
AZOP (Croatia) - UP/I-034-01/24-01/30

From GDPRhub
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5 GDPR, Article 6 GDPR, Article 12 GDPR, Article 14 GDPR, Article 30 GDPR, Article 38 GDPR
Type: Complaint
Outcome: Upheld
Started: 01.09.2023
Decided: 19.12.2024
Published: 23.04.2025
Fine: 40,000 EUR
Parties: n/a
National Case Number/Name: UP/I-034-01/24-01/30
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: cwa

The DPA fined a business information publisher €40,000, holding that it erred in not treating information about sole proprietors (craft owners) as personal data, and found several further GDPR violations concerning transparency, records of processing and the appointment of the DPO.

English Summary

Facts

A business (the controller) published information about business entities on its website. Visitors could perform three free searches per IP address, after which further access was blocked unless the user held a paid annual subscription. The published information included the names, residential addresses and tax identification numbers (OIB) of sole proprietors (craft owners).

A number of these sole proprietors filed complaints with the Croatian DPA, which opened an investigation in September 2023, including an unannounced review of the website and on-site supervision at the controller's premises.

During the investigation it emerged that the director of the company had also been appointed as its DPO, and that the privacy policy shown to the inspectors differed from the one the DPA had recorded on the website before announcing the supervision.

The controller claimed that its primary business activity is the provision of basic and financial data on business entities to other business entities, and that most of the information it sells comes from public sources (public registers, court e-bulletin boards, telephone directories), with financial data supplied by FINA, the Croatian Financial Agency, under contract. The controller argued that data relating to sole proprietors is business data rather than personal data and, in any event, that it has a legitimate interest in publishing this data because it allows customers to perform due diligence on potential business partners.

Holding

The DPA first noted that the controller erred in claiming that it did not process personal data: the name, address and OIB of an individual craft owner are information relating to an identifiable natural person and therefore constitute personal data under Article 4(1) GDPR, so the processing requires a legal basis under Article 6 GDPR.

The DPA found that the controller had inadequately balanced the competing interests in its legitimate interest assessment and had failed to take account of the proportionality of the processing, in particular the indefinite retention and continued publication of data on crafts after their deletion from the crafts register. The processing therefore violated Article 6(1)(f) in conjunction with Article 5(1)(a) and (e) GDPR.

When examining the privacy policy, the DPA noted that it repeated the erroneous distinction between business and personal data, did not specify the lawful basis relied upon, and contained only a non-exhaustive list of the personal data being processed; it also gave no retention periods. The DPA accordingly found that the controller had infringed its obligations under Articles 12 and 14 GDPR to inform data subjects, in a transparent manner, where their data had not been obtained from them directly. The DPA also found that the records of processing activities maintained by the controller were inadequate, in violation of Article 30 GDPR.

Finally, the DPA found that the appointment of the director as DPO created a conflict of interest, so the controller had infringed Article 38(3) and (6) GDPR.

In determining the sanction, the DPA took into account the high degree of negligence on the part of the controller and imposed a fine of €40,000 for the violation of Article 6(1)(f) in conjunction with Article 5(1)(a) and (e) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

(567-UP/I-034-01/24-01/30-1AO)

P/224713

REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY

CLASS: UP/I-034-01/24-01/30
REG. NUMBER: 567-05-01/01-24-1
Zagreb, 19.12.2024.

The Personal Data Protection Agency, OIB: 28454963989, pursuant to Article 57(1) and Article 58(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union L 119, acting ex officio against the controller, the company _ d.o.o., represented by the director _, issues the following

DECISION

1. It is established that the company _, as the controller, processes personal data in violation of the provisions of Article 6(1)(f), in conjunction with Article 5(1)(a) and (e), of the General Data Protection Regulation.

2. It is established that the company _, as the controller, did not provide transparent information to data subjects with regard to the processing of their personal data, and thereby did not ensure compliance with the requirements of Articles 12 and 14 of the General Data Protection Regulation.

3. It is established that the company _, as the controller, keeps records of the processing activities for which it is responsible which are not in accordance with the provisions of Article 30 of the General Data Protection Regulation.

4. It is established that the company _, as the controller, has appointed a data protection officer of the company in violation of the provisions of Article 38(3) and (6) of the General Data Protection Regulation.

5. For the violation established in point 1 of the operative part of this decision, in accordance with the provisions of Article 58(2)(i) of the General Data Protection Regulation, the company is imposed an administrative fine in the amount of:

40,000.00 Euros

(in words: forty thousand Euros)

6. The company is obliged to pay the imposed administrative fine to the state budget within 15 days from the date of entry into force of this decision to the account number HR1210010051863000160, model HR64, reference number 6092-25860-93441573210, with the indication "administrative fines imposed by AZOP".

7. If the company _ does not pay the imposed administrative fine within 15 days from the entry into force of this decision, the Agency shall, in accordance with Article 46(2) of the Act on the Implementation of the General Data Protection Regulation, notify the Regional Office of the Tax Administration of the Ministry of Finance in whose territory the registered office of the said company is located, in order to collect the administrative fine by enforcement in accordance with the regulations on forced tax collection.

8. The company _ is obliged, within 15 days from the payment made, to submit proof of payment for inspection to this Agency.

Reasoning

I. DETERMINATION OF VIOLATION

The Personal Data Protection Agency (hereinafter referred to as: the Agency) has received several submissions from citizens, mainly natural persons who are owners of crafts, stating that the controller, the company _, has violated the provisions of the General Data Protection Regulation by publicly publishing their personal data on the controller's website.

Based on the allegations and information received, the Agency conducted indirect supervisory checks and a targeted search of the website of the company _ on 15 September 2023, about which an official note was drawn up, which forms an integral part of the file.

A review of the aforementioned website of the company _ found, among other things, documents entitled "Privacy Statement", "Terms of Use" and "Cookies", and documents, i.e. contracts, that the company concluded with the Financial Agency (FINA) in the period from 2016 to 2023.

Accordingly, the Agency, in accordance with Article 36 of the Act on the Implementation of the General Data Protection Regulation (Official Gazette, No. 42/2018), by letter CLASS: 042-03/23-01/77, NUMBER: 567-12/09-23-04, dated 20 September 2023, announced the implementation of supervision regarding the collection and processing of personal data by the company _ for 22 September 2023, starting at around 10 am at the premises of the controller in question at the address _.

