AZOP (Croatia) - Decision 14-09-2023: Difference between revisions

From GDPRhub
No edit summary
Tags: Manual revert Reverted Visual edit
Line 7: Line 7:
|DPA_With_Country=AZOP (Croatia)
|DPA_With_Country=AZOP (Croatia)


|Case_Number_Name=Decision 14-9-2023
|Case_Number_Name=/
|ECLI=
|ECLI=


|Original_Source_Name_1=AZOP
|Original_Source_Name_1=AZOP
|Original_Source_Link_1=https://azop.hr/upravne-novcane-kazne-zbog-neovlastene-obrade-osobnih-podataka-putem-kolacica/
|Original_Source_Link_1=https://azop.hr/wp-content/uploads/2023/08/24012022_Otkrivanje-osobnih-podataka-trecoj-osobi.pdf
|Original_Source_Language_1=Croatian
|Original_Source_Language_1=Croatian
|Original_Source_Language__Code_1=HR
|Original_Source_Language__Code_1=HR
Line 19: Line 19:
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=


|Type=Investigation
|Type=Complaint
|Outcome=Violation Found
|Outcome=Rejected
|Date_Started=
|Date_Started=
|Date_Decided=01.09.2023
|Date_Decided=24.01.2022
|Date_Published=14.09.2023
|Date_Published=24.01.2022
|Year=2023
|Year=2022
|Fine=20000
|Fine=
|Currency=EUR
|Currency=


|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_1=Article 4 GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_Link_1=Article 4 GDPR
|GDPR_Article_2=Article 7 GDPR
|GDPR_Article_2=Article 5 GDPR
|GDPR_Article_Link_2=Article 7 GDPR
|GDPR_Article_Link_2=Article 5 GDPR
|GDPR_Article_3=Article 13(1) GDPR
|GDPR_Article_3=Article 6 GDPR
|GDPR_Article_Link_3=Article 13 GDPR#1
|GDPR_Article_Link_3=Article 6 GDPR
|GDPR_Article_4=Article 13(2) GDPR
|GDPR_Article_4=
|GDPR_Article_Link_4=Article 13 GDPR#2
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=ePrivacy Directive
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Name_2=
|EU_Law_Link_2=
|EU_Law_Link_2=
|EU_Law_Name_3=
|EU_Law_Link_3=


|National_Law_Name_1=
|National_Law_Name_1=Postal Service Act
|National_Law_Link_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=


|Party_Name_1=Unknown
|Party_Name_1=Center for Social Welfare
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
Line 62: Line 60:
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Status=Not appealed
|Appeal_To_Link=
|Appeal_To_Link=


Line 69: Line 67:
}}
}}


Croatian personal data protection agency imposed fine to gambling and betting company due to illegal data processing via cookies on its website.
The DPA rejected complaint of the data subject who had stated that his rights were violated because data controller sent compensation via postal service.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Agency imposed administrative fine on data controller (gambling and betting company) in the amount of EUR 20,000.00 due to three identified violations GDPR regarding cookies installation.
The DPA received a request for determination of violation of the right in which data subject states that the Center for Social Welfare brought Decision by which the data subject is recognized with a guaranteed minimum of compensation. In this regard, the data subject points out how his compensation for the September was not paid through a current account, but the employee of the Croatian Post has brought him compensation. On that occasion employee asked him for his ID card.
Therefore, the data subject considers that data controller disclosed his personal data about him as a user of the social benefit without his authorization.


=== Holding ===
=== Holding ===
The data controller collected and processed the data of website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the GDPR.  
The DPA rejected the complaint.  


In the same way, the data controller did not adequately provide information to the data subjects, i.e. voluntarily give and/or withdraw their consent, which violated Article 7. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
It emphasized that the right to protection of personal data is not absolute right, and it should be considered in relation to its function in society and harmonized with other fundamental rights in accordance with the principle of proportionality.
Also, DPA noted that Postal Service Act prescribe the conditions for performance of its services. In connection, GTC of Croatian Post prescribe in article 47 that the sender, receiver or other authorized person proves his identity, between
among other things, with an identity card, and the type and number of the identification document that established the identity
it is entered in the corresponding place of the postal document.


