Welcome to Croatian version of GDPR - Introduction
Firstly, I must point out two characteristics inherent in us Croatians when it comes to doing business. This is not so evident in the private sector, but when it comes to the government and government institutions, unfortunately this is something that pops up everywhere you look. The first characteristic is one that is best explained with a saying often heard from the mouths of people from Croatia – “Croatians are greater Catholics than the Pope”. My apologies to readers who are not of this religious denomination, but there is just no better way of portraying this worldview than by quoting this saying. As I have also heard this said in other contexts, outside Croatia (with reference to other nations), I guess it is not only attributed to Croatians and their own self-criticism, but to other peoples as well.
Another trait of ours is the unfortunate habit of doing everything last minute. At writing this sentence, I cannot help but laugh, as it has occurred to me that I am myself writing this article in the exact same circumstances. This trait will become evident in the main features of the Annual Reports on Activities Performed by the Croatian Personal Data Protection Agency (“Agency”). According to the Act on Implementation of the General Data Protection Regulation, this Agency is the supervisory authority competent for implementation of the Act, i.e. implementation of the GDPR.
Considering that this is my first article, I should point out that in my practice as an attorney so far, I have been focused only on commercial law, company law and labour law. In the context of my clients’ employment relations, personal data protection was an issue that needed to be considered even before the entering into effect of the GDPR. This was because there had already been an Act on Personal Data Protection in force in the Republic of Croatia, which came into effect on 3 July 2003 and had several subsequent amendments (in 2006, 2008, 2011 and 2012). That Act on Personal Data Protection was nowhere near as detailed or complex as the GDPR. It should be noted also that the fines that the Act prescribed ranged from a minimum of HRK 20,000.00 to a maximum of HRK 40,000.00. It is important to point out that mandatory penalties are quite often imposed in Croatia, on which occasions the misdemeanour court judge has the power to mitigate a legally prescribed penalty so that it amounts to only one third of the legally prescribed minimum, if the judge finds that there were some mitigating circumstances. Unfortunately (or luckily to some), courts are often inclined to apply such mitigated penalties, “taking pity” on the defendants due to their submitted leniency-seeking defence. In such cases, mandatory fine for a misdemeanour under the Act on Personal Data Protection would amount to HRK 6,666.66. However, it should be taken into consideration that misdemeanour courts vested with the power to impose these penalties have greatly lacked proper knowledge in personal data protection and had no resources to perform expert examinations (mostly IT analyses), which are required to be able to determine all the facts necessary for a court to find that there has been a violation of the Act on Personal Data Protection and to identify persons responsible for such violation.
Now that I am writing this I cannot help remembering the hysteria that existed in Croatia (and probably elsewhere in Europe, to a larger or smaller extent) when the GDPR compliance deadline was getting nearer and nearer. This hysteria was caused by fear of penalization for violating the GDPR because the fines that the GDPR brought were extraordinarily high (for Croatian standard). Another reason was the complexity of the Regulation and the fact that an average Croatian person had never before had contact with a piece of European legislation, owing to the fact that Croatia is the youngest EU member. When I say contact, I mean the actual act of reading a piece of legislation (regulation, directive or other) because people in Croatia had dealt with EU law primarily through national legislation implementing EU law. This was really the first time that somebody whose normal course of work did not involve reading European legislation found themselves reading through an EU regulation. The vast majority (or should I say - all) of those average citizens were in awe at the detailed nature and the form of this Regulation (because national acts and subordinate legislation do not have the same form as the Regulation). This only exacerbated the hysteria. On top of everything, this situation was exploited by numerous quasi-experts in personal data protection. Amongst us lawyers there were stories circling for months about many people who were opening law firms specializing in personal data protection, with new ones popping up practically every week or month. The problem was that people who were starting these firms were individuals from all walks of life who not only lacked proper legal or IT qualifications, but had probably never heard about personal data protection until they heard people talk about it in the daily news on public television, and probably no sooner than on the day when the GDPR came into effect. At the moment, more than a year after the event, the hysteria has died down and there is no more talk of it (except among persons who actually deal with personal data protection). This is probably for the best.
In the text that follows, I will present some of the more important characteristics of the personal data protection system in Croatia, which are best reflected in the Agency’s Annual Reports.
Below are some of the tasks and powers vested in the Agency.
