Selected aspects of proposed new EU general data protection legal framework and the Croatian perspective

• Author: Nina Gumzej
• Position: Faculty of Law, University of Zagreb
• Pages: 178-201

Selected aspects of proposed new EU general data protection legal

framework and the Croatian perspective

Senior assistant – lecturer PhD Nina GUMZEJ

1

Abstract

Proposed new EU general data protection legal fra mework pro foundly a ffects a

large number of day-to-day business opera tions of organizations processing persona l data

and calls for significa nt effort on their part toward the nec essar y legal-regu latory

compliance. In this paper the a uthor examines key legisla tive developments towards this

new EU fra me a nd impact for the Republic of Cr oatia a s the youngest EU Member Sta te.

Following introductor y overview, legal analysis of dra ft EU Genera l Data Pr otection

Regulation as pr oposed by the European Commission and recently a dopted amendments by

the European Pa rliament mainly focuses on selected solutions impacting na tional data

protection super visory author ities. This is complemented with examination of relevant

sources of EU law, including the case law of the Court of Justice of the Eur opean Union.

Assessment of r esults of this resea rch is next made with respect to prospects of the data

protection legal framework of th e Republic of Croatia. The pa per is concluded with the

author’s critical overview of analyzed EU proposals impacting national data protection

supervisory author ities in light of EU pivotal goa ls, and de lege ferenda prop osals to timely

address identified obstacles towards more adequate enforcement of data protection

legislation in Cr oatia.

Keywords: right to persona l data pro tection, independent super visory authority,

General Da ta Protection Regulation, Croa tian Persona l Data Pr otection Act.

JEL Classification: K20

1. Introduction

Many organizations EU-wide nowadays invest considerable effort towards

meeting compliance with the personal data protection legislation. The overreaching

material scope of application of relevant rules is one reason for this, given that a

large number of day-to-day activities will entail the so-called processing of

personal data of individuals. Namely, according to the legal framework of the

European Union personal data (further also referred to as data) entail any

information relating to identified or identifiable natural person, i.e. data subject.2

Processing personal data denotes a broad range of operations that can be performed

1 Nina Gumzej - Faculty of Law, University of Zagreb, nina.gumzej@pravo.hr

2 ‘Personal data’ shall mean any information relating to an identified or identifiable natural person

('data subject'); an identifiable person is one who can be identified, directly or indirectly, in

particular by reference to an identification number or to one or more factors specific to his physical,

physiological, mental, economic, cultural or social identity. Article 2(a) of Directive 95/46/EC of

the European Parliament and of the Council of 24 October 1995 on the protection of individuals

with regard to the processing of personal data and on the free movement of such data, Official

Journal of the European Union L 281, 23. 11. 1995, pp. 31–50 (General Data Protection Directive).

Additionally see recital 26 of the General Data Protection Directive.

Juridical Tribune Volume 3, Issue 2, December 2013

179

on them, which include but are not limited to collection, storage and erasure of

personal data.

3 These concepts subsist also in the online environment.4

Furthermore, an organization such as, for example, a multinational sportswear

company with an EU-wide retail market typically must ensure compliance of data

processing operations with the data protection legislation of each respective

Member State. Harmonization of national laws has to some extent already been

achieved with implementation of Directive 95/46/EC on the protection of

individuals with regard to the processing of persona l data and on the free

movement of such data (further: General Data Protection Directive).5 However,

better consistency in harmonizing relevant rules in all EU Member States is set to

take place with the currently ongoing revision of this directive. In fact, according to

current draft text6, the new EU legal framework on general personal data protection

is to be adopted in form of a regulation (General Data Protection Regulation).7

This means that the new rules would apply, unlike the General Data Protection

Directive, directly and entirely in all Member States of the European Union,

including its youngest member – the Republic of Croatia.

Independent authorities supervising personal data processing and ensuring

the protection of rights of individuals are key actors in the EU-wide effective frame

mentioned above. This is the reason why I chose to focus main research in this

paper, following an introductory overview with respect to developments of the

relevant new framework, to selected rules impacting data protection supervisory

authorities in European Union Member States. The rules are examined on the basis

of current draft text of Regulation8, which in addition to the initial draft proposal

3 'Processing of personal data' ('processing') shall mean any operation or set of operations which is

performed upon personal data, whether or not by automatic means, such as collection, recording,

organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by

transmission, dissemination or otherwise making available, alignment or combination, b locking,

erasure or destruction. Article 2(b) of the General Data Protection Directive, ibid. For more details

on scope of application, see Article 3 of this directive.

4 This is acknowledged also in the relevant case law of the Court of Justice of the European Union,

see: C-70/10 Scarlet Extended SA v Société Belge des auteurs, compositeurs et éditeurs (SABAM),

(2011) European Court Reports, I-11959, paragraph 51; C-360/10 Belgische Vereniging van

Auteurs, Componisten en Uitgevers (Sabam) v Netlog NV, (2012) European Court Reports,

paragraph 49.

5 Directive 95/46/EC, op. cit. at note 1.

6 European Commission, P roposal for a Regulation of the European P arliament a nd of the Council

on the protection of individuals with r egard to the processing of persona l da ta a nd on the free

movement of such data (Genera l Data Pr otection Regulation), COM (2012) 11 final, 2012/0011

(COD), Brussels, 25.1.2012; European Parliament, Committee on Civil Liberties, Justice and Home

Affairs, Background documents and Compromise amendments (October 2 1, 2013 - meeting),

Compromise amendments 01 – 29; 30 – 91, http://www.europarl.europa.eu/meetdocs/

2009_2014/organes/libe/libe_20131021_1830.htm (last accessed 28.10.2013).

7 Article 288 of the Treaty on the Functioning of the European Union.

8 Original Commission's Proposal (2012) and compromise text - adop ted amendments by the

European Parliament (2013), op. cit. at note 5. In the analysis I shall in most cases refer to both th e

Proposal and amended d raft text as constituting current (amended) draft text. However, where

amendments by the Parliament are prevailing (e.g. newly added articles and/or new solutions

proposed), reference may only be made to its amendments in the current draft text of Regulation.