It was established that the data controller did not adequately inform the website visitors about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2.
Namely, in the specific case there was a legitimate purpose and legal basis from Articles 5 and 6 of the GDPR for forwarding certain personal data to Croatian Post.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
 
DPA pointed out that the method of delivery/payment of the user's minimum fee is not in jurisdiction of this Agency, but it is the decision of the data controller himself in accordance with the special regulation.


== Comment ==
== Comment ==
Line 94: Line 97:


<pre>
<pre>
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:
1
 
REPUBLIC OF CROATIA
The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data).
PROTECTION AGENCY
PERSONAL DATA
 
CLASS:
In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
NUMBER:
Zagreb, January 24, 2022.
 
Personal Data Protection Agency, OIB: 28454963989 based on Article 57 paragraph
It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
1 and Article 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data
data and repealing Directive 95/46/EC (hereinafter referred to as the General Protection Regulation
data) SL EU 119, Article 34 of the Law on the Implementation of the General Regulation on Data Protection ("People's
novine" no. 42/18) and Article 96 of the Act on General Administrative Procedure ("Narodne novine" no.
47/09 and 110/21), and regarding the request to determine the violation of the right to the protection of personal data
x yields the following
SOLUTION
Request x to establish a violation of the right to personal data protection is rejected as
ungrounded.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to protection of personal data x (hereinafter: the applicant)
in which he states that the Center for Social Welfare y (hereinafter referred to as the processing manager) brought
Decision, CLASS..., NUMBER: ... by which the applicant is recognized with a guaranteed minimum
compensation and in which it is determined that the same will be paid to the applicant as a beneficiary on a monthly basis,
through the competent center for social welfare to a current account. In this regard, the applicant points out how
his compensation for the month of September was not paid through a current account, but through the company of Croatia
pošte d.d. and points out that an employee of the said company visited him when he arrived at his home
address, asked for an identity card and the signing of the receipt. Therefore, the applicant considers it as it is
the processing manager disclosed personal data about him as a user of the Social Center without authorization
care and society Hrvatska pošta d.d.
2
Along with his request, the applicant submitted the Decision of the Center for Social Welfare y, CLASS:
.., NUMBER: ... from ... year; Decision of the Center for Social Welfare y, CLASS: .., NUMBER: .. of
... years; Complaint sent to the Center for Social Welfare y and the response from the Center for Social Welfare y,
CLASS: .., NUMBER: .... years.
The request is not founded.
First of all, it should be noted that from May 25, 2018, in the Republic of
In Croatia, Regulation (EU) 2016/679 of the European Parliament is directly and bindingly applied
of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on
free movement of such data and repealing Directive 95/46/EC (General
data protection regulation) SL EU L119.
The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a)
lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness,
transparency"); (b) collected for specific, express and lawful purposes and may not be further
process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate,
relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction
amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken
in order to ensure that personal data that are not accurate, taking into account the purposes for which
process, delete or correct without delay ("accuracy"); (e) stored in a form that enables
identification of the respondent only for as long as is necessary for the purposes for which it is personal
data processing ("storage limitation"); (f) processed in the manner in which it is secured
adequate security of personal data, including protection against unauthorized or illegal access
processing and from accidental loss, destruction or damage by applying appropriate technical or
organizational measures ("integrity and confidentiality").
Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful
if and to the extent that at least one of the following is met: (a) the subject has given consent
to process your personal data for one or more specific purposes; (b) processing is necessary for
execution of a contract to which the respondent is a party or to take action upon request
of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations
processing; (d) processing is necessary to protect the key interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task of public interest or in the exercise of official authority
processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party
parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who
require the protection of personal data.
3
Also, it should be emphasized that the right to protection of personal data is not absolute