The controller was requested to prepare for the Agency's authorized officials all information and all relevant documentation necessary for the implementation of the supervision, especially in the part related to the purpose and legal basis for the processing of personal data, the manner of informing the data subjects in accordance with the provisions of Articles 12, 13 and 14 of the General Data Protection Regulation, and the regulation of the storage (deletion) periods of the data. It was also requested to prepare internal documents relating to the processing of personal data and the obligations of employees, especially regarding organizational, technical and security measures for the protection of personal data, as well as any documentation relating to a processor if engaged, records of processing activities, records of complaints received from data subjects, records of recorded personal data breaches and other relevant documentation relating to the processing of personal data. The Agency emphasized that if the controller is represented by an attorney in the announced supervision, the attorney is required to submit proof of authority to represent the controller to the authorized officers of the Agency before the start of the supervision. At the same time, if it were necessary to carry out the supervisory activity at another business location due to the purposefulness and availability of the requested data, the controller was requested to notify the Agency promptly and to ensure the presence of an administrator in order to enable access to the personal data contained in the controller's storage system.

On 21 September 2023, the Agency received an email from _, requesting, as stated, "another date" or to be called by phone "to arrange when we could have a meeting", the reason given being that it was not possible to travel to Zagreb the next day.

Considering that _ did not present herself in the aforementioned email as an authorized representative of the company _ d.o.o., nor is she listed in the court register as a person authorized to represent the controller in question, and considering that she mentions in her email a request for a meeting, the representatives of the Agency began conducting supervision on 22 September 2023, of which a record was drawn up, which forms an integral part of the file.

Ms. _ participated as a representative of the company _; she introduced herself as a manager in the company and was handed the order to carry out the supervision, which she accepted but refused to confirm receipt of with her signature. Ms. _ stated that she was unable to provide information regarding the processing of personal data within the company, since this is the responsibility of Mr. _, the company's director, and of Ms. _, both of whom were abroad at the time. The authorized officers of the Agency warned Ms. _ that the controller is obliged to provide the supervisory authority with all information regarding the processing of personal data and to provide access to it; however, she reiterated that she was unable to comply with the request and directed the Agency's representatives to contact Mr. _.

Subsequently, on 4 October 2023 at the address _, representatives of the Agency conducted supervision of the data processing of the company _ at its head office, on which a Record of the supervision was drawn up, CLASS: 042-03/23-01/77, REGISTRATION NUMBER: 567-12/09-23-08, dated 4 October 2023, which forms an integral part of the file.

The director of the company _ was present at the supervision proceedings via video link because, according to his statements, he was in _, where he resides. During the supervision proceedings, Ms. _ attached the Decision on the appointment of Mr. _ as the personal data protection officer in the company _, dated 25.2.2022. The Agency's representatives immediately drew Mr. _'s attention to the fact, arising from the General Data Protection Regulation itself, that the designated data protection officer may also fulfil other tasks and duties, but that such tasks and duties must not lead to a conflict of interest, which is very likely where the owner or director of the company is also the designated officer. Mr. _ did not comment on this during the supervisory procedure. When asked by the authorized officers of the Agency about the operations of the company _ d.o.o., Mr. _ states that the said company has been operating in the Republic of Croatia since 2013, that its primary business activity is offering basic and financial data on business entities to other business entities, that it does not have any natural person subscribers, and that through the business platform _, available on the company's website _, it offers annual subscriptions to business entities for access to data which the company has collected from publicly available sources, such as public registers, court e-announcements and telephone directories, together with an additional set of data relating to the financial operations of business entities, which it receives on the basis of a contract signed with FINA.

In relation to access to data contained in the storage system of the company _ d.o.o., Mr. _ states that on the company's website it is possible to search for business entities and crafts by parameters, first and last name and OIB, without a subscription, and that three complete checks can be obtained, after which further searches from the IP address (device) from which access is made are blocked if the person accessing is not a subscriber. He states that the company has published General Terms and Conditions of Business and that if an interested legal entity requests the opening of a user account through the information available on the website, a pro forma invoice is sent to it, and after payment and acceptance of the General Terms and Conditions of Business a user account is opened and access credentials are provided. He also states that a subscriber accessing the data has access to the creditworthiness (financial) data of the business entity, which are not publicly available when viewing and searching on the website, and to the contact details, i.e. telephone number.

Regarding the availability of data on crafts processed by the company in question, Mr. _ states that, in addition to trading companies, the service also offers data on crafts and their business operations if the crafts are required to submit financial reports to FINA, and that since the Crafts Act stipulates that this is an economic activity, they consider this to be business data as well. He also notes that only data on crafts that are publicly available in the crafts register have been published, along with creditworthiness data provided to them by FINA under the contract, and additionally announcements from the e-bulletin boards of courts and public telephone directories.

When asked since when the company _ d.o.o. has been processing data on crafts, Mr. _ states that he is not sure of the exact year in which this service was first offered, but that in preparing the documentation for the supervisory action he found contracts with FINA on the basis of which he receives data on the financial operations of crafts, and that he will provide exact information after additional verification.

Furthermore, upon inquiry by authorized officers of the Agency in relation to Mr. _'s allegation that the controller in question does not process the personal data of data subjects, even though the data on the ownership of a craft includes the name and surname of the craft owner, a natural person, the OIB (tax identification number) and the owner's address of residence, which is often also the address of the registered office of the craft, and which are personal data used for the performance of an economic activity in accordance with special regulations, Mr. _ states that the Crafts Act provides that these are data related to the performance of business activities, and that it is evident from the contracts concluded with FINA that the processing concerns business data.

Furthermore, at the request of authorized officials of the Agency regarding the necessity of publishing data on crafts in the specified scope, Mr. _ states that an essential element of their offer is that business entities, in order to prevent misuse, i.e. entering into business cooperation with crafts that have negative business references or are blocked, are transparently informed of all circumstances important for their business, and that they base this processing on legitimate interest.

Furthermore, when asked by the authorized officers of the Agency how, if the processing is based on legitimate interest, its existence was demonstrated, i.e. whether a legitimate interest (proportionality) test was carried out, Mr. _ states that the legitimate interest test was carried out, but that the document is not among those prepared, that since he is abroad it is not available to him at the moment, and that he will subsequently deliver it to the Agency.

