

Electronic signatures

How does the law recognise or define digital or e-signatures?

In accordance with Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC and the Act on the Implementation of Regulation (EU) No. 910/2014, an e-signature is defined as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

In order for the advanced electronic signature to be equated to a handwritten signature it needs to meet the following requirements:

  • it is uniquely linked to the signatory;
  • it is capable of identifying the signatory;
  • it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
  • it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Data retention

Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?

There are no data retention or software legacy requirements regarding the validity of formation of electronic contracts; however, in accordance with the provisions of the Electronic Commerce Act, the provisions of the contract must be available so as to enable their saving, reuse and reproduction.


Are any special remedies available for the breach of electronic contracts?

The consequences of a breach of an electronic contract are generally subject to the rules of contractual obligations.

The Consumer Protection Act entitles the consumer to unilateral termination of the contract, without stating any reasons, with a 14-day notice period starting as of the moment the possession of the subject matter of the contract was handed over, while, in case of concluding a contract related to a digital subject matter (which has not been delivered on a physical medium), the 14-day notice period starts as of the day of concluding the contract.

The Electronic Commerce Act, in case of violation of the rights warranted in relation to conclusion or performance of an electronic contract, provides for court protection in the form of a claim or application for an interim measure of prohibitions, as well as the conduct of inspection supervision.


Security measures

What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?

The Electronic Communications Act prescribes the technical and organisational measures that operators of public communications services and networks have to undertake to safeguard security of the electronic communications network and services.

The measures have to ensure that only authorised persons can have access to personal data for legally allowed purposes and for the data to be protected against destruction, loss, unlawful storage, processing and access. The implementation of the mentioned measures is supervised by the HAKOM and the Croatian Personal Data Protection Agency with regard to the application of the provisions on personal data protection.

As to the safety of electronic payment transactions, the Payment System Act prescribes that the payment service provider is obliged to have adequate security measures in place to protect the confidentiality and integrity of payment service users’ personalised security credentials and to apply strong customer authentication through a remote channel.

Encryption of the data is not mandatory but it is one of the measures employed by the companies or intrusion prevention system.

Government intervention and certification authorities

As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?

The explicit obligation to disclose private keys for encrypted communications is not prescribed by law; however, in case of reasonable doubt that the data contains evidence of a criminal offence or has to be confiscated in accordance with law, the state attorney has the right to request for the data to be handed over in their complete original and comprehensible form under the threat of a fine of up to HRK50,000 and imprisonment of up to one month.

The Financial Agency (FINA) is the qualified trust service provider in Croatia. FINA performs digital certificate issuing services in accordance with the Electronic Signature Act and Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market. The rights and obligations and the manner of providing certification services are prescribed by FINA’s general rules on providing certification services and FINA’s total liability for certificates issued and for transactions performed on the basis of trusting such certificates amounts up to HRK3.5 billion.

Electronic payments

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Generally, in Croatia, there are no explicit regulations on the use of electronic payment systems but only on the provision of electronic payment services.

The restriction to access the internet may be imposed on a perpetrator of a criminal offence via the internet, if a risk of repeating the criminal offence by abuse of the internet exists.

Are there any rules or restrictions on the use of digital currencies?

At the moment, there are no laws regulating the use of cryptocurrency in Croatia, which will change once the EU’s Fifth Anti-Money Laundering Directive is transposed into national legislation.

Domain names

Registration procedures

What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?

One free of charge .hr domain can be registered by Croatian natural persons, legal entities established according to Croatian law as well as by natural persons who perform a registered independent business activity in the Republic of Croatia.

A paid .hr domain can be registered by legal entities having their seat in one of the EU member states and non-EU legal entities which have a registered representative office, branch office or another permanent form of organisation in Croatia. There is no limit to the number of registrations of the paid Domains.


Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?

Except the rights naturally vested in the domain name (ie, the exclusive right to use the domain under registered name), the domain name does not confer any additional rights.

Trademark ownership

Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?

The trademark registration provides the holder of registration with special protection in the field of domain names.

CARNet must not allow the domain user false representation or usurpation of the identity of a third party, nor may it be identical or misleadingly similar to a registered name or trademark that the user is not entitled to use and has no legitimate interest to.

