5 years of the GDPR – is Croatia finally making its first steps towards effective implementation?

The GDPR recently celebrated 5 years of its existence. And while many European countries are busy shaping the standards of data protection, this is far from a universal phenomenon. True, it may be hard to discuss matters such as data protection when Croatia still holds 57th place in the global corruption ranking and is above average when it comes to unemployment and inflation. However, this cannot justify the Croatian Agency for the Protection of Personal Data (AZOP) making the issues worse.

So where does one start the analysis? Maybe from the fact that up until very recently the website of the Agency itself was not GDPR compliant? Namely, when accessing the website, users were informed that the website uses technically necessary cookies. They then had a single option: clicking the big red button ‘I understand’. A short scan of the website using Webbkoll, on the other hand, identified 5 requests to third parties, three of those to Google. This means that data was leaking from the Agency’s website without the users being informed of the fact, let alone consenting to it. Although the website is now updated and seems compliant, this alone should be enough to question the competence of an Agency tasked with protecting the data of Croatian citizens.

However, one may argue that the work of the Agency is more important. But there as well, one is to find little consolation. For instance, GDPRHub identified only 22 decisions made by the Agency since the GDPR came into force, while the Croatian portal Ius-Info counted at least 32 decisions. Then again, maybe this comes as no surprise since, according to its reports to the Croatian Parliament, the Agency receives only around 100 incident reports yearly. Maybe it is in fact the citizens that do not complain enough? Just one look at the blog posts of one consumer will, however, paint a different and again rather depressing picture. In her posts the author writes of unsuccessful reports to the Agency, as well as the complete unprofessionalism of its employees.[1] So it appears that even when citizens try to complain, they are being silenced before making it to the annual report. The last nail in the coffin comes, however, when reading the decisions, with cases ranging from the ridiculous to the blatantly wrong. They start with Raiffeisen Bank, fined by AZOP for demanding a 197HRK (30€) fee to send documentation regarding a loan. Following the decision, the bank publicly announced that it would continue with the practice, as it is its right to do so. No further discussion on the matter can be found online. They continue with the AI virtual assistant of the Croatian Government, Andrija, which came with no privacy policy.[2] And they culminate in decisions such as the one regarding a photo of a person posted online, despite the person objecting to this via email. The Agency concluded that the photo in question wasn’t personal data at all, as the person was unrecognizable to an ‘average person’. And so, it appears that while the rest of the EU is setting ever higher standards for anonymization and for falling outside the scope of the GDPR, as well as upholding high standards for consent, in Croatia all it takes is a jacket and a medical mask and the photo is fully anonymous, whereas consent is a matter of accidentally stepping into the picture frame.

All of this, of course, didn’t appear out of thin air. The Agency was already called out on numerous occasions by, for instance, Politiscope. In an analysis of the Agency’s work from 2021, they criticized the procedure through which the current president of the Agency was appointed. The president, besides being in a conflict of interest, apparently also had no qualification for his position, which can be confirmed by glancing at his CV (conveniently published online). Furthermore, the organization pointed to a severe shortage of technology experts at the Agency, which may, however, explain why up until recently its website was not GDPR compliant. Finally, when only one law faculty in the country even offers courses on the GDPR, not much else can be expected. If law graduates have to pay to learn the basics of the GDPR, how can the country have a functioning Agency or citizens aware of their rights? But not all is lost, and one has to count the blessings too. At least now the website is GDPR compliant, there is more enforcement against violations, and the Agency regularly publishes guidelines and educational materials to help instigate effective implementation. Moreover, companies have finally started hiring privacy professionals, and we are all starting to discuss that this may actually be important. Maybe there is hope after all.

[1] https://iskustvapotrosaca.com/agencija-za-zastitu-osobnih-podataka-azop/, https://iskustvapotrosaca.com/ministarstvo-pravosuda-i-uprave/

[2] Sadly, Andrija is now unavailable and its previous website hosts a health advice portal.


About the author


Tea Mustać

Tea Mustać is an associate at Spirit Legal in Leipzig.