Aim: The aim of the paper is to analyse relevant provisions of the General Data Protection Regulation and the relevant Croatian legislation from the perspective of data controllersconducting institutional research, to present the status and limitations of data subject rights concerning reuse of personal data for research purposes, give perspective on potential application of the new administrative fines, personal liability and potentially damaging collective actions and to offer suggestions de lege ferenda and comment on the institutional readiness to implement data protection adequately on the local and EU level.
Methods: The paper is based on comparative and historical legal analysis, interpretation of relevant legislation including EU regulations and directives, national laws and implementation acts as well as existing European and national case law and supervisory body decisions.
Results and Discussion: The new EU legal framework for protection of personal data allows, if conditions are met, reuse of personal data obtained for purposes different from research. Legal systems of Member States should adopt specific provisions clarifying obligations of data controllers.
Conclusion: Member States of the EU including Croatia, working through EDPB should coordinate to adopt specific national measures ensuring the safeguarding of data subject rights in line with data protection principles set by the General Data Protection Regulation.