How to harmonize business with the GDPR, which are all obligations regarding the collection and processing of personal data and which are specific to the private security sector, was presented at today’s free online interactive workshop organized by the AZOP and the Croatian Chamber of Economy.

On behalf of the director of AZOP, Zdravko Vukic, the participants were welcomed by Mario Milner, Senior Advisor Specialist. He underlined that the workshop is held within the framework of the implementation of the EU project ARC (Awareness Raising Campaign for SMEs) with the aim of supporting small and medium-sized enterprises in harmonizing business processes with the GDPR

The principles of personal data processing are the legality, fairness and transparency, limitation of purposes, reduction of data volume, accuracy, storage restriction, integrity and confidentiality, noting that the controller is responsible for compliance and must be able to prove it.

Participants were more interested in processing personal data through video surveillance (supervision of workspaces, residential buildings and public areas) to which, unless otherwise specified by the law, provisions of the Act on the Implementation of the General Data Protection Regulation apply. Such a video surveillance may include; premises, parts of rooms, external surfaces of the facility, as well as internal space in public transport. On the other hand, the controller/processor is obliged to mark that the object or particular room therein and the external surface of the facility are under video surveillance, and the label should be visible at the latest when entering the recording perimeter. The notification should contain all relevant information under the Regulation, in particular a simple and easily understandable picture accompanied by a text providing data subjects with information that the space is under video surveillance, data on the controller and contact through which the data subject can exercise his rights. Recordings obtained through video surveillance may be kept for a maximum period of six months, unless another law prescribes a longer storage period or where the evidence is in a judicial, administrative, arbitral or other equivalent procedure.




The training also included the processing of biometric data defined as personal data obtained by special technical processing related to the physical or physiological characteristics of an individual which enables or confirms the unique identification of that individual, such as footprints of papillary fingertips, palms and feet, photographs, facial images, DNA profile and eye iris. The legal basis for processing the data subject’s biometric data for the purpose of the safe identification of service users is the explicit consent of such data subject given in accordance with the provisions of the General Data Protection Regulation.




As regards personal data in the context of the civil-19 pandemic, it has been pointed out that controllers engaged in service activities are obliged to take care that, in accordance with the Recommendation of the Croatian Employment Service, personal data relevant for achieving the determined purpose for which they are processed are collected/processed (prevention of the spread of the pandemic – endangerment of public health). The introduction of the General Data Protection Regulation has also been pointed out, saying that the processing of personal data should be designed in such a way as to serve mankind. It also prescribes that the right to the protection of personal data is not an absolute right and must be considered in relation to its function in society and harmonised with other fundamental rights in accordance with the principle of proportionality.