Furthermore, when asked by the authorized officials of the Agency about the manner in which data subjects are transparently informed about the processing of their personal data, given that the personal data were not collected directly from them, Mr. _ states that a document entitled "Privacy Policy" has been published on the website of the controller in question and that data subjects have been informed of all circumstances relating to the processing of personal data. When asked by the authorized officials to explain in detail in which part of the said document this information is located, given that verification by the authorized officials had established that it is not contained in the documents available on the website of the controller on 15.09.2023, which were printed out and provided for inspection to those present during the supervisory procedure, Mr. _ indicates that it is located in the document entitled "Privacy Policy" currently publicly available on the website of the controller in question, and Ms. _ attaches a printout of the document in question.

After reviewing the attached document, it is clear that it differs from the one the Agency found to be available on the website of the controller in question during its inspection of the company's website on 15.09.2023. Upon inquiry from the Agency's representative, Mr. _ states that he cannot say whether the correct document is the one attached during the supervisory procedure, that it is possible that the earlier one was an old link, and that he cannot say when the attached document was published. Furthermore, when the Agency's representative pointed out that it does not follow from the attached document that data subjects were adequately informed about the processing of personal data in accordance with Article 14 of the General Data Protection Regulation, and asked him to clarify how he believes they were provided with all the information required by that article, Mr. _ states that since they process business data, a notification was given in that regard.

In relation to the attached document, upon the Agency representative's observation that it contains no information on the storage period or data retention periods, Mr. _ states that he cannot confirm with certainty where that information is located, but that data on business entities and crafts are stored while they are active, and after they are closed for another 3 to 5 years from the date of their closure or from the date of deletion from the crafts register.

During the supervisory procedure, the Agency representatives asked the representatives of the company _ d.o.o. whether any additional internal company acts relating to personal data processing had been adopted, and requested that the Records of Processing Activities be provided for inspection. Mr. _ states that at that moment he is not aware whether the company has compiled Records of Processing Activities, that the legal advisor has this information, but that since the legal advisor is at a hearing in Koprivnica, it is not possible to verify this or provide the document for inspection to the authorized officials of the Agency. In relation to internal acts relating to the protection of personal data, Ms. _ encloses a document entitled "Internal act on technical and information security".

Furthermore, in relation to the question of the number of crafts currently contained in the storage systems of the controller in question, Mr. _ states that none of the employees has the authority to run queries against the database or generate reports by individual parameters; employees only have the authority to access and view the database, with the same permissions as the business entities that pay for access to the data. Therefore, at that moment, there was no technical possibility of enabling the Agency's representatives to do so, but the requested data would be subsequently submitted to the Agency.

After the completion of the supervisory procedure, as indicated in the minutes, the Agency requested the company _ d.o.o. to submit, upon receipt of the report on the supervision carried out: a legitimate interest test in relation to the processing of personal data of data subjects contained within the data on crafts; additional information on the purpose and legal basis for the processing of personal data within the set of data on crafts, especially after their deletion from the crafts register; additional information and internal acts from which the determination of the storage period and public availability of data on crafts follows, including the storage period and public publication of data after their deletion from the crafts register; data on the current number of crafts contained in the storage system, with data (evidence) on the start of processing, and data on the number of inactive crafts together with the dates of their closure; other internal acts relating to the regulation of personal data protection, including records of processing activities; additional information on the use of the services of a processor; and an additional statement on the update of the privacy policy on the company's website, i.e. a statement on the fact that on 15 September 2023, before announcing the supervisory activities, the Agency found at the same link on the company's website a document significantly different in content from the one attached by the representative of the company _ d.o.o. during the supervisory procedure and currently available on the company's website.

The company _ d.o.o. submitted its response and the requested clarifications and documents to the Agency by letter dated 3 November 2023.

In this regard, it submitted a document entitled "Assessment of proportionality in the case of legitimate interest", dated 20.09.2018, an Internal act on business data management, an internal act on personal data protection, Records of processing activities kept by the controller, Records of processing activities kept by the processor, and the contract between the company _ d.o.o. as the controller and the processor, the company _.

In addition to the above documentation, additional information was provided on the purpose and legal basis for the processing of personal data, especially in relation to personal data contained within business data after their deletion from the register. The company states that the purpose of the processing, as already emphasized in the submitted assessment of legitimate interest, is to prevent business fraud and abuse in business, to check the business habits of companies, etc. Furthermore, it states that the legal basis for the processing is the Act on the Right of Access to Information, the Crafts Act and other laws that regulate the free flow of information. On this basis, it states that the company does not need the consent of the data subject and that, as a rule, it keeps the data permanently. It further states that it is in the company's interest to keep data on crafts and companies even after they have been deleted due to certain bad business practices, giving the example of poor payment discipline, visible in recorded blockages of business accounts, the closure of businesses with bad practices and the opening of new ones; in this way, the company believes, it helps its clients to see the business history of a particular business or of an owner with bad business practices and thus make better business decisions. It also submits information according to which, at the time of submitting its response, it keeps a total of 170,782 crafts (active and inactive) in its records, with the start of processing as indicated in the submitted contracts with FINA.

The company _ d.o.o. submits its statement on the update of the privacy policy on its website, i.e. on the fact that the document currently available on the website and presented by its representative differs significantly in content from the one the Agency recorded before announcing the supervisory procedure. It states that the partial discrepancy noticed by the Agency between parts of the publicly available privacy policy and the one attached during the on-site supervision is attributable exclusively to the operation of the software system, which it considers vital and logical. Namely, as it further states, it happens every day in business that versions of certain content in the web system are not corrected in a timely manner, or that when the latest texts are activated a disruption occurs in the operation of the web system which cannot be attributed to human error but to an error in the software system, and it is then necessary to update or refresh the content being displayed; in this specific case it was necessary to request support for the system and determine why this happened, and immediately, as soon as possible, reactivate the current version.

The Agency points out that since 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), has been directly and bindingly applicable in all Member States of the European Union, including the Republic of Croatia.

