Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Family Act (OG 103/15, 98/19, 47/20, 49/23 and 156/23) envisages that a person who turns 18 years of age is an adult, which means that they have acquired full legal capacity.
A child, is also interpreted by the Ombudsman for Children Act (OG 73/17) as being any person under the age of 18.
Please also note that general requirement in respect to legal capacity is envisaged in the Code of Obligations (OG 35/05, 41/08, 125/11, 78/15, 29/18, 126/21, 114/22, 156/22, 155/23) i.e. full legal capacity for entering into a legal relationship is acquired according to the Code of Obligations at the age of 18.
It is exceptionally possible for a child to acquire full legal capacity before turning 18 by entering into a marriage (minimum of age 16) effectively making them adult for legal purposes.
Also, exceptionally a child, minimum of age 15, may acquire limited legal capacity in case of employment, for the purpose of that employment and can enter into legal relationships and assume obligations within the earning amount as well as dispose of his/her earnings subject to non-jeopardising his/her existence.
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Family Act (OG 103/15, 98/19, 47/20, 49/23 and 156/23) envisages that a person who turns 18 years of age is an adult, which means that they have acquired full legal capacity.
A child, is also interpreted by the Ombudsman for Children Act (OG 73/17) as being any person under the age of 18.
Please also note that general requirement in respect to legal capacity is envisaged in the Code of Obligations (OG 35/05, 41/08, 125/11, 78/15, 29/18, 126/21, 114/22, 156/22, 155/23) i.e. full legal capacity for entering into a legal relationship is acquired according to the Code of Obligations at the age of 18.
It is exceptionally possible for a child to acquire full legal capacity before turning 18 by entering into a marriage (minimum of age 16) effectively making them adult for legal purposes.
Also, exceptionally a child, minimum of age 15, may acquire limited legal capacity in case of employment, for the purpose of that employment and can enter into legal relationships and assume obligations within the earning amount as well as dispose of his/her earnings subject to non-jeopardising his/her existence.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
Croatia ratified the UNCRC in 1992; however, its text has not been directly incorporated into national law.
Nevertheless, Croatia is committed to protecting children’s rights prescribed by the UNCRC and advocating its principles.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The office of the Ombudsman for Children was established in 2003 and is currently enforced and upheld through the Ombudsman for Children Act (OG 73/17).
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The Ombudsman for Children is tasked with protecting and promoting the rights and interests of children on the basis of the Croatian Constitution, international treaties and laws.
As such, it is responsible for monitoring the conformity of all domestic regulations with legislation which concerns the protection of children.
Moreover, the Ombudsman for Children may propose measures to ensure an all-encompassing system for protection of children’s rights and interests, which includes protection of children in digital surroundings. The Ombudsman can, amongst other things, participate in the process of drafting regulations that relate to children's rights or regulate issues important to children. It can also encourage the adoption and changes of laws and other regulations related to the rights and protection of children.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
No national law requirements in this regard; see more information on the GDPR-level requirements here.
The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data.
If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different settings/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
In relation to the Article 8(1) GDPR, Article 19(1) of the Croatian Law on Implementation of GDPR (OG 42/18) prescribes that in connection with the offering of information society services directly to a child, the processing of the child's personal data is lawful if the child is at least 16 years old.
Similar, the Guidance of the Croatian Personal Data Protection Agency (AZOP) on application of the general regulation on data protection in school institutions envisages that - regarding the consent of the child in the case of offering information society services - any processing comprised in a service that is usually provided for a fee at a distance, by electronic means and at the personal request of the recipient (Directive EU 2015/1535 of the European Parliament and of the Council), such as, for example, online sales of goods and services, offering data on the Internet, access to social networks, etc. is lawful if the child is at least 16 years old. If the child is under the age of 16 years, such processing is legal only if and to the extent that the consent was given or approved by the holder of parental responsibility over the child (legal representative of the child).
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. According to Art 8(2) GDPR, controllers are required to make reasonable efforts to verify that consent has been given or authorised by parents. Similarly, the Croatian Personal Data Protection Agency’s Guidance on application of the general regulation on data protection in school institutions envisages that all organisations that process personal data of children must make reasonable efforts, taking into account the available technology, in order to assess whether the given consent is actually in accordance with the legal framework. This may include the implementation of age verification measures such as a question that the average child would not be able to answer or a request that the minor provide the email address of the parent in order to obtain written consent, etc.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard see more information on the GDPR-level requirements here In addition, the Guidance of Croatian Personal Data Protection Agency on application of the general regulation on data protection in school institutions envisages that all information that is specifically intended for children should be adapted to be easily accessible, using clear and simple language.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR.