the law itself must be considered in relation to its function in society and should be harmonized
with other fundamental rights in accordance with the principle of proportionality.
As a separate law, we cite the Postal Services Act ("Narodne novine", number:
144/12, 153/13, 78/15 and 110/19) regulating postal services, prescribe the conditions for
performance of these services and for the provision and financing of universal service, govern the rights,
obligations and responsibilities of providers and users of postal services, conditions of access to the postal network,
issuance of postage stamps of the Republic of Croatia and surcharge stamps is determined by jobs
Croatian regulatory agencies for network activities in the part related to regulatory
tasks in the field of postal services, performing inspection supervision in the field of postal services
services, and regulate other issues related to the performance of postal services.
Also, Article 44 of the aforementioned Act stipulates that the provider of postal services
obliged to adopt general conditions for the performance of postal services in domestic and/or international
traffic. Based on the quoted article, Hrvatska pošta d.d. is on July 1, 2021.
passed the General Terms and Conditions for the provision of universal services, which regulate the manner and conditions
performance of the universal service provided by HP-Hrvatska pošta d.d., delivery deadlines,
method and conditions of payment for postal services, method of marking payment for postal services on
to the postal shipment, the responsibility of HP d.d. and compensation for damage and the submission and settlement procedure
complaints of users of postal services.
In this connection, it is necessary to point out article 47 of the aforementioned General Terms and Conditions, in which
stipulated that the sender, receiver or other authorized person proves his identity, between
among other things, with an identity card, and the type and number of the identification document that established the identity
it is entered in the corresponding place of the postal document.
Furthermore, by looking at the Answer, CLASS: .., CODE: .. from ... which is the Center for
social care y as a processing manager delivered to the applicant, it is clear that the manager
processing, informed the applicant that he had sent the amounts through the mail.
As a result of the above, on the basis of the submitted evidence in this administrative matter it was established
that the Center for Social Welfare, as the processing manager, did not provide personal data for use
of the applicant for this to an unauthorized recipient/third party and in this sense the request
rejects the applicant as unfounded.
Namely, in the specific case there was a legitimate purpose and legal basis from Article 5 i
6. General regulations on data protection for forwarding certain personal data to a third party
(company Hrvatska pošta d.d.), and all so that the applicant could realize the right that belongs to him
in accordance with the adopted Decision, CLASS: .., NUMBER: .. from the year ... or the right to
guaranteed minimum compensation.
4
In this regard, it should be emphasized that in the conducted procedure it was not determined that
personal data of the applicant were forwarded by the processing manager to the company
Hrvatska pošta d.d. to a greater extent than is necessary for the specific purpose of guaranteed delivery
minimum fees and that the applicant has not proven in any way that the information about him is as
to the user of the Center for Social Care, disclosed to a third party without authorization.
Likewise, in the specific case it was established that the company Hrvatska pošta d.d.
during the delivery/payment of the guaranteed minimum compensation, it complied with the prescribed procedures and
in accordance with Article 47 of the General Terms and Conditions for the provision of universal services, identity verification
of the applicant as the payee.
Additionally, and further to the applicant's statement that he is guaranteed a minimum compensation
should have been paid to the current account as determined by the Decision, CLASS: .., NUMBER: ...
from ... year, we point out that the method of delivery/payment of the user's minimum fee is not in
jurisdiction of this Agency, but it is the decision of the processing manager himself in accordance with the special
regulation.
In conclusion, and taking into account all the circumstances of the specific case, there is no evidence that
indicate that the applicant's personal data were processed contrary to the General provisions
regulations on data protection.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court
by the court in Zagreb within 30 days from the date of delivery of the decision.
DEPUTY DIRECTOR
Igor Vulje
Deliver:
1.
2.
3. Stationery, here.
</pre>
</pre>

Revision as of 13:35, 23 October 2023

AZOP - /
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Postal Service Act
Type: Complaint
Outcome: Rejected
Started:
Decided: 24.01.2022
Published: 24.01.2022
Fine: n/a
Parties: Center for Social Welfare
National Case Number/Name: /
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Karlo Paljug

The DPA rejected complaint of the data subject who had stated that his rights were violated because data controller sent compensation via postal service.

