AZOP is Rapidly Preparing for the Implementation of the GDPR Regulation
We continue with our big topic of the GDPR, and the answers on this topic were given by the Director of the Data Protection Agency, Anto Rajkovača. According to him, AZOP will get some new powers as well, and the Agency continuously undertakes a series of measures and actions focused on organizational and personnel staffing and on providing sufficient resources to be ready to carry out all its tasks.
What will happen to AZOP after the GDPR Regulation enters into force?
The General Regulation brings significant changes to the powers and affairs of the national personal data protection bodies. Regarding supervisory bodies such as the Data Protection Agency, the Regulation confirms the obligation of Member States to establish personal data protection bodies that have to act fully independently in the performance of their duties and the exercise of their powers, and the heads of these bodies must be free from external influence, either direct or indirect, in the performance of their duties and in the exercise of their powers under this Regulation, and may not seek or receive instructions from anyone. Regarding the powers of the Agency, it is necessary to point out its power to advise the national parliament, the government and other institutions and bodies on legislative and administrative measures regarding the protection of the rights and freedoms of individuals with regard to the processing of personal data. Similarly, supervisory bodies such as the Agency, on their own initiative or upon request, have the power to issue to the national parliament, the government of the Member State or, in accordance with the law of the Member State, other institutions and bodies, and the public, opinions on any matter relating to the protection of personal data. These powers are of particular importance given that one of the legal bases for processing of personal data is the fulfillment of the legal obligations of the processing manager or the performance of tasks of public interest or official authority, whereby the legal basis of such obligations, tasks or powers must be determined by the law of the Member State. Furthermore, the Regulation clearly prescribes the parameters within which the rights of the respondent may be restricted, whereby it is expressly stated that this is possible through a legal measure.
In view of the above, it is necessary, within the limits set by the Regulation, to confirm all powers of the Agency which are necessary for it to give its opinion on such legislative or administrative measures which prescribe a certain form of processing of personal data. As far as the Collegiate Body at the level of the European Union is concerned, instead of the existing Working Group from Article 29 of the Directive 95/46/EU, the creation of a new body, the European Data Protection Board, is proposed, which would have legal personality, unlike the existing Working Group from Article 29 of the Directive 95/46/EC (WP29). In addition, explicit rules on compulsory mutual assistance are introduced between the authorities responsible for the protection of personal data, and mechanisms are also introduced which prescribe equal treatment in cases involving several Member States, which also determines the way in which cases with international elements are handled. The Regulation also lays down the obligation of the authorities responsible for the protection of personal data to be authorized to impose administrative fines, unless the legal system of the Member State imposes administrative fines (as is the case with Denmark and Estonia). The criteria for determining the punishment as well as the purpose of these penalties have been established. This is an important piece of news in relation to the existing Croatian Personal Data Protection Act, and in that sense appropriate legislative changes will have to be made at national level, in the first instance regarding the procedural provisions, as the substantive provisions provided for by the Regulation cannot be affected.
Is Croatia ready to organizationally start with the implementation of the Regulation? What are the biggest obstacles?
The General Data Protection Regulation is not only a challenge for managers and processors, nor is it just a clearer and greater right for individuals, but it significantly expands the obligations of the Personal Data Protection Agency as a supervisory body. A number of new Agency obligations should be pointed out that derive from the General Data Protection Act, such as participation and ensuring the implementation of joint supervisory operations, handling complaints about personal data violations, participation in the process of prior consultation, evaluation and approval of the code of conduct, development of certification and supervision criteria for compliance with the obligations deriving from the certificate, the imposition of administrative fines and participation in subsequent judicial proceedings by legal remedies. In this regard, the Agency continuously undertakes a series of measures and activities geared towards organization and personnel staffing and to providing sufficient resources to be ready to carry out all its tasks.
What do you think about the EUR 110 million fine imposed by the EC on Facebook for giving false information, during the acquisition, about the possibility of merging Facebook and WhatsApp account personal information? Is the EUR 3 million fine charged to WhatsApp immediately afterwards by the Italian competition authority linked to a privacy violation?
The fine imposed on Facebook by the Commission refers to specific regulations on competition, more specifically the penalty for giving inaccurate and fraudulent information during a merger. On the other hand, the fine imposed by the Italian competition authority, according to the available information, has touch points with the area of personal data protection. Namely, the Italian authorities found that Facebook had led users to think that for future use of its services they had to accept new business conditions governing certain aspects of data processing. As far as the processing of personal data is concerned, in that specific case this is a secondary issue. Namely, in the case of mergers, and before them, in the preparatory actions, especially when conducting due diligence, there is always certain personal data processing. In any case, it is essential that any processing of data, including any transfer of data between different companies, is within the framework and under the conditions prescribed by national and European legislation.
The fact is that, regardless of the specific regulation and the formal explanation, both cases were essentially violations of the right to privacy. The boom of data warehousing, big data processing and profiling of citizens has become unstoppable. Can the regulator put an end to this with a mild approach, or will the GDPR go full force?
As for the approach, the only possible approach is to respect what the EU legislator has written in the General Data Protection Regulation. In this regard, it should be pointed out that the General Data Protection Regulation stipulates that an administrative fine will be imposed together with or in place of other sanctions. It is to be assumed that a large number of violations will end up with the imposition of administrative fines in accordance with Article 83 of that Regulation, unless there are significant mitigating circumstances. Of course, the Agency has focused primarily on its preventive, educational and advisory role in its work so far.
Do the examples of Facebook and WhatsApp show that the EC will directly charge fines if the local bodies don't do it? When a fine must be paid, is it not better for it to go to the Croatian budget than to Brussels? Is there any possibility for the EC to directly charge a fine for the violation of the GDPR provisions, as was the case with the violation of the regulations on the acquisition?
The General Data Protection Regulation does not provide such a possibility to the Commission. In terms of determining the amount of financial administrative penalties, the national authorities are completely independent and their decisions can only be overseen by the competent court. So, in this respect, every administrative penalty imposed by the Croatian supervisory body will be paid into the national budget.
Harmonizing with the GDPR is a big cost to businesses, but the fines do not leave room for choice. What about the state administration bodies? Germany, for example, has provided for imprisonment of up to 3 years in its national implementation. How will our state administration bodies be motivated to protect personal data?
As far as state administration bodies are concerned, each Member State is free to regulate the system of their responsibilities as it wishes. In Croatia, this question is being adequately analyzed, on the one hand to ensure the regular functioning of the central state system, and on the other to ensure that there are adequate measures to be taken against violations of the General Data Protection Regulation and, ultimately, that the state system itself is an example of good practice in personal data protection. In this context, it should be noted that according to the applicable Criminal Code in Croatia, an individual may, irrespective of their position, be criminally liable for the criminal act of unauthorized use of personal data. Thus, if the criminal act is committed by an official or a person performing public authority, a fine of up to five years may be imposed on them.
Is there a possibility for a body of another state or the EC to charge a fine to a body of a state if it violates the GDPR provisions in the protection of their citizens' information, for example to tourist boards or the Ministry of Tourism for violating the rights of German tourists in Croatia?
No, there is no such possibility. Namely, it is clearly defined in the General Data Protection Regulation that if data processing is carried out by public authorities or private bodies with public authority, then a supervisory authority of the Member State concerned has jurisdiction.