CARNet is obliged to deny the registration or disable the use of such domains, and the person who believes that the name of the domain is identical or to a large extent similar to a certain name on which it has a trademark, is entitled to initiate arbitration proceedings in accordance with the provision of the arbitration rules contained in the Ordinance on the Organisation and Management of the National Top-Level Domain.

Dispute resolution

How are domain name disputes resolved in your jurisdiction?

Disputes on the right to use a certain domain within the top-level domain are resolved in accordance with the arbitration rules contained in the Ordinance on the Organisation and Management of the National Top-Level Domain.

When the violation of a third-party right is established, the user of the domain which is the subject-matter of the dispute will be deprived of the right to use this domain.



What rules govern advertising on the internet?

Advertising on the internet is governed by the legislation regulating product and service advertising in general.

There are also some self-regulating acts containing practicable guidelines applicable to online marketing.


How is online advertising defined? Could online editorial content be caught by the rules governing advertising?

Regardless of the medium, advertising is defined as any announcement in any form, given by anybody in the field of their profession or business, which is focused on advertising with the intention of enhancing the sale of a product or service.

Pursuant to the Media Act, an advertisement is defined as paid information the publication of which is ordered by a legal or natural person with the intention to promote turnover, attract business partners or create a good reputation or a good name in the public. An advertisement may not be such as to create an impression with the viewers, listeners or readers that it is about the programme contents of the media.

Misleading advertising

Are there rules against misleading online advertising?

Misleading advertising is explicitly prohibited by the provisions of the Inadmissible Advertising Act, regardless of the media through which such advertising is performed.

The Consumer Protection Act also prohibits misleading advertising, and defined such activities as misleading business practice.

The law envisages the possibility for the persons bearing a justified interest to initiate court proceedings against the natural or legal person acting on the market within the framework of its activity due to doubt of unfair business practice.


Are there any products or services that may not be advertised on the internet?

Special legislation and subordinate legislation prohibit advertising certain products. Among others, it is prohibited to advertise tobacco products, prescription drugs and drugs which have not been approved on the market of the Republic of Croatia, narcotics and new psychoactive substances and their manufacturing, prescription-only veterinary and medicinal products, weapons and ammunition, pyrotechnics, alcohol and alcoholic drinks except the advertising of beer and wine with protected designation of origin or protected geographical indication, fruit wines etc.

Hosting liability

What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?

If advertising regulations are violated, primarily content providers are liable.

Internet service providers (ISPs) will not be considered liable for the content of a sent email that has been submitted to them or its sending provided that:

  • they did not initiate the transmission;
  • they did not choose the data or documents that are being transmitted;
  • they did not exclude or change the data contained in the message or document; and
  • they did not choose the transmission user.

In matters governed by the Media Act, exclusively the advertiser is responsible for the content of advertising messages in electronic publications.

Financial services


Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?

Each financial service is regulated by the specific act or bylaw which prescribe detailed conditions for providing such service (ie, Payment System Act, Electronic Money Act and Leasing Act, etc). Online advertising and online sale of financial services to consumers is additionally regulated by the Consumers Protection Act.

The supervisory and regulatory bodies in the domain of financial services are the Croatian National Bank (HNB) and Croatian Financial Services Supervisory Agency (HANFA). The HNB is the supervisory body for:

  • credit institutions;
  • credit unions;
  • payment services institutions; and
  • electronic money.

HANFA is the supervisory body for:

  • the capital market;
  • takeover of joint-stock companies;
  • pension funds;
  • insurance market;
  • leasing; and
  • factoring.


ISP liability

Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?

If an ISP is considered to be a publisher of a website, the ISP will only be liable if it contributes to the displaying of the actual content or has clear knowledge of illegal content being displayed on its sites.

The Electronic Commerce Act makes distinction between limitation of liability of the ISP for caching or hosting content.

If caching the content, the ISP will not be liable if it does not modify the information; complies with conditions on access to the information, complies with rules regarding the updating of the information, lawfully uses technology for data collection, and expeditiously removes or disables access to the information immediately upon becoming aware of fulfilment of the conditions prescribed by law.

If hosting, the ISP will not be liable for the information stored at the request of a service recipient if it does not have actual knowledge of illegal activity or information and if immediately upon becoming aware of illegal activity, expeditiously removes or disables access to the information.

