Aleksandar Crnković, Attorney : Liability of civil servants and state employees for unlawful processing of personal data

The General Data Protection Regulation (EU) 2016/679 provides for administrative fines up to 20 million EUR or 4% of the total revenue for controllers of personal data.

Sometimes, whether justified or not, we feel that the personal information we were obliged by legal obligations to give to officials will find its way into the public or at least to our neighbours. Such fear exists mostly in small communities where everybody knows everybody. The awareness of the need to protect our personal information is just emerging.

Public authorities in the Republic of Croatia are exempt from these fines under the Act of implementing the General Data Protection Regulation.

The Croatian Personal Data Protection Agency (AZOP) is obliged to supervise the processing of personal data by public authorities and to determine the violation of the rules of processing of personal data. Every injured party is entitled to compensation. Civil servants and state employees, employed in public authorities, have access to personal data of citizens, and to some particularly sensitive information (eg. data on racial or ethnic origin, political views, religious or other beliefs, trade union membership, health or sex life). Public authorities process personal data on the basis of their public authority and legal obligations, to which data subjects have no influence.

Therefore, if civil servants and state employees illegally perform the processing of the personal data of the data subjects, public authorities will not be subjects to high administrative fines, and data subjects will have to prove beyond a doubt in the court proceedings the personal damage they suffered through such illegal processing of the data and the compensation amount.

Are civil servants and state employees liable for the unlawful processing of personal data? Yes, they are, and primarily through disciplinary and criminal liability.

An official who illegally processes personal data commits a breach of official duty, as well as a criminal offense. An official can thus be held liable for both – breach of the official duty and the commission of a criminal offense.

The criminal offense of unauthorized use of personal data is regulated by Art. 146 of the Criminal Code, so whoever, contrary to the conditions specified in the law, collects, processes or uses personal data of physical person shall be sentenced to a term of imprisonment for up to one year. In addition to this basic criminal offense, the legislator also provided qualified forms, punishable with of up to three years imprisonment, in case personal data are transferred from the Republic of Croatia for the purpose of further processing or disclosure, if otherwise made available to another, to acquire substantial financial gain or cause substantial harm if the offense is committed against a child or if it involves the unlawful processing of specific categories of personal information (racial or ethnic origin, political views, religious or other beliefs, trade union membership, health or sex life, criminal or misdemeanor proceedings). If these offenses are committed by an official in the exercise of his / her authority, he / she shall be sentenced to a term of imprisonment between six months and five years, which makes the offense more serious.

If you have reason to believe that an official has illegally collected, processed or forwarded personal data, you have the right to raise this doubt in a complaint against that official, primarily to the public authority at which that official is employed (the head of the authority), in the manner prescribed by this body, and to the Ministry of Public Administration by telephone 0800 0304, free of charge, by e-mail: or by post to the Ministry of Public Administration at Maksimirska 63, Zagreb. In addition, you can file a complaint about the processing of the data with the public authority itself, and with the data protection officer, as well as a complaint with the Croatian Personal Data Protection Agency.

You can file a report based on reasonable doubt that a criminal offence under Art. 146 of the Criminal Code has been committed at any police station or public attorney’s office.

Special protection by complaint is also provided in accordance with the General Administrative Procedure Act, under which you can file a complaint to the head of the authority against other forms of actions of public bodies (Article 156 of the General Administrative Procedure Act), to which the head of the authority is obliged to respond by a decision within 8 days of receiving the complaint.

Although public authorities are not obliged to pay fines under the General Data Protection Regulation (EU 2016/679), they have every reason to harmonize the processing of personal data with the applicable regulations and to ensure the highest level of protection of citizens’ data, so as not to be supervised by the AZOP, and in order not to cause any damages they will be obliged to compensate, which is certainly necessary in order to reduce the misuse of such processing by public officials.

Leave a Reply

Your email address will not be published. Required fields are marked *