GDPR and employees


1.1. Key legislation and regulations

As the general act on personal data processing, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), has applied since 25 May 2018.

In Article 6, the GDPR prescribes six legal grounds for personal data processing. Article 9 of the GDPR provides an exemption from the prohibition on processing special categories of personal data if the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

The Act on Implementation of the General Data Protection Regulation (“Zakon o provedbi Opće uredbe o zaštiti podataka – Official Gazette, No. 42/18” – available only in Croatian – the Act) lays down specific provisions regarding the biometric data of employees processed for the purpose of records of working hours and for security reasons. This kind of personal data processing is allowed only with the consent of the employee, and an alternative technical solution shall be provided for employees who do not give their consent.

The Act also includes provisions regarding video surveillance and provides that such processing shall be in accordance with the Law on Occupational Health and Safety (“Zakon o zaštiti na radu – Official Gazette, No. 71/14, 118/14, 154/14, 94/18, 96/18” – available only in Croatian – the Safety Law) and only upon prior privacy notice. Video surveillance must not cover the rooms used by employees for rest and hygiene.

The main law regarding employees is the Labour Law (with recent changes from December 2022; available only in Croatian) (‘the Labour Law’).

The Labour Law has a special provision on the privacy of employees and recommends that any data processing and/or transfers of personal data be described in the employer's labour regulation. An employer that employs at least 20 employees must appoint a person in charge of supervising the processing of employees’ personal data.

Recent changes, which will be in force from 1 January 2024, introduce new rules regarding platform workers (e.g., working via a website or an app). Where automated systems are used for organising platform work, the employer must be transparent and acquaint the employee with the organisation of the digital platform and with decision making by the automated system. An authorised person shall be appointed for the security and examination of the decisions.

A digital platform shall not process data on private conversations and on the emotional and physiological condition of an employee. Health data shall also not be processed, unless in accordance with data protection laws. Additionally, personal data shall not be collected during an employee's time of inactivity.

The Labour Law prescribes two modalities of teleworking: work from distance and work from a distant place. In the case of work from home, an employer has the right to enter the employee’s home to maintain business equipment or to perform an anticipated audit, but only if this is agreed between the employer and the employee and only at a time agreed with the employee. An employer is obliged to preserve the employee’s privacy.

1.2. Official guidelines

The Croatian Personal Data Protection Authority, as the national data protection authority in accordance with the GDPR, has issued several guidelines regarding the processing of employees' personal data (available only in Croatian):

1.3. Supervisory authorities

Alongside the Croatian Personal Data Protection Authority, the Ministry of the Government of the Republic of Croatia is also in charge of compliance with labour law. The Ministry also issues guidelines and performs inspections.

1.4. Applicable case law

The Croatian legal system does not recognise case law as an institute; rather, case law can be examined as an argument for certain reasoning. The case law often concerns medical data and the absence of an employee from work. There is some case law on the legality of video footage of an employee.

The Supreme Court of the Republic of Croatia regularly publishes the Selection of Decisions. The Supreme Court of the Republic of Croatia also publishes court practice on its web site (available only in Croatian) and legally binding conclusions from legal assemblies. Access to the web site is free of charge.

The latest report from AZOP, from 2021, published four enforcement decisions (available only in Croatian). The decisions concerned video surveillance and improper technical and organizational measures.


2.1. General requirements for collection, processing, and disclosure of data

In accordance with the GDPR, personal data shall be processed for performing the contract (the labour agreement) and for performing pre-contractual activities. Certain personal data can be processed on the basis of the legitimate interest of an employer, provided that the interests or the fundamental rights and freedoms of the data subject are not overridden.

Consent should be the appropriate legal basis for keeping personal data after a particular recruitment process, and, generally speaking, CVs of applicants should not be kept for a long time, since they are no longer valid after a few years.

2.2. Advertising a position and requirements for data collection regarding CVs, tests, evaluations

When advertising a position, employers shall keep in mind that the companies they engage for advertising, recruitment, and selection purposes are usually considered data processors or joint controllers. Thus, agreements and checks should be in place, in accordance with Articles 26 and 28 of the GDPR.

Regarding psychological tests, there is a special Law on Psychological Activities (available only in Croatian), which prescribes that only licensed persons are allowed to perform such tests. There are no special provisions on retention periods of data.

2.3. Requirements and restrictions in relation to background checks

Regarding requirements and restrictions in relation to background checks, employers should be aware of the provisions in special laws and comply with those provisions. For example, there are special provisions on recruitment, selection, and background check activities in special laws regarding public bodies, local municipalities, politicians, and certain professional activities (such as lawyers, doctors, etc.).

The Croatian Personal Data Protection Agency published an opinion that employers should analyse their legitimate interest when accessing publicly available data about employees/candidates.

2.4. Obligations of the employer to protect candidates’ right to privacy during interview process

Employers should comply with the GDPR and applicable special laws. Each candidate should receive all the necessary information, in accordance with Article 13 and Article 14 of the GDPR.