This will not be applicable if the service recipient is acting under the authority or the control of the provider.

Shutdown and takedown

Can an ISP shut down a web page containing defamatory material without court authorisation?

Croatian laws do not foresee an explicit possibility for an ISP to shut down an internet site without prior court decision in that respect. However, if such ISP authorisation was contracted, there is, in principle, no legal impediment to the application of such a provision.

Intellectual property

Third-party links, content and licences

Can a website owner link to third-party websites without permission?

Without prior permission, a website owner can post links only to freely accessible websites. If a website is not freely accessible, prior permission must be sought.

Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?

The content protected by copyright cannot be used without permission of the author and, in case of infringement, the author can use extensive legal protection.

In civil proceedings, an author may seek compensation for damages, return or reimbursement of all benefits acquired by the unauthorised use of copyright, the establishment of committed breach, a prohibitory injunction, as well as publication of final judgment.

The copyright is also protected by criminal law, and depending on the type and intensity of breach, penalties are prescribed of up to three years of prison.

In addition to criminal, there is also misdemeanour liability, which prescribes penalties for legal entities up to the amount of HRK100,000, and for natural persons up to the amount of HRK10,000.

Can a website owner exploit the software used for a website by licensing the software to third parties?

The website owner could license software to third parties only in case he is also the owner of the software or if such right of licensing has been granted by the owner of the software.

Are any liabilities incurred by links to third-party websites?

There are different types of liability depending on the content of the linked website such as criminal liability in case the linked website contains data prohibited by law (eg, violent or pornographic content made available to minors) or civil liability (in case of links to protected content).

Video content

Is video content online regulated in the same way as TV content or is there a separate regime?

Video online content (ie, electronic publication) falls under the same regime as television (TV) and regulated by the Electronic Communications Act. This Act obliges internet publications providers to register, like TV publishers, at the register controlled by the Agency for Electronic Media that promotes public interest and pluralism of the media, and amongst others, focuses on the protection of minors and the prevention of the promotion of programmes spreading hate or discrimination.

Significant changes in this filed are expected with the implementation of Directive 2019/790 on Copyright in the Digital Single Market.

IP rights enforcement and remedies

Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?

The person claiming that the service provider is infringing any of his rights can submit a request for injunction to the competent court.

The court can issue an injunction:

  • prohibiting actions and procedures which can cause the infringement of rights or continuance of already started infringement; or
  • limiting the provision of information society services so that the service provider is ordered to remove or disable the access to data.

What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?

In the civil proceedings, apart from filing a law suit, an injunction can be requested.

Search orders as such cannot be requested; however, the claimant can request from the court to order the respondent to provide information which he or she unlawfully refuses to provide and which are necessary for the filing of the claim.

Data protection and privacy

Definition of ‘personal data’

How does the law in your jurisdiction define ‘personal data’?

Under the General Data Protection Regulation (GDPR) any information relating to an identified or identifiable natural person is considered personal data.

The GDPR prohibits the processing of special categories of data such as ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, etc. Special categories of data may be used if GDPR exemptions are met (eg, there is explicit consent, the data is needed for fulfilling requirements under employment and social security and social protection law, etc)

Anonymous information is neither under GDPR protection nor under the protection of the Act on the implementation of the GDPR provided that GDPR conditions on anonymity are met.

Registration requirements

Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?

The website owners and all other data controllers do not need to register with a regulator but must perform self-regulation.

A data protection officer has to be appointed if:

  • the data processing is performed by a public authority or public body, except for courts that act within their jurisdiction;
  • the core activities of the controller or processor consist of processing operations that, owing to their nature, scope and/or purpose, require regular and systematic monitoring of data subjects to a significant extent; or
  • the core activities of the controller or processor consist of an extensive processing of special categories of data in accordance with the GDPR.
Cross-border issues

Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?

The protection offered by the GDPR is applied to citizens of EU member states as well as foreign citizens whose personal data are processed in EU countries.

The personal data can be transferred among EU countries and to the third countries for which the Commission has established that they provide an adequate level of protection (adequacy decision).

