Tue, Jul
71 New Articles

Data Protection News and Views from Croatia

Data Protection News and Views from Croatia

Issue 9.11
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

So, what has the Croatian Personal Data Protection Agency (AZOP) been up to lately?

Forewarned Is Forearmed

On November 17, 2022, AZOP publicized its recommendations for Croatian football fans traveling to Qatar for the World Cup.

Do not let your privacy be the least important of the most important things when you travel to spectate the most important of the least important things in life. 

Puns aside, apparently, both official mobile apps that all the fans arriving in Qatar are required to install – the World Cup app (Hayya) and the COVID-19 monitoring app (Ehteraz) – contain spyware. The fans have been warned that both apps can access data on cell phones, track user location, read, alter, or even delete content on/from the phone, and prevent the device from going into sleep mode. 

So, AZOP advises going to Qatar with a so-called burner phone. If you have not heard of burner phones so far, you must have seen them in many crime TV shows. The term is used for cheap empty cell phones often used by criminals to cover up their tracks from the authorities. Isn’t it delightfully bizarre that the authorities advise people on using burner phones?! Strictly for privacy reasons, though.

In a nutshell, if you want to go to the World Cup, buy a cheap cell phone, set a strong password for unlocking your phone, keep the phone as empty as possible, and do not keep photos, videos, or other digital content that do not comply with the legislation of the country you are traveling to (read my lips: Q-A-T-A-R). Install the required official apps only upon arrival in Qatar, use the Internet only if it is a matter of life and death, especially do not use any services that require authentication. As soon as you return back home, delete those apps, reset or, even better, destroy the phone, move to another city, and change your name. This article will self-destruct in two months.

Awareness Is the First Step Toward Change 

In September, AZOP announced the beginning of Project ARC II – Awareness Raising Campaign for SMEs. The project is aimed at helping micro, small, and medium businesses to comply with the GDPR. 

The first project ended in August this year. AZOP held numerous GDPR awareness trainings for SMEs in different industries across Croatia. Several practical guides have been published under the project’s name, including on such topics as cookies, video surveillance (CCTV), data protection impact assessments, cloud services, data transfers, and so on.

The Arc II project partners are Garante Privacy, the Italian data protection authority, the Faculty of Organization and Informatics in Varazdin (University of Zagreb), the Free University of Brussels, and the University of Florence. AZOP acts as the coordinator of the project. 

According to the project’s official website, “the main project goal is the development of the digital tool Olivia with knowledge base integrating all the education materials, templates, FAQs already developed within ARC and SMEDATA I project, all at one place and in one digital tool, available to SMEs to use free of charge.”

Administrative Fines

In July, AZOP publicized two fines for GDPR violations. One amounted to HRK 2.15 million (a bit over EUR 285,000), which is the highest known fine in Croatia so far. Although the publication was “anonymized,” AZOP disclosed it was one of Croatia’s three telecoms and the violations related to a recent data breach. So, it was not too hard to deduce what company was fined for failing to implement proper data security measures. 

The other fine was drastically lower, HRK 30,000 (a little under EUR 4,000). Interestingly, AZOP acted on its own initiative and, without prior notice, performed a supervision at a car sales and service center in Zagreb. The company’s video surveillance practices were found incompliant with Article 27 of the Croatian GDPR Implementation Act. Namely, the business premises and outside area under surveillance were not properly marked. 

By Olena Manuilenko, Head of IP & TMT, Divjak Topic Bahtijarevic & Krka

This article was originally published in Issue 9.11 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here

Our Latest Issue