In accordance with Article 4(1) of the General Data Protection Regulation, "personal data" means any information relating to an identified or identifiable natural person (the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In accordance with Article 4(2) of the General Data Protection Regulation, "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In accordance with Article 5(1)(a) of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").

In accordance with Article 5(1)(e) of the General Data Protection Regulation, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation").

In accordance with Article 5(2) of the General Data Protection Regulation, the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

According to Art. 6, paragraph 1 of the General Data Protection Regulation, processing is lawful only if and to the extent that at least one of the following is met: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) the processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is necessary to protect the vital interests of the data subject or of another natural person; (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

According to Article 12(1) of the General Data Protection Regulation, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

In accordance with Article 14(1) of the General Data Protection Regulation, where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) the categories of personal data concerned; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

In accordance with Article 14(2) of the General Data Protection Regulation, in addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (b) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party; (c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; (d) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; (e) the right to lodge a complaint with a supervisory authority; (f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In accordance with Article 14(3) of the General Data Protection Regulation, the controller shall provide the information referred to in paragraphs 1 and 2: (a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; (b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or (c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

In accordance with Article 14(4) of the General Data Protection Regulation, if the controller intends to further process personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject with information on that other purpose and any other relevant information referred to in paragraph 2 prior to such further processing.

In accordance with Article 30(1) of the General Data Protection Regulation, each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; (f) where possible, the envisaged time limits for erasure of the different categories of data; (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

In accordance with Article 38(3) of the GDPR, the controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his or her tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

In accordance with Article 38(6) of the GDPR, the data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

In this administrative matter, the Personal Data Protection Agency analysed the statements made during the supervisory proceedings and the documents submitted by the company _ d.o.o., in particular the document "Assessment of proportionality in the case of legitimate interest", the company's statements, and the subsequently received letter providing additional information on the purpose and legal basis for the processing of personal data, in particular personal data contained in the data on crafts after their deletion from the register. On that basis, clear inconsistencies and non-compliance with the obligations arising from the General Data Protection Regulation were established. Article 6(1) of the General Data Protection Regulation stipulates that processing is lawful only if and to the extent that at least one of the six legal bases listed in Article 6(1)(a) to (f) applies. Consequently, before starting the processing, the controller must identify the applicable legal basis and ensure that all the requirements of at least one of the legal bases referred to in Article 6(1) are met. It is important to emphasise that the General Data Protection Regulation establishes no hierarchy between the legal bases set out in Article 6(1); the controller must make its assessment case by case, taking into account the specific circumstances of the individual processing activity.

Article 6(1)(f) of the General Data Protection Regulation provides a legal basis for the processing of personal data to the extent that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child”.

The legal basis for a particular processing of personal data needs to be considered in the context of the General Data Protection Regulation as a whole, including the objectives set out in Article 1, and the controller’s obligation to comply with the data protection principles set out in Article 5 of the Regulation, such as the principle of ‘data minimisation’ and the principle of ‘storage limitation’. In this regard, it should also be noted that, in accordance with Article 5, the controller bears the burden of proving that the data were collected, inter alia, for specified, explicit and legitimate purposes and that they are processed lawfully, fairly and in a transparent manner in relation to the data subject. In order for processing to be based on the legal basis of legitimate interest, three cumulative conditions must be met: first, the pursuit of a legitimate interest by the controller or a third party; second, the need for the processing of personal data for the pursuit of the legitimate interests, i.e. the processing of personal data must be "necessary" for those purposes; and third, the interests or fundamental freedoms and rights of the data subject must not override the legitimate interest(s) of the controller or the third party. With regard to the third condition, the controller must balance its own legitimate interests or those of a third party against the interests and freedoms of the data subject. This "balancing test" between the fundamental rights, freedoms and interests at stake must be carried out for any processing based on a legitimate interest and must be carried out before the processing itself is carried out.

The above condition implies a balancing of the competing rights and interests at stake, which in principle depends on the circumstances of the specific case. Following the assessment of the legitimate nature of the interests of the controller or a third party and the analysis of the necessity of the processing, the controller must identify and describe: (a) the interests, fundamental rights and freedoms of the data subjects, through the impact of the processing on them, including the nature of the data processed, the context of the processing and any further consequences of the processing; (b) the reasonable expectations of the data subjects; and finally (c) the balancing of the competing rights and interests, including the possibility of using measures to mitigate the competing interests.

It is important to emphasize that the Agency has published on its website a copy of the "proportionality test" form that can be used by all controllers or processors.

However, the company _ d.o.o. submitted its document "Assessment of proportionality in the case of legitimate interest", stating that the primary activity of the company _ d.o.o. is the collection of all business data essential for transparent business operations in the Republic of Croatia, that the basic framework under which the information is collected is the Right of Access to Information Act, the Crafts Act and other laws regulating the free flow of information in the public interest, and that the collection of this information is therefore a legitimate interest of the company, its clients and the public of the Republic of Croatia. Furthermore, the document states that the data the company collects relate exclusively to business operations and are already publicly published everywhere, and that without these data the company _ d.o.o. would not be able to provide its services to its users, meaning that it would not be able to operate and offer its services. The company _ d.o.o. therefore concludes that the processing of these data is necessary, especially since, in its view, it does not concern the personal data of natural persons. Finally, the submitted document considers, as it puts it, "the impact on the interests, rights and freedoms of the data subjects and whether they override our legitimate interest", and once again states that the company publishes and processes exclusively data relating to business entities such as companies and crafts, which are already a matter of public interest and already published in publicly available registers, which, as it states, are referred to in the Crafts Act, the Right of Access to Information Act and other laws regulating the free flow of information. It also states that these data do not require the consent of the data subjects because they fall under business data, and from this it concludes that the interests, rights and freedoms of the data subjects do not override the company's legitimate interest. Finally, it states that the company _ d.o.o. always enables communication with data subjects and considers each request, whether for modification, deletion or similar, on its merits, and that if it determines that some of the data are not necessary for the provision of its service, it complies with the data subject's request.
From the above, and taking into account the additional information provided on the purpose and legal basis for the processing of personal data, in which the company incorrectly indicates that the legal basis for processing is the Right of Access to Information Act, the Crafts Act and other laws regulating the free flow of information, it is first of all clear that the company _ d.o.o. essentially misunderstands the meaning of a legal basis for the processing of personal data, and in particular of legitimate interest as a legal basis for processing. Furthermore, the document itself explicitly states that the case does not concern the personal data of natural persons, and, in considering the impact of the processing on the interests, rights and freedoms of the data subjects and whether these override the company's interests, it merely reiterates in general terms that it publishes and processes only data relating to business entities such as companies and crafts, that these are a matter of public interest (it thus relies not on the interests of its clients but on the interests of the public) and that they have already been published in publicly available registers. Of particular significance is the statement in which the company _ d.o.o. says that it always enables communication with data subjects and considers each request, whether for modification, deletion or similar, on its merits, and that if the company determines that some of the data are not necessary for the performance of its service, it complies with the data subject's request. This is one more indicator that the controller did not adequately conduct the proportionality test, because it follows from the above that it essentially has no clear findings or conclusions as to exactly which personal data are necessary for the specific purpose of the processing.

