By implementation of the General Regulation (GDPR), personal data protection has aroused a great deal of interest, whether among privacy professionals, data protection officers or among individuals who are interested in gaining more information about the above mentioned topic.
For those purposes, penalties imposed for breaches of the General Regulation (GDPR) are often monitored and analyzed.
Given a fact that one is presented frequently by the media with information about the imposed fines with high amounts throughout the EU, whose scenarios do not necessarily have to be reflected in the same way on business entities in Croatia, this could provoke unjustified unrestlesness and misunderstanding, which may eventually mislead the business entities.
Namely, the GDPR cannot be considered without observing the regulations of national legislation.
For example, although the Dutch Data Protection Supervisor recently fined the Ministry of Finance € 3.7 million for violating the GDPR, it will not be possible to impose the same fine in Croatia for an identical violation of the GDPR. Namely, the General Regulation takes into account the fact that (Article 83 (7)) each Member State may lay down rules as to whether and to what extent administrative fines may be imposed on public authorities or bodies established in that Member State. The Croatian Act on the Implementation of the General Data Protection Regulation (Article 47) stipulates that in proceedings against public authorities, an administrative fine may not be imposed on a public authority for violations of that Act or the General Regulation.
Another example is the storage period of video surveillance recordings. Namely, our Law on the Implementation of the General Regulation stipulates that video surveillance recordings may be stored for up to six months unless another law prescribes a longer retention period or if the evidence is in court, administrative, arbitration or other equivalent proceedings. In another EU member state, the storage of recordings will be regulated by the national regulations of that EU member state, and deadlines may be set for longer or shorter periods. For this reason, an administrative fine imposed in Croatia for non-compliance with the deadline for storing personal data contained in video surveillance recordings will not be applicable in that Member State.
Therefore, for experts in the field of privacy and personal data protection, in addition to a good knowledge of specific details concerning certain types of business, the specific way in which it operates and the technology it uses, excellent knowledge of the legal system and regular monitoring of regulations is the key factor to avoid wrong instructions and guidelines and, eventually, wrong actions.
In conclusion, every individual should be aware of the fact that the GDPR is indivisible from the national legislative framework and that it cannot be viewed as a so-called “Independent regulation” without observing national regulations and direcly “copy” the penalties and actions of one EU member state to Croatia or other EU member states.
Authors: Ines & Marko Krečak, Feralis Center