Starting May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect. Although it will apply directly in all EU Member States, Member States have the option to add further rules for certain specific situations. This article sets out a brief overview of the key provisions of the draft of the relevant Croatian law, which is before the Croatian Parliament at the time of writing.
Genetic Data: Processing genetic data in order to calculate the likelihood of disease and other health aspects of the data subject for the purpose of entering into or implementing life insurance agreements and agreements with a survivorship clause is prohibited. This prohibition applies when data subjects enter into such agreements in Croatia if the controller has a permanent establishment or provides services in Croatia. The consent of the data subject cannot override this prohibition.
Biometric Data: Specific rules on biometric data apply to data subjects in Croatia when the processing is carried out by controllers having a permanent establishment or providing services in Croatia, or when the processing is carried out by public authorities. Private-sector controllers may process biometric data if the law prescribes it, or if it is necessary for the protection of persons, property, classified information, or business secrets. Processing may also be carried out to identify a service user, in which case the explicit consent of the data subject must be obtained. In any case, it is important that the interests of data subjects not be overridden by the need for processing (i.e., data subjects’ interests should be protected to a sufficient extent and balanced with the legitimate interest of the controller who processes biometric data in accordance with the law).
Special rules are prescribed for the processing of biometric data of employees. Processing may be permitted to record working hours and entry and exit from work premises, but it must be either prescribed by law or carried out as an alternative to another solution. In the latter case, explicit consent of the employee must be obtained.
The law explicitly states that these provisions do not affect the provisions of the GDPR regulating the data protection impact assessment (DPIA), meaning that the DPIA may still be necessary.
Video Surveillance: Processing data through video surveillance is allowed if necessary and justified for the protection of persons and property, under the condition that the interests of data subjects are not overridden (i.e., that data subjects’ interests are protected to a sufficient extent and balanced with the legitimate interest of the controller who uses video surveillance in accordance with the law).
The surveillance must be limited to those premises and areas, or parts thereof, which need to be monitored to achieve its purposes.
In case of recordings of video surveillance of work premises, additional requirements need to be met: the recording must be in line with occupational safety regulations, employees must be individually notified about the recording, and relevant information must be given to them before the employer decides to employ the video surveillance. In any case, it is prohibited to record video of work premises used for rest, changing clothes, or personal hygiene. There is a separate set of rules for recording residential buildings and public areas as well.
Video surveillance imposes additional obligations on controllers and processors, including the obligation to visibly mark that a certain object or area is under video surveillance and to provide other necessary information to data subjects through such notice. Another obligation is to establish an automated system to record all access to recordings. Controllers and processors that do not fulfill these two obligations may be fined up to HRK 50,000 (approximately EUR 6,750).
The recordings may only be accessed by the responsible person of the controller or processor, or another person authorized by the responsible person, and only for purposes such as the protection of persons and property. In cases of unauthorized use, the responsible and authorized persons may be fined up to HRK 50,000 (approximately EUR 6,750).
Sanctions and Other Provisions: Companies should bear in mind that a final decision about a data protection breach may be published in a non-anonymized form in many cases (especially for repeated offenses or where the fine exceeds HRK 100,000, approximately EUR 13,500).
It is interesting to note that, apart from the monetary fines related to video surveillance, the law does not prescribe specific fines that can be imposed on responsible persons of the controllers or processors. Such specific fines were initially envisaged by the law, but those provisions were removed from the final draft.
Apart from a few additional specific provisions (e.g. provisions regulating processing of data for statistical purposes carried out by official authorities), further provisions of the new law mostly relate to the functioning and operations of the Croatian Data Protection Agency.
By Marija Zrno, Attorney-at-Law, Gregor Famira, Partner, CMS
This article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.