The Croatian data protection authority (‘AZOP’) announced, on 10 May 2018, that the Act on Implementation of the General Data Protection Regulation (NN 42/2018) had been published in the Official Gazette (‘the Act’), repealing the Personal Data Protection Act of 2003 in order to transpose the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
The Act includes provisions on processing special categories of data and prohibits the processing of genetic data in order to assess the physiology or health of an individual for the purposes of entering into a life insurance contract, even if the individual has consented to the use of their data for such purposes. Furthermore, the processing of biometric data, in general, is only allowed where it is required by law and it is necessary for the protection of persons, property, classified information or trade secrets. However, the Act permits the processing of employees’ biometric data for the purposes of recording working hours and for controlling access to premises where the employees have provided their consent. In addition, the Act sets the age at which information society services may be offered directly to a child at 16.
AZOP is reaffirmed by the Act as the supervisory authority responsible for monitoring and protecting the fundamental rights and freedoms of natural persons in relation to processing, as well as for facilitating the free flow of personal data. In addition to the powers provided under the GDPR, the Act confers additional competencies on AZOP to initiate and participate in court proceedings and out of court procedures; issue criteria for determining the amount of administrative compensation; publish decisions relating to processing operations that may cause high risk to the rights and freedoms of individuals; and monitor the application of the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680).
Moreover, violations of the Act may be sanctioned by AZOP through the imposition of an official decision. In addition to the administrative fines prescribed by the GDPR, the Act sets a fine of up to HRK 50,000 (approx. €6,800) for data controllers or processors who process data via video surveillance without it being necessary or justified, or who fail to notify that premises are under video surveillance.
The Act will enter into force on 25 May 2018.
NIKOS PAPAGEORGIOU | Junior Privacy Analyst