Employers should refrain from asking prohibited questions and collecting excessive personal data. The processing activities shall take into account the basic principles of personal data protection (minimisation, lawfulness, accuracy, confidentiality).

2.5. Employer’s right to ask questions/request references

The Labour Law forbids the collection of certain types of data. When concluding a labour agreement, an employer must not request from an employee information that is not directly related to his or her employment, such as data about pregnancy, number of children, religion, etc.

2.6. Candidate’s obligation to reveal information

Questions that must not be asked under the Labour Law need not be answered. A candidate has an obligation to reveal only information that is necessary for the performance of the labour agreement. For example, a candidate has to inform the employer of any obstacle which is significant for performing the labour agreement.

2.7. Retention of recruitment records

Retention of recruitment records is prescribed by special laws. Where there is no special law, employers decide to keep the data until completion of the recruitment process and until expiration of the deadline for candidates to file complaints.



3.1. General requirements for collection, processing and disclosure of data

Employment records are prescribed by Law and Bylaws as a legal obligation. Employment records consist of records of working hours, records in accordance with the Safety Law, and general data about an employee, such as previous working experience, date of birth, citizenship, ID number, and Personal Identification Number. Data can be disclosed to public authorities, in accordance with law.

3.2. Notification to the employee on collection, processing, access and disclosure

Employees should receive the necessary information under Article 13 of the GDPR (data controller, data retention periods, purpose of processing, data transfer, etc.). Also, if an employer has at least 20 employees, the employer needs to publish a Labour Regulation, in which all the personal data processing activities and transfers related to employees should be described.

3.3. Retention of employment records

Employment records must be kept permanently. Records of working hours must be kept for at least six years.

3.4. Employee rights to information

Employees, as data subjects, have all the rights provided by the GDPR (to access, rectify and delete data, to object, and to file a complaint with the data processing authority). Also, in accordance with the Labour Law, employees have the right to file a request for protection of their rights and to file a complaint with the person appointed by the employer who is in charge of supervising the processing of employees' personal data.

3.5. Disclosure to works councils, state authorities, arbitration courts, etc.

In accordance with the Labour Law and the Safety Law, the works council should be consulted in the case of constant surveillance of employees, the appointment of the person appointed by the employer who is in charge of supervising the processing of employees' personal data, and any significant transfer of employees' personal data.

State authorities can receive personal data in accordance with their powers prescribed by law.


4.1. General rules on processing of workers’ health information and exceptions

In accordance with the Labour Law and the Safety Law, employment records must contain data about injuries at work and professional sickness, sick leave, maternity leave, and data necessary for exercising the rights of an employee, such as special working conditions and special working hours or leaves.


5.1. Legal grounds

Employees’ data should be transferred in accordance with the GDPR, and special conditions should be respected in certain situations. For example, the works council should be consulted in the case of a transfer of employees' data, and the transfer of data should be described in the Labour Regulation.

5.2. Mechanisms for the transfers of data

A group of undertakings, or a group of enterprises engaged in a joint economic activity, within the European Union can rely on legitimate interest for necessary personal data transfer.

Transfers of data outside the European Union are allowed in accordance with the GDPR (adequacy decision, standard contractual clauses, codes of conduct, consent).

Employers should be able to make use of approved binding corporate rules for their international transfers from the European Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

5.3. Sensitive data

Employers shall always check whether the law requires the processing of special categories of personal data, and refrain from processing and transferring data that is not necessary for fulfilling the purpose.

Allowed sensitive data processing can be, for example, the processing of data necessary for fulfilment of the legal obligation of keeping employment records, records of working hours, and records in accordance with the Safety Law (data about injuries at work and professional sickness). This type of data can be transferred in the case of a legal obligation prescribed by law or based on a data processing agreement with a service provider.

When using biometric data for entrance to business premises and records of working hours, employers should ask employees for their consent.

5.4. Information provision requirements

Employees should receive the necessary information under Article 13 of the GDPR (data controller, data retention periods, information about the data protection officer, purpose of processing, data transfer, information on data subject’s rights, etc.).

5.5. Notification requirements

If an employer has at least 20 employees, the employer needs to publish a Labour Regulation, in which all the data transfer activities related to employees should be described.

Where a works council exists, the employer should consult with the works council regarding the processing and transfer of employees' data.


6.1. Criminal and civil liabilities

In addition to the administrative fines prescribed by the GDPR, the Labour Law has provisions on violations committed by employers.

A fine in the amount ranging from 4,110.00 to 7,960.00 EUR shall be imposed on an employer:

  1. for requesting from an employee, on the occasion of concluding a labour agreement, the information which is not directly related to his or her employment;
  2. for unlawfully collecting, processing, using and sending to third parties personal information about employees;
  3. for failing to appoint a person who is authorised to receive and deal with the complaints related to the protection of workers’ dignity or for disclosing information obtained in the complaint procedure;
  4. for asking for information on a woman’s pregnancy, or ordering another person to ask for such information, except when the woman personally requests a specific right envisaged under law or another regulation for the protection of pregnant women.


Marija Boskovic Batarelo LL.M. Law and Technology