Selected aspects of proposed new EU general data protection legal framework and the Croatian perspective

Author:Nina Gumzej
Position:Faculty of Law, University of Zagreb
Selected aspects of proposed new EU general data protection legal
framework and the Croatian perspective
Senior assistant lecturer PhD Nina GUMZEJ
Proposed new EU general data protection legal fra mework pro foundly a ffects a
large number of day-to-day business opera tions of organizations processing persona l data
and calls for significa nt effort on their part toward the nec essar y legal-regu latory
compliance. In this paper the a uthor examines key legisla tive developments towards this
new EU fra me a nd impact for the Republic of Cr oatia a s the youngest EU Member Sta te.
Following introductor y overview, legal analysis of dra ft EU Genera l Data Pr otection
Regulation as pr oposed by the European Commission and recently a dopted amendments by
the European Pa rliament mainly focuses on selected solutions impacting na tional data
protection super visory author ities. This is complemented with examination of relevant
sources of EU law, including the case law of the Court of Justice of the Eur opean Union.
Assessment of r esults of this resea rch is next made with respect to prospects of the data
protection legal framework of th e Republic of Croatia. The pa per is concluded with the
author’s critical overview of analyzed EU proposals impacting national data protection
supervisory author ities in light of EU pivotal goa ls, and de lege ferenda prop osals to timely
address identified obstacles towards more adequate enforcement of data protection
legislation in Cr oatia.
Keywords: right to persona l data pro tection, independent super visory authority,
General Da ta Protection Regulation, Croa tian Persona l Data Pr otection Act.
JEL Classification: K20
1. Introduction
Many organizations EU-wide nowadays invest considerable effort towards
meeting compliance with the personal data protection legislation. The overreaching
material scope of application of relevant rules is one reason for this, given that a
large number of day-to-day activities will entail the so-called processing of
personal data of individuals. Namely, according to the legal framework of the
European Union personal data (further also referred to as data) entail any
information relating to identified or identifiable natural person, i.e. data subject.2
Processing personal data denotes a broad range of operations that can be performed
1 Nina Gumzej - Faculty of Law, University of Zagreb,
2 ‘Personal data’ shall mean any information relating to an identified or identifiable natural person
('data subject'); an identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity. Article 2(a) of Directive 95/46/EC of
the European Parliament and of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data, Official
Journal of the European Union L 281, 23. 11. 1995, pp. 3150 (General Data Protection Directive).
Additionally see recital 26 of the General Data Protection Directive.
Juridical Tribune Volume 3, Issue 2, December 2013
on them, which include but are not limited to collection, storage and erasure of
personal data.
3 These concepts subsist also in the online environment.4
Furthermore, an organization such as, for example, a multinational sportswear
company with an EU-wide retail market typically must ensure compliance of data
processing operations with the data protection legislation of each respective
Member State. Harmonization of national laws has to some extent already been
achieved with implementation of Directive 95/46/EC on the protection of
individuals with regard to the processing of persona l data and on the free
movement of such data (further: General Data Protection Directive).5 However,
better consistency in harmonizing relevant rules in all EU Member States is set to
take place with the currently ongoing revision of this directive. In fact, according to
current draft text6, the new EU legal framework on general personal data protection
is to be adopted in form of a regulation (General Data Protection Regulation).7
This means that the new rules would apply, unlike the General Data Protection
Directive, directly and entirely in all Member States of the European Union,
including its youngest member the Republic of Croatia.
Independent authorities supervising personal data processing and ensuring
the protection of rights of individuals are key actors in the EU-wide effective frame
mentioned above. This is the reason why I chose to focus main research in this
paper, following an introductory overview with respect to developments of the
relevant new framework, to selected rules impacting data protection supervisory
authorities in European Union Member States. The rules are examined on the basis
of current draft text of Regulation8, which in addition to the initial draft proposal
3 'Processing of personal data' ('processing') shall mean any operation or set of operations which is
performed upon personal data, whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, b locking,
erasure or destruction. Article 2(b) of the General Data Protection Directive, ibid. For more details
on scope of application, see Article 3 of this directive.
4 This is acknowledged also in the relevant case law of the Court of Justice of the European Union,
see: C-70/10 Scarlet Extended SA v Société Belge des auteurs, compositeurs et éditeurs (SABAM),
(2011) European Court Reports, I-11959, paragraph 51; C-360/10 Belgische Vereniging van
Auteurs, Componisten en Uitgevers (Sabam) v Netlog NV, (2012) European Court Reports,
paragraph 49.
5 Directive 95/46/EC, op. cit. at note 1.
6 European Commission, P roposal for a Regulation of the European P arliament a nd of the Council
on the protection of individuals with r egard to the processing of persona l da ta a nd on the free
movement of such data (Genera l Data Pr otection Regulation), COM (2012) 11 final, 2012/0011
(COD), Brussels, 25.1.2012; European Parliament, Committee on Civil Liberties, Justice and Home
Affairs, Background documents and Compromise amendments (October 2 1, 2013 - meeting),
Compromise amendments 01 29; 30 91,
2009_2014/organes/libe/libe_20131021_1830.htm (last accessed 28.10.2013).
7 Article 288 of the Treaty on the Functioning of the European Union.
8 Original Commission's Proposal (2012) and compromise text - adop ted amendments by the
European Parliament (2013), op. cit. at note 5. In the analysis I shall in most cases refer to both th e
Proposal and amended d raft text as constituting current (amended) draft text. However, where
amendments by the Parliament are prevailing (e.g. newly added articles and/or new solutions
proposed), reference may only be made to its amendments in the current draft text of Regulation.

To continue reading

Request your trial