The controller may rely on legitimate interest as a legal basis only if it has assessed and concluded that the intended processing is strictly necessary to achieve that legitimate interest and that the interests or fundamental rights and freedoms of the data subjects do not override the legitimate interest pursued by the controller.

Furthermore, the interests of third parties, as referred to in Article 6(1)(f) of the GDPR, should not be confused with the interests of the wider community (general public interests).

The interests of the wider community are generally subject to processing on the basis of Article 6(1)(e) or (c) if the controllers (in principle public authorities) are entrusted or legally obliged to safeguard or pursue such interests. Where the controller carries out further activities which do not fall under such specific legal obligations laid down in national law, it must demonstrate that it does so for the purpose of pursuing the legitimate interests of the controller or the interests of specific third parties.

A blanket statement by which the company _ d.o.o. indicates that without the disclosure of certain data the company would not be able to provide its services or would not be able to operate and offer its services is not appropriate in the context of the proportionality test.

The Crafts Act (Official Gazette No. 143/2013, 127/2019, 41/2020), in Article 4, paragraph 1, expressly stipulates that a craftsman, within the meaning of that Act, is a natural person who performs one or more of the activities referred to in Article 2, paragraph 1 of the Act in his own name and for his own account, and who may also use the work of other persons. In accordance with Article 15 of the same Act, a craft is entered in the Crafts Register on the basis of a decision issued by the competent administrative body. The Crafts Register is public. The form and manner of keeping the Crafts Register referred to in paragraph 1 of that Article and the possibility of its use are prescribed by the minister responsible for crafts. The Ordinance on the Form and Method of Keeping the Trade Register ("Official Gazette", No. 58/09) prescribes the method of registering natural persons in the Trade Register and the method of keeping the Trade Register in the state administration offices in the counties and their branches and in the Office of the City of Zagreb (hereinafter: registration body), the form and content of the application forms for registration in the Trade Register, the form and content of the cover of the registration insert, the form of the overview sheet of registrations in the registration insert, the form of the book of serial numbers of the covers of the registration inserts, and the form of the extract from the Trade Register. Among other things, Article 11, paragraphs 1 and 2 of that Ordinance stipulates that, for each registration in the Trade Register, an application form for registration is submitted containing the information for registration of the trade and other data important for the performance of the trade, on the basis of which the decision is made.

The Application for Entry into the Trades Register form (Annex No. 1) contains information on the registration authority, the owner of the trade, his or her date and place of birth, MBG and OIB, the type of entry in the register, the trade, the activities at the seat of the trade and the professionals performing activities at the seat of the trade, and membership in the Croatian Chamber of Trades. Furthermore, in its document entitled "Assessment of proportionality in the case of legitimate interest", the company _ d.o.o. fails to take into account an extremely important factor, namely that the company keeps the data on crafts permanently. In this regard, a very important part of conducting the proportionality test is to take into account, in an objective manner, the consequences that the intended processing may have and how it may additionally affect the rights, freedoms and interests of the data subject. Factors that the controller should take into account, depending on the nature of the data processed, may include: possible future decisions or actions of third parties that may be based on the processing; the possible creation of legal effects for data subjects, or the exclusion or discrimination of individuals; possible situations in which there is a risk of damage to the reputation, bargaining power or autonomy of the data subject; financial losses that the data subject may suffer; and the like.
In accordance with Article 45 of the Crafts Act, a craft ceases to exist upon deregistration or by operation of law. The cessation of a craft under paragraph 1 of that Article applies accordingly to the cessation of one or more activities carried out within a craft. The competent administrative body determines the cessation of a craft by a decision and, once the decision becomes enforceable, deletes the craft from the Crafts Register.

In this administrative matter, the Agency has determined that the company _ d.o.o., as the controller, has not demonstrated a legal basis for permanently storing data on craftsmen even after they have been deleted from the official public register kept by the competent state body in accordance with the powers and tasks established in a special national regulation. In this regard, the controller indicated in the information provided that it keeps a total of 170,782 crafts in its records, of which 122,079 are active and 48,703 inactive.

Additionally, Recital 47 of the General Data Protection Regulation clearly states that "the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller". The same recital further states that "at any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing". In the present case, the company _ d.o.o., in its document entitled "Assessment of proportionality in legitimate interest", completely overlooks this important factor, which must be taken into account when conducting the proportionality test for legitimate interest as a basis for processing personal data.

Following all of the above, the Agency determined in the specific case that the company _ d.o.o., through its inadequate conduct of the assessment, i.e. of the proportionality test, failed to demonstrate that there is an adequate legal basis for the processing of personal data.

Furthermore, as regards any processing of personal data covered by the General Data Protection Regulation, controllers who base their processing activities on Article 6(1)(f) must comply with their transparency obligations under Articles 12, 13 and 14 of the General Data Protection Regulation. Transparency is intrinsically linked to the principle of fairness laid down in Article 5 of the Regulation. The latter principle requires, for example, that personal data are not processed in a way that is unjustifiably detrimental, discriminatory, unexpected or misleading to the data subject.

Transparency is also an essential element in ensuring the effective exercise of data subjects' rights. Pursuant to Article 12(1) of the General Data Protection Regulation, all information and communications relating to the processing of personal data must be easily accessible and easy to understand. According to Article 14(1)(c) of the General Data Protection Regulation, the information that must be provided to data subjects must specifically include the legal basis for the processing. Data subjects should therefore be informed that the processing is based on Article 6(1)(f). Furthermore, when processing is based on Article 6(1)(f), the specific legitimate interests pursued must be precisely identified and communicated to the data subject in accordance with Article 14(2)(b) of the General Data Protection Regulation.