English Summary

Facts

The DPA received a request for determination of violation of the right in which data subject states that the Center for Social Welfare brought Decision by which the data subject is recognized with a guaranteed minimum of compensation. In this regard, the data subject points out how his compensation for the September was not paid through a current account, but the employee of the Croatian Post has brought him compensation. On that occasion employee asked him for his ID card. Therefore, the data subject considers that data controller disclosed his personal data about him as a user of the social benefit without his authorization.

Holding

The DPA rejected the complaint.

It emphasized that the right to protection of personal data is not absolute right, and it should be considered in relation to its function in society and harmonized with other fundamental rights in accordance with the principle of proportionality. Also, DPA noted that Postal Service Act prescribe the conditions for performance of its services. In connection, GTC of Croatian Post prescribe in article 47 that the sender, receiver or other authorized person proves his identity, between among other things, with an identity card, and the type and number of the identification document that established the identity it is entered in the corresponding place of the postal document.

Namely, in the specific case there was a legitimate purpose and legal basis from Articles 5 and 6 of the GDPR for forwarding certain personal data to Croatian Post.

DPA pointed out that the method of delivery/payment of the user's minimum fee is not in jurisdiction of this Agency, but it is the decision of the data controller himself in accordance with the special regulation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

1
REPUBLIC OF CROATIA
PROTECTION AGENCY
 PERSONAL DATA
CLASS:
NUMBER:
Zagreb, January 24, 2022.
Personal Data Protection Agency, OIB: 28454963989 based on Article 57 paragraph
1 and Article 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27
2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data
data and repealing Directive 95/46/EC (hereinafter referred to as the General Protection Regulation
data) SL EU 119, Article 34 of the Law on the Implementation of the General Regulation on Data Protection ("People's
novine" no. 42/18) and Article 96 of the Act on General Administrative Procedure ("Narodne novine" no.
47/09 and 110/21), and regarding the request to determine the violation of the right to the protection of personal data
x yields the following
SOLUTION
Request x to establish a violation of the right to personal data protection is rejected as
ungrounded.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to protection of personal data x (hereinafter: the applicant)
in which he states that the Center for Social Welfare y (hereinafter referred to as the processing manager) brought
Decision, CLASS..., NUMBER: ... by which the applicant is recognized with a guaranteed minimum
compensation and in which it is determined that the same will be paid to the applicant as a beneficiary on a monthly basis,
through the competent center for social welfare to a current account. In this regard, the applicant points out how
his compensation for the month of September was not paid through a current account, but through the company of Croatia
pošte d.d. and points out that an employee of the said company visited him when he arrived at his home
address, asked for an identity card and the signing of the receipt. Therefore, the applicant considers it as it is
the processing manager disclosed personal data about him as a user of the Social Center without authorization
care and society Hrvatska pošta d.d.
2
Along with his request, the applicant submitted the Decision of the Center for Social Welfare y, CLASS:
.., NUMBER: ... from ... year; Decision of the Center for Social Welfare y, CLASS: .., NUMBER: .. of
... years; Complaint sent to the Center for Social Welfare y and the response from the Center for Social Welfare y,
CLASS: .., NUMBER: .... years.
The request is not founded.
First of all, it should be noted that from May 25, 2018, in the Republic of
In Croatia, Regulation (EU) 2016/679 of the European Parliament is directly and bindingly applied
of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on
free movement of such data and repealing Directive 95/46/EC (General
data protection regulation) SL EU L119.
The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a)
lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness,
transparency"); (b) collected for specific, express and lawful purposes and may not be further
process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate,
relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction
amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken
in order to ensure that personal data that are not accurate, taking into account the purposes for which
process, delete or correct without delay ("accuracy"); (e) stored in a form that enables
identification of the respondent only for as long as is necessary for the purposes for which it is personal
data processing ("storage limitation"); (f) processed in the manner in which it is secured
adequate security of personal data, including protection against unauthorized or illegal access
processing and from accidental loss, destruction or damage by applying appropriate technical or
organizational measures ("integrity and confidentiality").
Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful
