Harmonization Will Take Months

All data, including personal data, are becoming increasingly important for business operations in Croatia as well. Consequently, it is necessary to provide quality, continuous education for employees in order to familiarize them with the rules for protection of all data, including personal data, as stipulated by GDPR.

All EU members were, to some extent, unprepared for the application of GDPR. According to research conducted in Germany in December of 2017 by Zentrum für Europäische Wirtschaftsforschung (ZEW), Mannheim, on a sample of 700 enterprises, 40% of surveyed enterprises had only heard about GDPR by then, but had not started the adjustment. “As an expert in this field, I can say that only a few serious enterprises may implement complete harmonization with GDPR rules in such a short period, unless a high level of harmonization existed previously,” stated Aleksandar Crnković, attorney-at-law from Zagreb and expert in GDPR matters. “The situation was far worse in Croatia, because many did not even hear about GDPR before the numerous media reports in April of 2018.”

Our interlocutor says that, on average, large enterprises were much more prepared for the application of GDPR than micro companies and small and medium enterprises (SMEs) were. GDPR is a complex interdisciplinary matter that requires experts in the fields of IT and law, which SMEs most often do not have. The situation is the same in all EU members and therefore GDPR itself provides certain advantages for SMEs. Unfortunately, the necessary measures for SMEs that were supposed to be taken into consideration by the European Commission according to recital 167 of GDPR have not been adopted to date. Responding to the question on the consequences which Croatia would bear for lack of preparation, Crnković states that it is difficult to talk about this subject at this point. “It is important to emphasize that after the initial storm in the media at the onset of GDPR application, we now have a calm before an even bigger storm, and this is certainly to be expected once the supervisory bodies really start to conduct their supervision,” states D&C’s interlocutor.

  1. In a public debate in which you participated personally, there were many motions for changes and amendments to the Law on the Implementation of the General Data Protection Regulation. What kind of legal text did we ultimately get?

I am currently cooperating with NOYB – European Center for Digital Rights on a project of analysis of GDPR implementation laws in all EU members and I have to point out that the Croatian implementation law is not the worst one. Of course, the law could have been more detailed and could have clarified a series of issues that GDPR leaves unresolved. The law ensures independence of the Personal Data Protection Agency (AZOP) as a supervisory body; it stipulates its organization, legal procedure in front of AZOP and supervision thereof. On the other hand, possibilities to define rules for personal data protection more clearly have been exercised only to a limited extent. For example, processing of genetic data is prohibited, while processing of biometric data is limited. A positive element of this law is certainly the respondents’ possibility to exercise their rights to personal data protection. Taking into consideration the success of Association Franak, it is certainly commendable that the Croatian legislator allowed for the possibility of organization of citizens in associations in the field of personal data protection.

  1. From the onset of implementation, it was a known fact that the General Regulation is a major challenge for public administration. How to discipline the public administration when – if sanctioned – it would be paying fines to itself, i.e. to the state budget?

Implementation of GDPR must be viewed much more extensively than merely through imposition of monetary sanctions. Namely, by applying GDPR, new rules were introduced for personal data management for the purpose of protection of citizens’ personal rights and privacy. This way, for example, GDPR includes the right to be forgotten, the right to verification of accuracy of personal data, as well as correction and transfer thereof. Also, GDPR expands the obligations to inform and undertake actions in relation to violation of personal data, and the respondent must be informed immediately and comprehensively about the violation of personal data in case of a hacking attack. GDPR rules apply equally to physical persons and legal entities and to public authorities (state administration bodies and other state bodies, local and regional government units, persons with public authorizations or legal entities performing public service). The regulation does not stipulate separate rules for public administration; however, certain provisions allow for exceptions. For example, GDPR rules do not apply to data processing conducted by the competent authorities for the purpose of prevention, investigation, revealing or prosecuting criminal offenses or the execution of criminal sanctions, including protection against threats to public safety and prevention thereof.

