GDPR news from Croatia at the beginning of 2020

03.02.2020

The topic discussed here is the difference between personal data protection before the GDPR entered into effect and the current data protection legislation.

The most important Facts

"I am not familiar with data protection systems in all EU countries, but I presume that most of them adopted special acts to facilitate the implementation of the GDPR." - Boris Guljaš

This is what Croatia did. In the previous article I mentioned that personal data protection system used to be regulated by the Personal Data Protection Act (hereinafter: PDPA). It was adopted in 2003 and amended in 2006, 2008 and 2011.

On 9 May 2018, the Official Gazette of the Republic of Croatia published the Act on Implementation of the General Data Protection Regulation (hereinafter: GDPR IA). It was precisely by virtue of this Implementation Act that the Republic of Croatia regulated all the areas that it was allowed to regulate independently according to the GDPR.

The essential difference between these two acts, apart from the fact that the majority of personal data protection issues is now regulated through a separate piece of legislation (the GDPR), is the following:

The previous PDPA specified that the Personal Data Protection Agency (hereinafter: Agency), following a supervision inspection during the course ofwhich it found certain irregularities, may issue an administrative act instructing, for instance:

  • that such irregularities be eliminated within a specified time
  • that personal data protection collected without proper legal grounds be deleted.

Where an administrative decision issued by the Agency imposed any (or all) of the above-mentioned measures, the person to whom the decision pertained had the possibility to challenge the decision before an Administrative Court. Moreover, the Agency could not issue a decision (or any other type of document) that would impose payment of a fine for any of the irregularities identified. In events when the Agency found that an offence had been committed, it had a duty to submit an Information to the Misdemeanour Court of local jurisdiction. Under the PDPA, only a Misdemeanour Court could issue Judgments imposing the payment of a fine to the offender. Naturally, the offender had the right to appeal against the Judgment so received, upon which the matter would have been referred to the High Misdemeanour Court of the Republic of Croatia for final judgment.

As regards the currently applicable GDPR IA, the situation is significantly different. The GDPR IA granted the power to the Agency (among other powers) to impose fines in cases where it finds that an offence has been committed. The document imposing such fine has the power of an administrative act. Such an act may not be appealed against but the instigation of an administrative procedure is allowed.

Is this a great difference or not? It actually is, particularly owing to the fact that under the old PDPA, after the submission of an Information before a Misdemeanour Court of local jurisdiction, the Agency acted as the plaintiff in the proceedings, and based on the principles applying at the time when the PDPA was in effect, which in fact still apply, the burden of proof before the court lay on the plaintiff. Consequently, this meant that the Agency had to prove to the court that the offence actually existed.

The present situation is significantly different.  If the Agency issues an administrative decision imposing upon the offender an obligation to pay a fine, as explained above, the offender does not have the right to appeal against such decision. The only remedy is to instigate an administrative dispute before a competent Administrative Court.  That type of procedure begins with filing an Administrative Complaint. Hence, the offender himself would be the plaintiff in that case. As a result,  the burden of proof of the allegations made would lie on the plaintiff, i.e. the offender in such case. As you can see, this is an essential difference, one that may in some cases completely change the outcome of the proceedings (payment or no payment of fine) in the context of identical state of facts and evidence presented in the process.

In my opinion, there is one other very important difference in the personal data protection system (between the PDPA and the GDPR IA), one that arises from the following Articles:

Article 3 of the PDPA, which reads:

Article 3

Provisions of this Act apply to personal data processing by government bodies, local and regional self-government bodies, legal and natural persons, branch offices and subsidiaries of foreign legal persons and representatives of foreign legal and natural persons who process personal data.

Article 44 of the GDPR IA, which reads:

Article 44

2) Where an administrative fine is imposed on a legal person with public authority or on a legal person holding a public office, the pronounced fine must not threaten the performance of such public authority or public office.”

and what may be the most important article:

Article 47 of the GDPR IA, which reads:

Article 47

Without prejudice to the exercise of the Agency’s powers under the provision of Article 58 of the General Data Protection Regulation, in proceedings against a public authority, such public authority may not be imposed an administrative fine for violating the provisions of this Act or the General Data Protection Regulation.“ 

As you can see for yourself, under the “old” personal data protection law, any natural or legal person could be fined for an offence, including all legal persons that are part of the public sector. This is no longer the case. I honestly doubt that, when it adopted the GDPR, the European Parliament considered the fact that an EU member state might adopt an act restricting the sanctioning of GDPR offences only to offenders from the private sector, with the public sector being excluded from any such sanctions. Naturally, a public sector offender may be prohibited to continue with any actions that have been found to represent an offence, but knowing the mentality of Croatian nationals (which I believe I do) and being familiar with the way the public sector functions, nothing can be achieved without imposing fines. 
Whether this situation is in compliance with the EU acquis, the spirit of the General Data Protection Regulation and ultimately with the Constitution of the Republic of Croatia, is an issue that I leave to the reader’s own judgment.

 

Article provided by: Boris Guljaš (Boris Guljaš I Ranko Lamza, Croatia)

 

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.