The Agency monitors and supervises:
- Compliance with and implementation of the Act on Implementation of the General Personal Data Protection Regulation;
- Compliance with and implementation of requirements and provisions of the GDPR;
- Agency issues decisions and expert opinions pertaining to types of processing that are likely to result in a high risk to the rights and freedoms of individuals;
- Publishes its decisions and opinions (when these decisions and opinions are publicly posted on the website, they are anonymized or pseudonymized);
- Issues decisions on imposed measures, which decisions cannot be appealed against but an administrative dispute can be initiated;
- Performs inspection supervision after its decisions become final;
- Notifies competent judicial bodies of any violations of the Act;
- Instigates and handles proceedings against persons responsible for violating the Act or the GDPR;
- Suspends administrative procedures and forwards them to the High Administrative Court of the Republic of Croatia in cases where the Agency doubts the validity of a Commission Implementing Decision with regard to adequacy and standard contractual clauses;
- Has the power to impose administrative fines and measures.
In 2017, there were a total of 1374 applications to the Agency where protection of rights was sought in connection with personal data protection violation, including citizens’ applications seeking provision of legal opinions and answers to queries. Of this, 139 were administrative procedures, 385 were petitions, 841 were legal opinions and 9 were answers to queries.
Of the 139 administrative procedures, 136 applications were processed, of which 71 were accepted, 6 were partly accepted, 43 were denied, 6 were suspended and 10 were resolved ex officio.
The largest number of applications that were resolved to the benefit of the applicant pertained to:
- Procedures involving personal data processing by video surveillance systems,
- Procedures involving personal data processing for the purpose of concluding subscription contracts with telecommunication service providers,
- Procedures involving processing of employees’ personal data by employers or former employers,
- Personal data processing in tendering procedures.
After the Agency issued 136 decisions, there were 13 administrative disputes instigated by dissatisfied applicants.
Budget for 2017, following rebalance, amounted to HRK 6,368,446.00.
Number of employees in 2017 was 26, of whom 22 were holders of a university degree.
In 2018, the Agency received 3829 applications with regard to personal data protection. This was a 17% increase in comparison with 2017.
Out of that number, there were 356 complaints/applications seeking determination of violation of rights, and 3464 cases of legal opinions/queries.
The largest number of queries were made about the following areas:
- Public administration;
- Employment relations;
- Video surveillance ;
- GDPR application.
There were 133 decisions issued, of which 126 were issued in response to a complaint or application, and 7 were issued ex officio.
With regard to the Agency’s supervision activities, there were a total of 1515 activities performed, of which 150 were performed at the request of data subjects, 7 at the request of third parties, and 1358 were performed ex officio. This represents an increase by 157 supervision activities in comparison with 2017, with the number of supervision activities requested by data subjects dropping and the number of activities performed ex officio increasing (by 206).
Out of the 356 complaints, 133 were resolved. The number of complaints increased by 176%.
This involved 43 decisions accepting the application, 10 decisions partly accepting the application, 61 decisions denying the application, 9 decisions suspending the application and 1 decision dismissing the application.
The largest number of applications that were accepted pertained to personal data processing for the purpose of concluding subscription contracts with telecommunication service providers and personal data processing by video surveillance systems.
In this reporting period, out of the total of 133 decisions issued by the Agency, 18 of them were followed by administrative disputes instigated by dissatisfied applicants. Decisions followed by administrative disputes accounted for 13.5 % of the total number of issued decisions.
Overall in 2018, the Agency had 54% more employees than in 2017.
In the second half of 2018 the plan to hire experts, mostly specializing in law and in information security and IT, was realized. In 2018, in comparison with 2017, in the employee structure of the Agency the number of legal professionals increased from 11 (in 2017) to 21 (in 2018), which represents a 91% increase in the number of staff with legal qualifications. Percentage share of employees with specific qualifications in information security, IT and technology increased by 50 percent in comparison with the previous year.
This has resulted in 82% of the Agency’s employees being individuals with university qualifications.
Budget approved for the Agency for 2018 amounted to HRK 6,570,802.00.
All of the above goes to show that one of our nation’s characteristics I mentioned earlier, specifically that Croatians do everything last minute, is really true. GDPR entered into effect on 25 May 2018, and, as evident from the above information, the only entity responsible for personal data protection did not start hiring additional experts until several months after the event which was such an important one. In the context of personal data protection, this event may not be tantamount to, say, Gutenberg’s invention of the printing press or to the invention of the internet, but is definitely tantamount to the invention of cloud technology, for instance. Even more ironically, this was an event in the preparation of which Croatia participated, and was represented by persons none other than Agency staff).
In the next article I will try to explain the basic differences between the previous personal data protection system in the Republic of Croatia and the current one, which is regulated primarily by the GDPR.
Article provided by: Boris Guljaš (Boris Guljaš I Ranko Lamza, Croatia)