Transparency is a comprehensive obligation under the General Data Protection Regulation and applies in three central areas: 1. the provision to data subjects of information relating to fair processing; 2. the way in which controllers communicate with data subjects regarding their rights under the General Data Protection Regulation; and 3. the way in which controllers facilitate the exercise of their rights by data subjects.

Transparency is therefore, in principle, also an expression of the principle of fairness in the processing of personal data established in Article 8 of the Charter of Fundamental Rights of the European Union. Under the General Data Protection Regulation (Article 5(1)(a)), alongside the requirement that data be processed lawfully and fairly, transparency is now included as a fundamental aspect of that principle. It follows from Article 5(2) that the controller must at all times be able to demonstrate that the processing of personal data is transparent for the data subject.

The key articles of the General Data Protection Regulation relating to transparency, as regards the rights of data subjects, are found in Chapter III (Rights of the data subject). Article 12 lays down the general rules that apply to: the provision of information to data subjects (Articles 13 to 14), communication with data subjects on the exercise of their rights (Articles 15 to 22) and communications relating to data breaches (Article 34). In particular, Article 12 requires that the information or communications in question comply with the following rules: they must be concise, transparent, intelligible and easily accessible (Article 12(1)); the language used must be clear and plain (Article 12(1)); the requirement to use clear and plain language is especially important when providing information to children (Article 12(1)); the information must be provided in writing "or by other means, including, where appropriate, by electronic means" (Article 12(1)); if requested by the data subject, the information may be provided orally (Article 12(1)); and the information must generally be provided free of charge (Article 12(5)).

In this case, the Agency established that the company _ d.o.o. had, on its website, at least until the on-site inspection on October 4, 2023, published a document called "Privacy Statement", whose introduction states that the aim of the document is to inform data subjects that the company _ d.o.o. cares about the privacy of its users and about the methods of collecting and processing data about individuals on the website, while at the same time stating that the company, in accordance with the Personal Data Protection Act of the Republic of Croatia, registered the collection of personal data at its disposal in the Central Register maintained by the Commissioner for Information of Public Importance and Personal Data Protection. In principle, it follows from this that it is an outdated document relating to the application of Article 16, paragraph 1 of the Personal Data Protection Act ("Official Gazette", No. 103/03, 118/06, 41/08, 130/11 and 106/12 - consolidated text), which, in accordance with Article 56 of the Act on the Implementation of the General Data Protection Regulation ("Official Gazette", No. 42/18), ceased to be valid upon the entry into force of that Act.

Furthermore, the same document contains provisions under the headings "Purpose of personal data processing" and "Information about the processing of personal data". In the part of the text headed "Processing of personal data is not allowed if:", it expressly states: "there is no valid consent for processing or the processing is carried out without legal authorisation". Further on, the document contains a section entitled "Your right - transparency", which essentially states that the company _ d.o.o. is transparent and open to communication with the data subjects with whom it deals, and contains a list of certain rights of data subjects, the "right to rectification", "right to transfer", "right to be forgotten" and "restriction of erasure", with a brief description of each, which essentially do not correspond to those prescribed in Chapter III of the General Data Protection Regulation.

Following the above, the Agency determined that the company _ d.o.o., as controller, had published on its website, at least until November 4, 2023, the document "Privacy Statement", which essentially does not comply with the requirements placed on controllers by the General Data Protection Regulation as regards their obligation of transparency in the processing of personal data.

In this administrative matter, it is important to point out that the company _ d.o.o. changed the content of the document "Privacy Statement" during the proceedings; the Agency last inspected the document on December 19, 2024, which is documented and forms an integral part of the file, and which the company also confirmed in its letter dated November 3, 2023.

However, the company _ d.o.o. still retains in that document wording that substantially deviates from the principle of transparency, i.e. the related principle of fairness established by the General Data Protection Regulation, and which the Agency has determined does not comply with Articles 12 and 14 of the General Data Protection Regulation.

Among other things, the document essentially uses ambiguous wording by emphasising the term "business data" rather than personal data. Furthermore, the document entitled "Privacy Statement" explicitly invokes the company's compliance with "Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union", which, according to the company, allows the free flow of non-personal data to all EU countries for the purposes of business transparency and security. In addition, the text further states: "_ d.o.o. respects your privacy. The aim of this privacy statement is to inform you that we care about the privacy of our users and about the methods of collecting and processing data about business entities on this website".

Furthermore, the continuation of the document includes the following statement: "_ d.o.o. has appointed a Business Data Protection Officer: _ . For all questions regarding the processing of your business data and the exercise of the rights provided for in the General Data Protection Regulation, you can contact the Business Data Protection Officer".

Also, particularly in the context of the violation established under point 1 of this decision, the company _ d.o.o., in the section of that document headed "Data protection - legal basis for the processing of business data", expressly fails to indicate the legal basis for the processing of personal data under Article 6(1)(f) of the General Data Protection Regulation and instead uses a term that is not recognised in that Regulation.

Furthermore, the document states that the company _ d.o.o., as controller, collects business data that includes the following: name and surname of the owner of the craft / company / business entity, address of the headquarters of the craft / company, OIB of the craft / company / business entity, registration number of the craft / company / business entity, business bank account number of the craft / company / business entity, e-mail address of the craft / company / business entity and telephone number of the craft / company / business entity, but, as it emphasises, is not limited to these. That wording is therefore speculative and unclear, and entirely contrary to the obligation under Article 12 of the General Data Protection Regulation that information provided to data subjects be clear and precise.

In its letter dated November 3, 2023, the company _ d.o.o. submitted to the Agency, among other things, a document entitled "Record of data processing activities", which contains a chapter entitled "Database of business entities published on _". Under that heading, the following information is provided: name and contact details of the controller, name and contact details of the data protection officer, processor, method of processing and legal basis for processing. The Agency has determined that this does not comply with the provisions of Article 30 of the General Data Protection Regulation.