In relation to the above, further to the Croatian Personal Data Protection Agency’s Guidance on application of the general regulation on data protection in school institutions, children have the right to protection of their personal data, which includes the right to be heard in all matters affecting them in accordance with their individual developmental capacities.
In addition, all decisions made regarding the processing of children's personal data must first and foremost take into account what is in the best interest of the child ("principle of best interests").
If a child does not have the ability to exercise his/her rights to data protection independently or together with a representative, then his/her legal representative (parents, custodians, foster parents etc.) can exercise the right to personal data protection on behalf of the child. Exercising this right should be undertaken by parents/legal representatives in the best interests of the child and for the benefit of the child, and not to achieve their own personal goals.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Pursuant to Article 87 of the Family Act, a child who turns 14 has the right to independently initiate proceedings before competent authorities regarding the exercising of their rights and interests.
Namely, in matters where the personal rights and interests of the child are decided upon, the court shall, at the child's request, issue a decision to allow a child who has reached the age of 14 to present facts, propose evidence, submit legal remedies and take other actions in the process if he/she is capable of understanding the meaning and legal consequences of those actions.
Before passing any decision, the court is obliged to request the opinion of the Croatian Institute for Social Work, which decides on the recognition of rights and social services in the administrative area of social welfare.
Any such complaint may be submitted to the Croatian Personal Data Protection Agency (AZOP), i.e., the national data privacy regulator. In accordance with Article 34 of the Croatian Law on Implementation of GDPR, anyone who considers that a right guaranteed by the law or the GDPR has been infringed may submit a request to AZOP for the determination of an infringement of rights. Requests for determination of an infringement of rights may be submitted to AZOP personally, by post, by fax or via e-mail.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no specific national legislation provisions covering the mentioned matters. However, the Croatian Personal Data Protection Agency (AZOP) has issued recommendations when it comes to processing children’s personal data in the context of school and pre-school educational sectors (AZOP’s Guidance on application of the general regulation on data protection in school institutions and preschool):
a) processing specific types of children’s personal data;
These consist of special protection when handling personal data of children, as they may be less aware of the risks, consequences and protective measures in relation to data protection. In principle, the best interests of children as prescribed through the UNCRC must always take precedence when processing and/or using children’s personal data.
b) using children’s personal data for specific purposes.
See response at a. above.
c) carrying out specific processing activities involving children’s personal data; and/ or
AZOP has issued Decision on the basis of Article 35(4) GDPR, whereby processing of children’s personal data for the purposes of profiling, automated decision making, marketing purposes or for the direct offer of services intended for them is subject to a mandatory prior data processing impact assessment (DPIA).
Additionally, see more information on the EU-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
According to publicly available information, the Croatian Personal Data Protection Agency has not to date imposed any sanctions against processors/controllers of personal data when it comes to the matter of protecting children’s personal data.
Are there specific rules concerning electronic direct marketing to children?
Yes.
According to the Croatian Electronic Communications Act (OG 14/24), the use of automated calling and communication systems without human intervention, facsimile machines or electronic mail, including short messaging system (SMS) and multimedia messaging services (MMS), for the purposes of direct marketing and sale may only be allowed in respect of end users who have given their prior consent.
These provision/requirements are not specifically directed at communications made to children but regardless of whether the communication is sent to an adult or a child, the general rule is that the consent of the individual recipient is required (which must be GDPR-standard consent) although there are certain strictly applied exemptions which can be relied upon in limited circumstances.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. However, further to the Croatian Data Protection Agency’s Decision issued on the basis of Article 35(4) GDPR, processing of children’s personal data for the purposes of profiling, automated decision making, marketing purposes or for the direct offer of services intended for them is subject to a mandatory prior data processing impact assessment (DPIA).
Further to Croatian Electronic Communications Act (OG 14/24), the use of electronic communication networks to store data or to access already stored data in the terminal equipment of the end user or users is allowed only in the case when that end user or users has given their consent, after receiving clear and complete information in accordance with the personal data protection regulations, and especially about the purposes of data processing. This cannot prevent the technical storage of data or access to data solely for the purpose of carrying out the transmission of communications via an electronic communication network, or, if necessary, for the purpose of providing information society services at the express request of the end user or users.
These provision/requirements are not specifically directed at children but applies regardless to an adult or a child. The general rule is that prior consent of the individual is required (which must be GDPR-standard consent).
