Looking back on the first five months of 2020, three data processing topics in Croatia deserve attention, if for nothing else than their historical value. Data Protection – particularly finalizing the EU’s e-Privacy Regulation – has been identified as among the priorities of the Croatian Presidency of the Council of the European Union. The Croatian Personal Data Protection Agency (AZOP) publicized its first administrative fine against a bank for denying its clients the right of access to their personal data. And, if you were hoping this article would skip the ubiquitous COVID-19, no such luck: data processing issues and guidance amid the pandemic is the winner of our mini chart.
1. Croatian Presidency of the Council of the European Union
This is Croatia’s first time presiding over the Council of the European Union since the country’s accession in July 2013. The motto of the Presidency is “A Strong Europe in a World of Challenges.” No one can deny the abundance of challenges the world has faced so far in 2020. One of the priorities identified by the Croatian Presidency also proved to be a challenge: its e-Privacy Regulation proposal of February 21, 2020, under which the processing of metadata and the collection of information from terminal equipment would be allowed based on legitimate interests rather than consent, raised many eyebrows. The proposal is clearly contrary to the position of the European Data Protection Board (EDPB), as expressed in its May 25, 2018 Statement on the Revision of the ePrivacy Regulation and its Impact on the Protection of Individuals with regard to the Privacy and Confidentiality of their Communications. The EDPB supported an approach based on “broad prohibitions” and “narrow exceptions” and ruled out the option of processing “…electronic communications content and metadata based on open-ended grounds, such as ‘legitimate interests’, that go beyond what is necessary for the provision of an electronic communications service.”
2. First Fine for Data Processing Violations
In March, the AZOP announced on its website that it had imposed the first administrative fine for a GDPR violation in Croatia, against a Zagreb-based bank that had denied its clients access to their personal data in violation of Article 15(3) of the GDPR.
Since October 2018, the AZOP had received frequent complaints from the bank’s clients that they had repeatedly been denied access to requested documentation. The AZOP rendered 34 orders instructing the bank to provide its clients access to their personal data. Apparently, the violation affected more than 2,500 of the bank’s clients.
Under the national GDPR Implementation Act, the AZOP must publish on its website a final and binding decision without anonymizing the perpetrator’s data if the imposed fine amounts to at least HRK 100,000 (approximately EUR 13,195). Since the identity of the bank and the amount of the fine remain undisclosed, we assume the AZOP’s decision has not become final and binding yet. Presumably, the bank has contested it before the competent administrative court.
3. Data Protection amid COVID-19
In view of the anti-pandemic measures imposed by the Civil Protection Headquarters of the Republic of Croatia, the AZOP provided guidance on the GDPR-compliant processing of health-related personal data in the context of the state of emergency caused by the novel coronavirus.
In March, advice on the processing of employee health data by employers was published. At the beginning of May, as the preventive measures were relaxed, the AZOP reflected on the processing of client personal data by service providers where services require physical contact (such as beauticians, hairdressers, and barbers). The AZOP’s recommendations boil down to the importance of (a) abiding by the GDPR’s data processing principles; and (b) determining the proper legal basis for the processing of health-related data under Articles 6 and 9 of the GDPR. Specifically, the AZOP emphasized that often consent will not be a valid legal basis for data processing in the subject-matter context.
In April, with the support of local businesses, the Croatian Government launched a digital assistant based on the WhatsApp Business API, to help educate people about the symptoms of coronavirus infection through assisted self-assessment, direct them to the competent institutions, and report relevant information about their household to facilitate real-time data sourcing for epidemiologists. It was named Andrija, after Professor Andrija Stampar, a distinguished Croatian scholar in the field of epidemiology and preventive medicine, who was one of the founders of the World Health Organization. In May, the Government revived the idea of developing a contact tracing app on iOS and Android platforms. According to recent media publications, the app is intended to be GDPR-compliant and follow EDPB guidelines.
By Olena Manuilenko, Head of IP & TMT, Divjak, Topic Bahtijarevic & Krka
This Article was originally published in Issue 7.5 of the CEE Legal Matters Magazine.