Following the adoption of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („GDPR“) on April 27, 2016, the Croatian GDPR Implementing Act („GDPR Act“) entered into force on May 25, 2018, simultaneously with the start of application of the GDPR.
Specific processing operations
The GDPR Act has made use of a number of the GDPR's opening clauses. Most notably, the GDPR Act has set out further conditions and limitations with regard to the processing of genetic and biometric data based upon Article 9(4) of the GDPR. In this regard, the GDPR Act has essentially introduced a prohibition on the processing of genetic data in the context of life insurance agreements or endowment clauses and has set out specific rules for the processing of biometric data, which apply differently depending on whether the biometric data is processed by public or private sector entities. Furthermore, the GDPR Act has introduced specific conditions for the processing of biometric data in the context of employment.
The GDPR Act also sets out detailed conditions applicable to the processing of personal data by means of video surveillance, including rules governing specific types of surveillance, notably of residential buildings, working premises, and public areas. Following the start of application of the GDPR and the GDPR Act, the Croatian Personal Data Protection Agency („DPA“) issued several opinions dealing with video surveillance. In these opinions, the DPA clarified the distinction between video surveillance and live streaming in public areas where the data does not form part of a filing system, as well as the transparency requirements related to video surveillance in residential buildings.
Data Protection Impact Assessment (DPIA)
As required by Article 35(4) of the GDPR, in December 2018 the DPA adopted a resolution on the list of kinds of processing operations that are subject to the DPIA requirement under Article 35(1) of the GDPR. The list published by the DPA essentially follows the principles set out in the Article 29 Working Party Guidelines on Data Protection Impact Assessment by specifying 13 kinds of processing operations that require a DPIA (in addition to the activities that require a DPIA under the GDPR), including systematic and large-scale profiling, processing of sensitive data, use of new technologies, processing of data on criminal convictions and offences, processing of geolocation data, etc.
Enforcement activities of the DPA
Based on the publicly available decisions of the DPA, no administrative fines for violations of either the GDPR or the GDPR Act had been imposed in Croatia by 31 December 2019. Instead, the DPA has exercised its other corrective powers under Article 58 of the GDPR in cases where it established that the processing operations concerned infringed the provisions of the GDPR and the GDPR Act. In addition, following the start of application of the GDPR and the GDPR Act, the DPA has published a number of opinions dealing with specific processing operations in different sectors, including banking and anti-money laundering activities, debt collection activities, processing operations in an employment context and other areas.
Based on the European Data Protection Board's Information Note on data transfers under the GDPR in the event of a no-deal Brexit, the DPA has published a note on post-Brexit data transfers from Croatia to the UK in the event of a no-deal Brexit. Considering that in a no-deal Brexit scenario the UK would become a third country within the meaning of the GDPR, any data transfers from Croatia to the UK would have to be based on standard contractual clauses, binding corporate rules, approved codes of conduct or certification mechanisms, or on specific derogations, which should be interpreted restrictively.
By Marija Gregoric, Partner, and Lovro Klepac, Associate, Babic & Partners Law Firm