In this administrative matter, the Agency has also analysed the submitted document "Decision on the appointment of the personal data protection officer" in order to determine whether the tasks of the position of "director" of the company conflict with the role of the appointed data protection officer, i.e. how the role of "director" can be reconciled with the function of the data protection officer, who must be able to perform independently and autonomously the tasks set out in Article 39 of the General Data Protection Regulation, including the possibility of supervising activities carried out by a head of department, and whether the tasks and duties of the position of "director" affect the determination of the purposes and means of the processing of personal data for the processing activities carried out by the company _ d.o.o.

In accordance with the Article 29 Working Party Guidelines on Data Protection Officers of 13 December 2016, as last revised and adopted on 5 April 2017 (WP 243 rev.01) and endorsed by the European Data Protection Board at its first plenary session on 25 May 2018, the absence of a conflict of interest is closely linked to the requirement to act in an independent manner. Although data protection officers are allowed to perform other tasks and duties, these may only be entrusted to them provided that they do not give rise to a conflict of interest.

In particular, this means that the data protection officer cannot hold a position within the organisation that leads him or her to determine the purposes and means of the processing of personal data. Due to the specific organisational structure of each organisation, this must be considered case by case. As a rule of thumb, positions that may give rise to a conflict of interest within an organisation include senior management positions such as CEO, COO, CFO, CMO, Head of Marketing, HR or IT, but also lower-level roles in the organisational hierarchy if such positions or roles lead to the determination of the purposes and means of processing personal data. In addition, a conflict of interest may arise, for example, if an external data protection officer is asked to represent the controller or processor in court in cases involving data protection issues.

In its judgment C-453/21 of 9 February 2023, in relation to conflict of interest, the Court of Justice of the EU stated that
Article 38(6) of the General Data Protection Regulation should be interpreted as meaning that a "conflict of interest"
within the meaning of that provision may exist where the data protection officer is entrusted with other tasks
or duties which would lead him to determine the purposes and means of the processing of personal data
within the controller or its processor, which must be verified in each individual
case on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and taking into account all applicable legislation, including their
possible internal rules.

From the above, the Agency concludes that a conflict of interest will not generally arise if the Data Protection Officer, in addition to his/her tasks, also performs other tasks and duties that are exclusively of an advisory or supervisory nature, or if this other role that the Data Protection Officer performs cannot influence the purposes and means of processing personal data. In this administrative matter, the Agency determined that the controller in question had not proven that the data protection officer, who is also the "director" of the company and the person authorised to represent the company according to the court register and, in this regard, the person who assumes the most responsible position in the company hierarchically, and which position by its nature places emphasis on the organisation and management of overall work processes in a manner that ensures maximum efficiency and business and financial success of the company, thereby directly putting the business and financial interests of the company in conflict with the effective performance of the tasks of the data protection officer, affecting the ability to perform his tasks in implementing the essential elements of the General Data Protection Regulation, does not perform tasks and duties that lead to a conflict of interest.

II. DETERMINATION OF ADMINISTRATIVE FINES

Article 44 of the Act on the Implementation of the General Data Protection Regulation stipulates that the Agency shall impose administrative fines for violations of the provisions of this Act and the General Data Protection Regulation, in accordance with Article 83 of the General Data Protection Regulation.

Article 45, paragraph 1 of the aforementioned Act stipulates that administrative fines shall be imposed by decision. Pursuant to paragraph 2 of the same Article, the decision shall determine the amount and method of payment of the administrative fine. The decision may determine that the administrative fine shall be paid in installments.
Pursuant to paragraph 4 of the same Article, no appeal is permitted against the decision, but an administrative dispute may be initiated before the competent administrative court.

Pursuant to Article 46 of the same Act, the administrative fine shall be paid within 15 days from the date of entry into force of the decision imposing it. If the party fails to pay the administrative fine within the prescribed period, or upon the maturity of the last installment if payment by installments has been approved, the Agency shall notify the Regional Tax Administration Office of the Ministry of Finance in whose area the party to whom the administrative fine was imposed has its residence or registered office, in order to collect the administrative fine by force in accordance with the regulations on forced tax collection. Administrative fines shall be paid to the state budget. By way of exception to paragraph 2 of this Article, no interest shall be calculated on the due but unpaid administrative fine.

Given the established circumstances in this specific case, the Agency, in accordance with its powers under Article 58, paragraph 2, item (i) of the General Data Protection Regulation, imposed an administrative fine instead of other corrective measures under the relevant Article, all in accordance with the conditions for its imposition from Article 83 of the General Data Protection Regulation and Articles 44, 45 and 46 of the Act on the Implementation of the General Data Protection Regulation. After a detailed examination of the available remedies referred to in Article 58(2) of the General Data Protection Regulation, which the supervisory authority is empowered to impose on the controller and/or processor in the event of an infringement of the provisions of the General Data Protection Regulation, and having assessed all the circumstances of the case, in particular that the chosen remedy must be effective, proportionate and dissuasive in each individual case, the Agency has decided to impose an administrative fine, paying due regard to the criteria laid down in Article 83(2) of the General Data Protection Regulation.

Namely, Article 83(1) of the General Data Protection Regulation requires each supervisory authority to ensure that the imposition of administrative fines in accordance with this Article in respect of infringements of paragraphs 4, 5 and 6 of this Regulation is effective, proportionate and dissuasive in each individual case. The Agency considers that the amount of the administrative fine imposed cannot be effective if it does not have a significant impact on the controller's income; the principle of proportionality cannot be maintained if the infringement and the administrative fine imposed in respect of it are considered in the abstract, regardless of the impact on the controller or processor; and it should also be a deterrent to future infringements. Therefore, the administrative fine imposed cannot be a deterrent if it does not have a financial impact on the controller in question. Pursuant to Article 83(2) of the General Data Protection Regulation, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and Article 58(2)(j), depending on the circumstances of each individual case.
When deciding whether to impose an administrative fine and when determining the amount of the administrative fine in each case, due regard shall be paid to the following:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope and purposes of the processing concerned as well as the number of data subjects and the level of damage suffered by them;

(b) whether the infringement was intentional or negligent;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the level of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them in accordance with Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate the potential harmful effects of that infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor reported the infringement;

(i) where measures referred to in Article 58(2) have previously been imposed on the controller or processor concerned in relation to the same matter, compliance with those measures;

(j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42; and

(k) any other aggravating or mitigating factors applicable to the circumstances of the case,

such as the financial gain gained from the infringement or the losses avoided, directly or indirectly, by the infringement.