Additionally, see more information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes
No national restrictions nor age limits are set regarding online contextual advertising to children. See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We are not aware of any regulatory enforcement action concerning advertising to children.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
The general requirement in respect of legal capacity is envisaged in the Code of Obligations (OG 35/05, 41/08, 125/11, 78/15, 29/18, 126/21, 114/22, 156/22, 155/23), i.e. full legal capacity for entering into a legal relationship is acquired according to the Code of Obligations at the age of 18.
It is exceptionally possible for a child to acquire full legal capacity before turning 18 by entering into marriage (minimum of age 16) effectively making them an adult for legal purposes.
Also, exceptionally a child, minimum of age 15, may acquire limited legal capacity in case of employment, for the purpose of that employment and can enter into legal relationships and assume obligations within the earning amount as well as dispose of his/her earnings subject to non-jeopardising his/her existence.
Do consumer protection rules apply to children?
Yes.
The Croatian Consumer Protection Act (OG 59/2023) protects the fundamental rights of all natural persons who conclude agreements or act on the market outside of their trade, business or professional activity. This may include children.
Aside from general consumer protection provisions, the Croatian Consumer Protection Act generally prohibits unfair commercial practices, which also includes aggressive commercial practices. Aggressive commercial practices, amongst other things, include advertising that directly induces children to buy the advertised product or to persuade their parents or other adults to buy the advertised product for them.
Additionally, see more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
The Croatian Consumer Protection Act (OG 59/2023) generally prohibits unfair commercial practices, which also includes aggressive commercial practices. Aggressive commercial practices, amongst other things, include advertising that directly induces children to buy the advertised product or to persuade their parents or other adults to buy the advertised product for them.
A commercial practice is unfair if, among other things, in terms of a specific product, it significantly affects or is likely to significantly affect the economic behaviour of the average consumer to whom such a practice is intended or to whom it reaches, i.e. the average member of a certain group of consumers to whom this practice is directed.
Furthermore, age and carelessness of specific consumer groups which make them especially exposed should be taken into account by the trader in their commercial practice.
A monetary fine is envisaged for traders, as well as the responsible person within a trader, that uses practices that are considered unfair.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
According to publicly available data, Croatian authorities have not to date imposed any fines enforcing consumer protection specifically related to children’s use of digital services.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
National laws imposing age-related restrictions for specific categories may apply in the context of children accessing online/digital services.
These include, amongst other things, prohibition of sale and/or advertisement of alcoholic beverages, tobacco products, pornographic content and gambling services aimed at minors.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The Croatian Electronic Media Act ( OG 111/2021, 114/2022) contains provisions regulating the online safety and the content moderation of certain types of platforms. In particular, the Act establishes a legal framework for the protection of users and the public from harmful audiovisual commercial communications. The Act specifically provides for an enhanced protection of minors in the online environment.
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes
There are no national-specific laws in this regard; see more information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes
There are no national-specific laws in this regard; see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
Not that we are aware of.
The Croatian Regulatory Authority for Network Industries (HAKOM) has been appointed as the Digital Services Coordinator in Croatia for the purposes of the Digital Services Act. Therefore, its daily tasks should consist of enforcing regulation of online/digital safety for children in Croatia going forward.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; see EU-level response here.
Note, however, that the Croatian law implementing the AI Act is currently in public consultation phase and it is expected to be brought into the procedure before the Government of the Republic of Croatia in the 2nd quarter of 2025.
Bearing in mind that the draft proposal has not yet been published, it remains to be seen whether there will be any additional obligations imposed regarding AI and children other than those envisaged by the AI Act once the national legislative framework and strategy has been set out.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There is no other regulatory enforcement activity relevant to this matter that we are aware of.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
Planned amendments to the Games of Chance Act (OG 87/09, 35/13, 158/13, 41/14, 143/14 and 114/22) foresee that the existing ban on advertising of gambling will be extended to prohibit advertising in all print media, while advertising on the internet, TV and radio programs will be further restricted, so as to minimise the risk of harm to the development of minors.
Furthermore, the Croatian Regulatory Authority for Network Industries (HAKOM)has been appointed as the Digital Services Coordinator in Croatia for the purposes of the Digital Services Act and its activities may serve to provide further requirements relevant to children in online/digital environments.
Additionally, see more information on the upcoming EU-level requirements here.
Contributors
Luka Gubic
Vukmir & Associates
Andrea Kožul Pedišić
Vukmir & Associates
