On Friday, 24 May 2024, the Croatian Personal Data Protection Agency organized an international conference to present the results of ARC2 project and to celebrate the 20th anniversary of the establishment of the Croatian Personal Data Protection Agency. The conference titled “Risks and GDPR Compliance in the Age of Artificial Intelligence” was held at the Esplanade Hotel in Zagreb.

At the same time, the conference marked a date that marked an absolute turning point for the Agency – 25 May 2018, i.e. the start of the full application of the General Data Protection Regulation. This gave the Agency new corrective powers, i.e. the possibility to impose high administrative fines, 58 of which have so far been imposed for a total amount of 9,1 million euro.

The protection of personal data in the Republic of Croatia has been a constitutional category since the adoption of the first Constitution of the Republic of Croatia in 1990, and every citizen of the Republic of Croatia is guaranteed the protection of personal data as a fundamental human right. However, the first law regulating the field of personal data protection in the Republic of Croatia was adopted in 2003, when the Personal Data Protection Agency was established, which began its work in 2004. During its twenty years of operation, the Agency has achieved the best results so far last year, including the highest number of supervisory activities, as well as awareness-raising activities on the importance of the right to data protection as a fundamental right.

“The year behind us is particularly significant due to the imposition of the highest number of administrative fines, as well as the imposition of maximum amounts of administrative fines for infringements of the provisions of the GDPR. 28 administrative fines of 8.27 million euro were imposed. This puts us in the top ten in the EU for the total amount of administrative fines imposed in 2023. Considering that in 2020 the Agency was at the very bottom of this scale, our determination and commitment to the effective implementation of the General Data Protection Regulation, and thus the protection of human rights and freedoms, is more than evident”, said Director Zdravko Vukić.

Envoy of the Prime Minister of the Republic of Croatia, Minister of Justice, Administration and Digital Transformation Damir Habijan congratulated on 20 years of work and results achieved by the Agency in recent years. “Given the rapid development of both technology and digitalisation, as well as the development of artificial intelligence, there are certainly many challenges before the Personal Data Protection Agency, but also before the legislative bodies, which will have to change certain strategic documents and the normative legislative framework very soon. I am confident that the Agency will continue to deliver excellent results.”

The Personal Data Protection Agency as our national authority in the exercise of its competence has shown efficiency in the effective implementation of the General Data Protection Regulation. It is important to continue to work on educating and informing citizens in view of the increasingly demanding development of the digital society and artificial intelligence, which increasingly finds space in everyday activities and business processes.” said the envoy of the Croatian Parliament, MEP Nataša Tramišak.

“The unpredictable era of the fourth industrial revolution reminds us, more clearly than ever before, that we also have a global responsibility to protect our fundamental rights. Despite some shortcomings, there are no other global players alongside Europe to make the digital world more human-friendly,” said MEP Karlo Ressler.

Limor Shmerling Magazanik, Head of the OECD Accession Process on Data Governance, Privacy and Digital Security, pointed out the contribution of the DPA in the field of privacy and human rights protection, which ultimately resulted in a positive opinion of the OECD on the actions taken by the Republic of Croatia as a candidate for accession to the OECD.

The video message was also addressed by Ana Talus, Chair of the European Data Protection Board, and Wojciech Wiewiórowski, European Data Protection Supervisor, who pointed out that the Agency has made significant achievements and strong progress since the appointment of Zdravko Vukić as Director in 2020.

“I am pleased to see that this journey of the Data Protection Agency over the past two decades has been extraordinary and an example of adaptation in the new digital age, and your achievements have not only contributed to the protection of personal data in Croatia, but have also affected the wider European data protection environment,” said Wiewiórowski.

“The recent example of the ARCII project helping SMEs on their way to GDPR compliance, and the innovative online tool Olivia, a virtual GDPR compliance assistant, is the result of the director’s and his team’s commitment to raising awareness of the GDPR and helping organisations to become compliant,” Talus said, pointing out that the Agency also enjoys an international reputation.