In the absence of an adequacy decision, the transfer can take place if appropriate safeguards are provided and under the condition that data subjects have at their disposal enforceable rights and efficient judicial redress (such as binding corporate rules, standard contractual clauses approved by the European Commission, adherence to the codes of conduct or certification mechanisms).

Customer consent

Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?

Personal data are generally processed based on customer consent. The consent is given by clear affirmative action in a form of a written statement, including electronic, etc; however, the burden of proof that the consent has been explicitly given always lies with the controller. Silence or pre-ticked boxes do not constitute consent.

Sale of data to third parties

May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?

Provision or sale of data to third parties can be done only with consent of the person to which the data refers. The seller is liable that the personal data is collected in a legal manner and the buyer must undertake to perform all needed measures for protection of the personal data.

Customer profiling

If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?

All profiling based on the data collected from a website visitor is regulated by the GDPR. Only opt-in approaches to profiling and to cookie policies are allowed. The list of the exact data points that will be collected from a website visitor must be made public and clear, as a part of the website’s cookie policy statement.

Data breach and cybersecurity

Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?

Public electronic communications network service providers must notify the HAKOM and the Personal Data Protection Agency without delay of any personal data breaches as well as the affected individuals, if such breach shall negatively affect the security of personal data and occurrence of damage may be expected.

What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?

Under the Electronic Communications Act, operators of public communications services must take appropriate technical and organisational measures that correspond to the existing level of threat to network security, taking into account the available technical and technological solutions and the costs of these measures.

Under the GDPR, all data controllers and data processors must undertake appropriate technical and organisational measures to ensure a level of security appropriate to the risk (eg, the pseudonymisation and encryption of personal data, ensuring on-going confidentiality, integrity and resilience of processing systems and services etc).


Is cybersecurity insurance available and commonly purchased?

There are number of insurance companies that offer cyber security insurance, and cyber security insurance is expected to face a growth in the following years, especially considering the rising threats to cyber security.

Right to be forgotten

Does your jurisdiction recognise or regulate the ‘right to be forgotten’?

The ‘right to be forgotten’ is prescribed under the GDPR and personal data must be erased upon the request of the data subject if one of the prescribed GDPR grounds exists (the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, the personal data have been unlawfully processed etc.).

Email marketing

What regulations and guidance are there for email and other distance marketing?

Customer consent is a general rule for email and other distance marketing; however, the GDPR acknowledges legitimate interest as a basis for unsolicited marketing. Such legitimate interest could exist (eg, where there is a relevant and appropriate relationship between the data subject and the controller).

The Electronic Communications Act permits such marketing in a manner that the merchant may use the already consensually obtained consumer emails also for unsolicited marketing but only for their own similar products or services. The consumers must be granted, in a clear and unambiguous way, the opportunity to object to such unsolicited marketing in advance, when their email address is collected for the first time and at the receipt of each future electronic message.

Consumer rights

What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?

The GDPR provides for extensive rights for individuals such as:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the rights in relation to automated decision making and profiling.

A data subject under the GDPR is anyone within the borders of the European Union at the time of processing their personal data, regardless if such data subject is an EU citizen or not.

In Croatia, any individual claiming violation of their personal data in the territory of Croatia, may file a request for the protection of their rights to the Croatian Personal Data Protection Agency.


Online sales

Is the sale of online products subject to taxation?

In relation to business-to-business sale of online products from suppliers in other EU countries, the ‘reverse charge’ applies that moves the responsibility for the recording of a value added tax (VAT) transaction from the seller to the buyer for that good or service.

In relation to business-to-customer transactions, foreign undertakings are obliged to register in Croatia for VAT purposes and calculate VAT in accordance with Croatian law.

Server placement

What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?

The fact that the server is located outside Croatia does not, by itself, liberate the company from local taxes. The foreign company will be obliged to pay tax in Croatia if it is actually preforming its business in Croatia.

Company registration

When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?

The VAT registration has to be mandatorily performed after the company exceeds the prescribed limit for entering the VAT system (ie, HRK300,000 of annual revenue), but it can be also done voluntarily. The VAT registration is made at the tax authority office competent for the area of company’s business seat. There is no difference in taxation of online or the sale in stores.


If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?