if and to the extent that at least one of the following is met: (a) the subject has given consent
to process your personal data for one or more specific purposes; (b) processing is necessary for
execution of a contract to which the respondent is a party or to take action upon request
of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations
processing; (d) processing is necessary to protect the key interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task of public interest or in the exercise of official authority
processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party
parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who
require the protection of personal data.
3
Also, it should be emphasized that the right to protection of personal data is not absolute
the law itself must be considered in relation to its function in society and should be harmonized
with other fundamental rights in accordance with the principle of proportionality.
As a separate law, we cite the Postal Services Act ("Narodne novine", number:
144/12, 153/13, 78/15 and 110/19) regulating postal services, prescribe the conditions for
performance of these services and for the provision and financing of universal service, govern the rights,
obligations and responsibilities of providers and users of postal services, conditions of access to the postal network,
issuance of postage stamps of the Republic of Croatia and surcharge stamps is determined by jobs
Croatian regulatory agencies for network activities in the part related to regulatory
tasks in the field of postal services, performing inspection supervision in the field of postal services
services, and regulate other issues related to the performance of postal services.
Also, Article 44 of the aforementioned Act stipulates that the provider of postal services
obliged to adopt general conditions for the performance of postal services in domestic and/or international
traffic. Based on the quoted article, Hrvatska pošta d.d. is on July 1, 2021.
passed the General Terms and Conditions for the provision of universal services, which regulate the manner and conditions
performance of the universal service provided by HP-Hrvatska pošta d.d., delivery deadlines,
method and conditions of payment for postal services, method of marking payment for postal services on
to the postal shipment, the responsibility of HP d.d. and compensation for damage and the submission and settlement procedure
complaints of users of postal services.
In this connection, it is necessary to point out article 47 of the aforementioned General Terms and Conditions, in which
stipulated that the sender, receiver or other authorized person proves his identity, between
among other things, with an identity card, and the type and number of the identification document that established the identity
it is entered in the corresponding place of the postal document.
Furthermore, by looking at the Answer, CLASS: .., CODE: .. from ... which is the Center for
social care y as a processing manager delivered to the applicant, it is clear that the manager
processing, informed the applicant that he had sent the amounts through the mail.
As a result of the above, on the basis of the submitted evidence in this administrative matter it was established
that the Center for Social Welfare, as the processing manager, did not provide personal data for use
of the applicant for this to an unauthorized recipient/third party and in this sense the request
rejects the applicant as unfounded.
Namely, in the specific case there was a legitimate purpose and legal basis from Article 5 i
6. General regulations on data protection for forwarding certain personal data to a third party
(company Hrvatska pošta d.d.), and all so that the applicant could realize the right that belongs to him
in accordance with the adopted Decision, CLASS: .., NUMBER: .. from the year ... or the right to
guaranteed minimum compensation.
4
In this regard, it should be emphasized that in the conducted procedure it was not determined that
personal data of the applicant were forwarded by the processing manager to the company
Hrvatska pošta d.d. to a greater extent than is necessary for the specific purpose of guaranteed delivery
minimum fees and that the applicant has not proven in any way that the information about him is as
to the user of the Center for Social Care, disclosed to a third party without authorization.
Likewise, in the specific case it was established that the company Hrvatska pošta d.d.
during the delivery/payment of the guaranteed minimum compensation, it complied with the prescribed procedures and
in accordance with Article 47 of the General Terms and Conditions for the provision of universal services, identity verification
of the applicant as the payee.
Additionally, and further to the applicant's statement that he is guaranteed a minimum compensation
should have been paid to the current account as determined by the Decision, CLASS: .., NUMBER: ...
from ... year, we point out that the method of delivery/payment of the user's minimum fee is not in
jurisdiction of this Agency, but it is the decision of the processing manager himself in accordance with the special
regulation.
In conclusion, and taking into account all the circumstances of the specific case, there is no evidence that
indicate that the applicant's personal data were processed contrary to the General provisions
regulations on data protection.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court
by the court in Zagreb within 30 days from the date of delivery of the decision.
 DEPUTY DIRECTOR
 Igor Vulje
Deliver:
1.
2.
3. Stationery, here.