Article 83(4) of the GDPR provides that administrative fines of up to EUR 20,000,000 may be imposed for infringements of the obligations of the controller and processor in accordance with Articles 5, 6, 12 and 14 of the GDPR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher.

Article 83(4) of the GDPR provides that administrative fines of up to EUR 10,000,000 may be imposed for infringements of the obligations of the controller and processor in accordance with Articles 30 and 38 of the GDPR, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is the higher.

Recital 150 of the General Data Protection Regulation states that where administrative fines are imposed on an undertaking, the undertaking should be interpreted for these purposes in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. In accordance with the Guidelines of the Article 29 Working Party on the application and setting of administrative fines for the purposes of Regulation 2016/679 of 3 October 2017 (WP 253), which the European Data Protection Board endorsed at its first plenary session on 25 May 2018, in order for the supervisory authority to impose a fine that is effective, proportionate and dissuasive, it shall apply the definition of the term ‘undertaking’ as given by the Court of Justice of the European Union for the purposes of applying Articles 101 and 102 TFEU, i.e. the concept of ‘undertaking’ shall be understood as meaning an economic unit which may be set up by a parent company and any subsidiaries involved. In accordance with EU law and case-law, the concept of ‘undertaking’ should be understood as an economic unit which carries out commercial/economic activities, regardless of the legal person involved. The aforementioned Guidelines also provide definitions of the term ‘undertaking’ from the judgments of the Court of Justice of the European Union: the term ‘undertaking’ shall cover any entity ‘which carries out an economic activity, whatever its legal status and the way in which it is financed’ (Höfner and Elsner case, paragraph 21, ECLI:EU:C:1991:161). The term "undertaking" "must be considered as a term designating an economic unit even if in law that economic unit consists of several persons, whether natural or legal" (Confederación Española de Empresarios de Estaciones de Servicio case, paragraph 40, ECLI:EU:C:2006:784).

Upon review of the financial report for 2023, it was determined that the total revenue of the company _ d.o.o. amounted to 1,432,995.77 Euros, and 4% of that amount is 57,319.83 Euros, and in this regard, the upper limit for imposing an administrative fine in the specific case is EUR 20,000,000.00.

For the violation of Articles 5, 6, 12, 14, 30 and 38, paragraph 6 of the General Data Protection Regulation, the Agency imposed an administrative fine on the controller _ d.o.o. in the amount of 40,000.00 Euros, which is 0.2% of the maximum amount of the administrative fine that the Agency could or was authorized to impose in the specific case.

Pursuant to the provision of Article 83, paragraph 2 of the General Data Protection Regulation, when deciding on the imposition of an administrative fine and deciding on the amount of that administrative fine, the Agency paid due attention to the following in this case:

- The nature, gravity and duration of the violation in question (Article 83, paragraph 2, point a);

In the case at hand, it was established that the controller had infringed the provisions of Articles 12 and 14 of the General Data Protection Regulation until 15 September 2023, but still in this document. Furthermore, the Agency established that the controller had not proven the existence of a legal basis for the processing of personal data, and that the infringement had been ongoing since 25 May 2018. Also, the controller in question kept records of processing during the said period in breach of the obligations under Article 30 of the General Data Protection Regulation. The Agency established that the controller in question had appointed a person as a data protection officer who, in the performance of his duties and responsibilities at the workplace, was a "director" of the company with a conflict of interest.

- Whether the infringement was intentional or negligent (Article 83(2)(b);

In relation to the above-mentioned violations referred to in point 2 of the operative part of this decision, taking into account the circumstances or actions taken by the controller or processor after conducting the supervisory activities, direct intent to violate the provisions of the General Data Protection Regulation by the controller has been established. In relation to the violations of the General Data Protection Regulation established in other points of the operative part of the decision, direct intent has not been established but rather gross negligence has been established.

- Any action taken by the controller or processor to mitigate the damage suffered by the data subjects (Article 83, paragraph 2, point c);

Given that in the case at hand it has not been established that the data subjects have suffered damage, the same circumstance is not assessed as either mitigating or aggravating.

- Relevant previous violations by the controller or processor (Article 83, paragraph 2, point e);

The Agency has established in its records the existence of two decisions relating to previous violations of the provisions of Article 5(1)(b) and Article 6(1) of the General Data Protection Regulation by the company _ d.o.o., specifically in relation to the excessive disclosure of personal data.

- The degree of cooperation with the supervisory authority in order to eliminate the violation and mitigate the possible harmful effects of that violation (Article 83(2)(f);

During this administrative procedure, the company _ d.o.o. generally responded appropriately to the requests of the supervisory authority; however, in the announcement and attempt to carry out the first direct supervision by the Agency, which was announced for 22 September 2023, the representatives of the company _ d.o.o. did not demonstrate a serious intention to cooperate.

- Any other aggravating or mitigating factors applicable to the circumstances of the case, such as the financial gain gained from the infringement or the losses avoided, directly or indirectly, by that infringement (Article 83(2)(k);

There were no other factors of influence when determining the amount of the administrative fine in this administrative matter.

Taking into account all the above-mentioned allegations and established facts, in particular the assessment of all relevant circumstances relating to the organizational structure of the controller in question and after a detailed consideration of the available corrective measures under Article 58(2) of the General Data Protection Regulation, which the supervisory authority has the authority to impose on the controller and/or processor in the event of a breach of the provisions of the General Data Protection Regulation, and considering all the circumstances of the case in question, and in particular that the selected corrective measure must be effective, proportionate and dissuasive in each individual case, the Agency has decided, pursuant to Article 96 of the General Administrative Procedure Act (Official Gazette, No. 47/09, 110/21), as set out in the operative part of the Decision.

INSTRUCTIONS ON LEGAL REMEDY

No appeal is permitted against this Decision, but an administrative dispute may be initiated before the Administrative Court in Zagreb within 30 days from the date of delivery of the Decision.

DEPUTY DIRECTOR

Igor Vulje

Submit to:

1. _ d.o.o.

2. Pismohrana, here