The buyer who returned the goods may qualify for repayment of the customs debt (comprised from customs, special taxes and VAT). Repayment can be requested for goods initially received by post, which are returned unused to offshore company owing to damage or because the goods did not correspond to the terms of the contract on which they were purchased. The repayment of the customs debt may be requested within 12 months of the date of import, provided that the goods have not been used and that they are exported from the customs territory of the European Union.

Transfer-pricing in relation to returning goods to an onshore retail outlet of an offshore company should be regulated by a sale agreement, where prices of the goods between the offshore and onshore company should be set on an ‘arm’s length principle’.



Is it permissible to operate an online betting or gaming business from the jurisdiction?

Other than by the national lottery company, Hrvatska lutrije d.o.o., betting and on-line casino games can be operated by a restricted number of other companies having their seat in Croatia, which, under the decision of Croatian government, acquired the right to operate such games and, in accordance with the law, concluded an agreement on operating betting.

Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?

Adult residents are permitted to use online casinos and betting websites of authorised organisations. Before the use of online casinos and betting websites, users must provide prescribed personal data, verification of which is performed by the inspection of the Personal Identification Number (OIB) Register through electronic services of the Tax Authority (e-Porezna).


Key legal and tax issues

What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?

The key legal issue to take into considerations in relation to outsourcing is associated with labour-law matters. Since outsourcing diminishes the need for own employees, the employer must strictly adhere to rules and procedures relating to the termination of employment agreements (eg, when laying off more employees owing to business reasons from the same work function, the social factors of each affected employee such as years of service, age of the employee, maintenance obligations, etc, must be taken into consideration).

In relation to tax issues connected with the outsourcing, the importance of the use of the right to deduct the input tax has to be taken into consideration since only an external supplier in the VAT system, shall be allowed to charge VAT to its invoice.

Employee rights

What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?

Outsourcing is generally considered a justified reason for the termination of an employment agreement owing to business reasons. In such cases, the affected employee is entitled to claim from the employer:

  • severance pay (if employed longer than two years at the same employer); and
  • notice period and compensation for unused annual leave.

Furthermore, such an employee may qualify for unemployment benefits from the Croatian Employment Service (if previously employed for at least nine months).

Online publishing

Content liability

When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?

Under Croatian law, a website provider shall not be responsible for mistakes in information provided on-line, as long as he or she does not decide on the content of the website.

The publisher is responsible for damages incurred by published information but the affected person has to request the correction of the mistake from the chief editor within 30 days from the publishing, in order to be able to claim damages.


If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?

If a database qualifies as an original intellectual creation it shall be protected by copyright, and the author may exclude others from using such database.

Croatian law also provides for special protection of databases even if they do not qualify for copyright.

Dispute resolution


Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?

In Croatia, there is no specialist court which deals only with online/digital issues and disputes.


What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

Disputes between traders and online customers can be resolved on the online dispute resolution (ODR) platform provided by the European Commission.

Online traders are not obliged to engage in the ODR process and may refuse to accept consumer’s complaint through the ODR platform, but nevertheless, they have to:

  • clearly provide their email address on their website; and
  • provide a link to the ODR platform (

In Croatia, this system is still not widely used, and there are still some online traders who have not yet complied with their obligation of positing a link to the ODR.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business?(EU JURISDICTIONS ONLY: How do you anticipate the General Data Protection Regulation and the e-Privacy Regulation will impact e-commerce?)

Key developments of the past year58 Are there any emerging trends or hot topics in e-commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-commerce and internet-related business?

The entering into force of the GDPR in May 2018 was the most important development in e-Commerce and probably in business regulation in general. Companies in Croatia have used significant resources in order to align their business with the GDPR, although there are still many ambiguous questions in relation to the GDPR, which we expect to be clarified by new case law and official opinions of the Croatian protection agency.

The impact of the proposal of the e-Privacy Regulation is yet to be seen but it can be anticipated that digital advertising and the media industry as a whole, will face new operational challenges.

The EU Copyright Directive, which was heavily debated prior to its adoption in March 2019 and whose implementation in EU member states shall proceed in the next two years, will surely bring a major change in video-on-demand platforms and user-uploaded-content platforms. While it is expected to provide copyright holders with more power over distribution of their content, the fear remains that it will excessively restrict freedom of the internet and online content sharing.