Interview with Zdravko Vukić, Director of the Croatian Personal Data Protection Agency (AZOP)

• Can you, please, share your experience in implementation of the GDPR in Croatian legal framework. How would you assess this process?

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that applies uniformly since 25th May 2018 to all European Union member states, including Croatia. On the same date, the Republic of Croatia enacted the Act on the Implementation of the GDPR, which not only ensures the implementation of the GDPR but also establishes additional rules for handling personal data under specific circumstances. These circumstances encompass activities such as the processing of personal data through video devices, the processing of children’s personal data in relation to information society services, the processing of biometric and genetic data, and the processing of personal data for statistical purposes.

While the majority of provisions for safeguarding individuals' data in Croatia are outlined in the GDPR and the Act on the Implementation of the GDPR, in Croatia exists a multitude of other regulations that define specific rules for the handling of individuals' personal data. Such regulations encompass a range of legal frameworks, including the Consumer Protection Law, Act on Prevention of Money Laundering and Funding of Terrorism, Credit Institution Act, Accounting Act, Electronic Communications Act, Labor Law, Family Act, and Rulebook on the e-visitor system, among others.

Within this context, it's crucial to emphasize that Article 14 of the Act on the Implementation of the GDPR stipulates a requirement for central state administration bodies and other public authorities to provide the Agency with preliminary versions of proposed laws and other regulations concerning matters connected to the processing of personal data. This provision allows the Agency to offer informed assessments on data protection in relation to these proposals. This obligation has been in place for administrative bodies and public authorities even prior to the GDPR's implementation, as established by the 2012 Law on Personal Data Protection, through which Directive 95/46/EC was incorporated into the Croatian legal framework. Hence, administrative and public entities possessed an understanding of the fundamental tenets of personal data management and recognized the significance of aligning laws and regulations with the data protection regulatory framework.

The process of incorporating the GDPR into the national legal system entailed harmonizing Croatian national legislation with the stipulations and requirements of the GDPR. This endeavor can be deemed as having been accomplished effectively. Nevertheless, it's important to acknowledge that there is perpetually room for enhancements, and this process remains ongoing.

When discussing the implementation process of the GDPR within organizations, both in the private and public sectors, adhering to the data protection legal framework encompasses more than just comprehending the GDPR's provisions. It extends to understanding all pertinent national regulations and laws specific to the particular industry. Within Croatia, organizations are grappling with comprehending the complete set of applicable laws and keeping track of legislative modifications. Given the overarching nature of the GDPR (termed lex generalis), it is imperative yet occasionally intricate to differentiate the appropriate interaction with specialized laws (referred to as lex specialis) and to strike the right equilibrium.

Consequently, the Croatian Personal Data Protection Authority devotes substantial time and effort to raising awareness and conducting educational initiatives for data controllers and processors from all sectors. At present, we are in the process of implementing the EU-funded ARC II project in collaboration with our Italian counterparts. This endeavor aims to assist small and medium-sized enterprises, as well as all data controllers in both Croatia and Italy, in enhancing their grasp of GDPR provisions and other pertinent data protection legislation. The overarching goal is to elevate the compliance level within their respective organizations.

•  In your opinion, what role do you see Data Protection Authorities playing in shaping the future of data protection policies and regulations?

Data Protection Authorities, along with the European Data Protection Board serving as the overarching body that unites national data protection authorities, assume a central and dynamic role in shaping the trajectory of future data protection policies and regulations. The European Data Protection Board (EDPB) is actively consulted when new legislation is being planned to be adopted. Although its opinion is not legally binding, its influence holds considerable weight.

The EDPB's expertise has been sought on various new pieces of legislation, notably including the Artificial Intelligence Act (AIA), Data Governance Act (DGA), Digital Markets Act (DMA), and the Digital Services Act (DSA). Consistently, the EDPB has advocated for the integration of robust data protection safeguards into these legislations, and its perspective has been instrumental in molding their ultimate form.

We find ourselves in an era defined by the pervasive impact of AI and emerging technologies that are poised to indelibly reshape our lives. AI systems frequently process extensive volumes of personal data, with the GDPR already assuming a significant role in overseeing AI applications involving personal data. The forthcoming Act on AI, currently undergoing negotiations among the European Parliament, European Council, and European Commission, and expected to be adopted in 2024, recognizes the imperative of addressing data protection concerns in the realm of AI. It imposes specific requirements on high-risk AI systems that process personal data, and these requirements align with the principles of data protection.

• How do you ensure that your authority stays current with emerging technologies and their impact on data privacy?

Staying abreast of emerging technologies and their implications for data privacy is of paramount importance for the Croatian Personal Data Protection Agency in its mission to effectively regulate and safeguard individuals' rights. To ensure that the Croatian Personal Data Protection Agency remains up-to-date we have invested in continuous learning, trainings and professional development for the staff. This includes attending courses and workshops focused on emerging technologies and data privacy implications. To better understand the technical aspects of emerging technologies and their implications for data protection, we are partnering with technology experts, researchers, and industry professionals to gain insights into the development and deployment of new technologies. We believe that regular dialogues can provide early awareness of potential privacy challenges. Furthermore, we are monitoring technology trends and innovations, collaborating with other data protection authorities to share insights, knowledge, and experiences related to the impact of emerging technologies on data privacy.

• Can you describe your vision for the future of data protection and what steps your authority is taking to realize that vision?

I envision a future for data protection characterized by utmost respect for individuals' personal data, underscored by transparency and security, fostering a sense of trust within the digital ecosystem. This vision is founded upon three cardinal principles: empowerment, accountability, and innovation. In shaping the future of data protection, transparency, and accountability stand as essential pillars. These principles ensure that individuals are equipped to make informed decisions concerning handling their personal data and the exercise of their data protection rights, while also holding organizations responsible for their data handling practices. As time progresses, organizations will develop a deeper understanding of the importance of establishing robust data protection measures and adhering to the principles of privacy by design and default. My vision encompasses cultivating an environment wherein organizations can nurture innovation without infringing upon individuals' privacy rights. Collaboration with technology experts and industry stakeholders is essential to strike a harmonious equilibrium between innovation and privacy.

To materialize this vision, the Croatian Personal Data Protection Authority is undertaking proactive measures, which include:

• Displaying an unwavering commitment to steadfast and more assertive enforcement of data protection regulations. Rigorous investigations into reported breaches, complaints, and violations will be conducted, with imposing fines when necessary to maintain a strong deterrent against non-compliance.
• Elevating awareness about individuals' rights and organizations' obligations under data protection laws. Through workshops, seminars, and online resources, both individuals and organizations will gain the tools to navigate the intricate terrain of data privacy.
• Cultivating crucial collaborations with fellow data protection authorities across the EU; within the European Data Protection Board and worldwide. This collaborative framework facilitates the exchange of best practices, the alignment of approaches, and the collective tackling of cross-border data protection challenges, augmenting the efficacy of our endeavors.
• Active participation in policy dialogues on both national and international levels, contributing substantively to the evolution of data protection laws that remain germane and efficacious in the face of AI and newly arising challenges.
• Engagement in research initiatives exploring the ethical, legal, and societal ramifications of emerging technologies. This engagement ensures that data protection advances in tandem with technological progress, preserving its relevance and effectiveness.