EU parliament adopted the GDPR (General Data Protection Regulation) on April 27, 2016. The two-year preparation period ended on May 25, 2018, when the GDPR went into effect.
What is the GDPR?
This legislation represents the most revolutionizing and sweeping changes to data protection laws since 1998. Personal data is easily accessible in the social media age we’re living in, harming our personal security.
The main goal of the new policy is to protect the personal data of EU citizens. Since many global companies deal with EU citizens, citizens outside of the European Union will also be affected and protected as a result.
Why do I need to know what the GDPR is?
From May 25, 2018, all companies serving or interacting with EU citizens must comply with the GDPR requirements. As an EU citizen, it is important that you understand what is considered to be personal data so that you are protected.
What is considered to be “personal data”?
- Phone number
- Email address
- Personal identification number (Example: OIB in Croatia)
- IP and MAC addresses
- GPS location
- RFID tags automatically included on personal photographs and video footage
- Cookies on websites
- Biometric data including fingerprints, eye scans, and your voice
- Genetic data
- Education and academic achievement data
- Payment data
What are my rights as an EU citizen?
EU citizens are afforded several new rights under GDPR including:
- Right to refuse to become a data subject, which means, you can refuse to have your personal data processed. But, considering the fact that a vast majority of people have bank accounts and official employment, it’s highly unlikely that avoiding sharing all data across the board is even possible unless you live in the woods.
- Right to be informed about what happens with the personal data you choose to share. You have the right to know how your data is used. Any company you deal with is required to publish this information publicly, and depending on the type of data, is required to get your explicit consent to obtain it.
- Right to data portability and data removal. As an EU citizen, you can request to see all the data a company holds on you and request that they delete everything they have on you as well. With regards to data removal, there are exceptions when it pertains to legal responsibilities, public health issues, and scientific research.
- Data profiling is allowed by the GDPR but certain measures must be taken for safety like the rights of the profiling subjects.
What else do I need to know?
- Companies are required to inform you of:
- What data they collect and why they collect it
- What they are doing with your data
- How they protect your data
- What measures are in place in case your data is affected due to a data breach
- How and when they will contact you if your data is affected due to a data breach
- How long they keep your data
- How you can contact them to see what data they have and how you can request for it to be deleted
Here are Frequently Asked Questions regarding the GDPR. If you are a Croatian citizen, you are protected under this policy.
Please note: Information provided by Expat in Croatia is only for the purposes of guidance. It does not constitute legal or financial advice in any form. Croatian laws and bureaucratic rules often change, and each personal case is individual, so different rules may apply. For legal advice, contact us to consult with a licensed Croatian lawyer. For financial advice, contact us to consult with a licensed Croatian tax advisor or accountant.