Appointment of director of Croatian supervisory authority


As everyone already knows, Article 53(2) of the General Data Protection Regulation prescribes the criteria that the director of a supervisory authority should fulfil. The above provision reads: “Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.”

The General Data Protection Regulation likewise stipulates that the general conditions will be laid down by law in each Member State and that the Member States should provide that the director is to be appointed by means of a transparent procedure, either by the parliament, government, or the head of State of the Member State. Article 8 of the Act on Implementation of the General Data Protection Regulation stipulates the following:

“A person who fulfils the following criteria may be appointed as director or deputy director:


  • Has Croatian citizenship and permanent residence in the territory of the Republic of Croatia;
  • Has completed an undergraduate and graduate university study programme or an integrated undergraduate and graduate study programme or an undergraduate and graduate specialist study programme;
  • Has at least ten years of professional experience in the field;
  • Is a distinguished expert with recognized reputation, expertise and experience in the area of personal data protection;
  • Has not been convicted and there are no pending criminal proceedings initiated against said person, which proceedings are instituted ex officio;
  • Is not a member of any political party.

In the Republic of Croatia, the director of the supervisory authority is appointed by the Parliament. In the case of the current director of the Croatian Personal Data Protection Agency (hereinafter: supervisory authority), the above procedure was followed and the director was appointed following a public debate in the Croatian Parliament. The proposed (and later appointed) director managed to unite the entire opposition in an attempt to prevent said appointment. You may conclude why this was so based on the facts that I will now list.

The incumbent director was born in 1974 and has been active in Croatian politics since 1997. He has been so active in politics that he has so far been a member of 4 (four) political parties. It should be mentioned that he was an active member of all 4 parties and that he has held numerous positions thanks to his party-related activities. All of this would not concern us if it were not for the fact that the public call for appointment of director of the supervisory authority was published in May 2019, and the appointed person responded to it in June 2019. It is a known fact that he had been a member of the then ruling political party, in the best-case scenario, until just before the public call was published. However, since the many requests that were sent to his latest political party in regard to proof of termination of the appointed director’s party membership went unanswered, there is reason to believe that the appointed director was still a member of the political party at the moment of his appointment by the Parliament. However, even if this were not the case, there is reason to doubt his impartiality in his future work since he was appointed as director by the parliamentary majority consisting of the political party of which he was a member (in the best-case scenario) until just before the public call was published.

However, perhaps an even bigger issue concerning the appointed director is the fact that he does not fulfil the second criterion stipulated in the provisions cited above. The director should be “a distinguished expert with recognized reputation, expertise and experience in the area of personal data protection”. The appointed director’s CV contains no references that would explain how he fulfils this criterion.

Before he was appointed as director of the supervisory authority, he served as Assistant Minister in the Ministry of Construction and was in charge of the Directorate for Supervision, Development of Physical Planning Information System and Proceeding with Illegally Built Infrastructure.

Before his appointment as Assistant Minister, he worked in a construction company for maintenance and preserving of public roads, as well as other construction works.

In that company, he performed activities in regard to personnel, as well as general and legal tasks.

He states in his CV that he held the position of authorized person for personal data protection until 2016. He explains that as part of that position, he “supervised the collection, processing and use of employees’ personal data in accordance with legal regulations”. He emphasizes that “no mistakes were made” in that regard during that entire period. Having in mind the above, we conclude that the appointed director gained experience in personal data protection by having been appointed as the authorized person for personal data protection by his employer, a construction company. We have no doubts that the above person gained at least basic knowledge of personal data protection during the performance of such activities, but that still does not prove that he is “a distinguished expert with recognized reputation” in the area of personal data protection. The above cited provisions make it clear that this is one of the stipulated criteria for appointment of director of the supervisory authority.

Since it remains unclear based on the above information how the currently appointed director fulfilled two (essential) criteria for appointment, we can only conclude that the criteria were fulfilled by the director’s “prominent” literary output. The appointed director has authored 3 novels. All three novels are part of a series about the “hero” Borna Vitez, who (according to the author) is meant to be the Croatian version of the popular movie character James Bond. In the hopes that my personal data are being watched over by the Croatian James Bond, I extend my sincere greetings until my next article.


Article provided by: Boris Guljaš (Joint Law Office Guljaš & Lamza, Croatia)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.