The GDPR implementation law prevented sanctioning of state administration bodies and other state bodies by administrative monetary fines, while imposing of such administrative fines may not jeopardize exercise of public authority or public service by persons with public authority or legal entities performing public service. However, GDPR clearly raised the bar of personal data protection for public administration as well, which has to protect personal data from loss, changes and manipulations. Clear rules have been determined about the purpose and methods necessary to facilitate such protection. Therefore, public administration will inevitably have to invest more effort and funds in the stipulated risk analyses, documenting of proceedings, assessments of effects of data processing and techniques for personal data processing. At the same time, public administration bodies are under obligation to submit evidence to the regulatory bodies that they fulfilled their obligations from the Regulation, as well as under obligation to submit reports in cases of personal data violation. Certainly, each person who sustained material or non-material damage due to personal data violation is entitled to receive compensation of such damages from the controller or the processor, which includes public authorities. Regardless of GDPR, the Criminal Code of the Republic of Croatia stipulates the criminal offense of unauthorized use of personal data, punishable with imprisonment up to one year and, in case this criminal offense was committed by an official in the performance of service or a responsible person while exercising public authority, with imprisonment between six months and five years.

  1. Which actors in the business sector may be identified as ones who really and completely understood what this Regulation brings?

There are certain sectors in the economy that process more personal data than others; for example, marketing agencies, banks, telecoms and internet service providers, online stores, hospitals and private polyclinics are certainly more vulnerable in case of violation of the Regulation than, for example, a purely manufacturing enterprise that processes only the data of its employees. Some enterprises that are more vulnerable in case of violation of GDPR indeed seriously understood the “threat” from these new rules and invested a lot of effort and assets in adjustment of their operations. I am intentionally saying some enterprises, because I daily notice that some, even large enterprises, continue to blatantly violate the Regulation because they failed to implement the harmonization with the Regulation at all or they failed to do it adequately.

  1. Are the citizens, for whose protection of rights this Regulation is actually intended, aware of the means that GDPR bestowed on them? Do they exercise it?

It is precisely the obligation to educate the citizens about their rights that GDPR transfers to those who process their personal data. We are increasingly observing the increase of citizens’ concern about protection of their rights, including protection of personal data. This proves that the level of trust in the power of citizens to protect their rights is increasing and that a critical mass of responsible citizens aware of their rights, without which a responsible civil society or control of functioning of a legal state cannot exist, is slowly forming. Awareness of the value of personal data and the need for their protection in the society is increasingly growing and this Regulation precisely contributes to such development. Of course, there are certain groups that do not consider protection of their personal data as being currently important. We especially see this among the younger population prone to give up on their privacy entirely for the purpose of personalized marketing, for example, or greater popularity on social networks. Citizens’ personal data have long been an important resource in operations of many companies and it is up to each citizen to decide how they will dispose of their personal information and up to the state to enable effective protection thereof.

  1. In this case, it is not only the supervisory body of the Republic of Croatia that may impose sanctions, but they may be imposed also by a supervisory body of any EU member where a company is performing its business activities, or in case of more serious violations, even by the EC directly, like in the recent Facebook case. Do you expect such drastic moves in Croatia?

The Personal Data Protection Agency (AZOP) is now an independent state body; it has far greater competences than prior to adoption of the Law, and we have to wait to see the results of its work. If necessary, supervisory bodies may conduct joint investigations and joint implementation measures with participation of members or staff of supervisory bodies of other member countries. There is a possibility, for example, for members of the Austrian supervisory body to conduct an investigation together with AZOP members on the territory of Croatia and vice versa. Considering that a number of enterprises founded by enterprises from other EU countries are currently operating in Croatia and that stipulated sanctions may amount to up to 4% of a company’s total annual turnover on an international level, it is realistic to expect that investigations and measures imposed against companies in other EU members will affect their affiliated companies in Croatia. However, a reverse scenario is also possible, where supervision of a company in Croatia would result in supervision and sanctioning of affiliated companies in other EU members.