Thematic presentations entitled “The right to data protection: The cornerstone of the rule of law in the digital age” was held by Matthias Schmidl, Commissioner of the Austrian Data Protection Supervisory Authority, Guido Scorza, Garante Privacy – Italian Supervisory Authority, Krenare Sogojeva Dermaku, Commissioner of the Information and Privacy Protection Agency, Republic of Kosovo, Ventsislav Karadjov, Chair of the Bulgarian Data Protection Supervisory Authority, and Mirosław Wróblewski, Chair of the Polish Data Protection Supervisory Authority, who inter alia thanked the Agency for their cooperation with each other and congratulated the successes achieved so far.

The successful implementation of the European project ARC II was the topic of the panel discussion “Untangling the GDPR Maze: project ARC II and Olivia’s Tailored Approach to Croatian and Italian SMEs Compliance”.  Within the project, which the Agency implements as a coordinator together with partners, the focus is on micro, small and medium-sized enterprises for which numerous trainings for entrepreneurs have been held. However, the main objective of the project is to create a digital tool “Olivia” – a tool that helps to draft internal acts by which entrepreneurs can prove their compliance and reliability and offers a number of learning modules to help entrepreneurs improve their knowledge in the field of personal data protection. The panel, moderated by Anamarija Mladinić, ARC II Project Manager and Head of the Agency, was an opportunity for panelists Luigi Montuori, the Italian Data Protection Supervisory Authority; Natalia Parlov Una, ACCREDI CERT; Marija Bošković Batarelo, Parser Compliance; Vlatka Vuković, Compliance Buro; Nikolina Staničić, Ericsson Nikola Tesla share their experiences during the implementation of the ARC II project. The Agency, as the coordinator, implements this project with partners Garante Privacy (Italian Data Protection Supervisory Authority), Faculty of Organization and Informatics in Varaždin, University of Florence, University of Brussels (Vrije). Mr Stephen Ryan, Assistant Commissioner in Data Protection Commision Ireland and Cong Yao from Vrije University of Brussels held the keynote speeches about their experiences in implementation of ARC1 and ARC2 projects.

In the part of the conference entitled Convention 108 + of the Council of Europe as the global privacy standard”, Marija Pejčinović Burić, addressed the public through the video message, announcing that last week the Council of Europe adopted the first international legally binding treaty aimed at ensuring respect for human rights, the rule of law and democratic legal standards in the use of artificial intelligence systems. The Treaty, which is also open to non-European countries, sets out a legal framework that covers the entire lifecycle of AI systems and addresses the risks they may pose, while promoting responsible innovation. “The Global Agreement is designed to ensure that artificial intelligence supports common standards in the democracy of human rights and the rule of law and does not undermine them and recognizes the inherent link between the protection of personal data and regulating their use for the development of training and management of artificial intelligence systems.”, said Pejčinović Burić, adding that “The constant success of the Agency is proof of the country’s commitment to the protection of personal data, and we can see this important commitment at the international level. Croatia was among the first States to accede to a new protocol designed to ensure that the Council of Europe Convention on Data Protection remains fit for the future.”

Elsa Mein, Chair of the Committee of Convention 108 of the Council of Europe, spoke about Convention 108+, congratulating the Croatian Personal Data Protection Agency, and pointing out that she appreciates the efforts made by the Agency in the Consultative Committee of Convention 108 of the Council of Europe.

The conference concluded with a panel discussion entitled “Interplay between the Artificial Intelligence Act and the GDPR: How to develop human-centered AI” moderated by Martin de Moor from the Belgian Data Protection Authority. The panelists Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board, Limor Shmerling Magazanik from the OECD, Matthias Schmidl, Commissioner of the Austrian Data Protection Authority; Brendan Van Alsenoy, Deputy Head of Unit “Policy and Consultation”, European Data Protection Supervisor,  and Andries Küter, representative of the Federal Commissioner for Data Protection and Freedom of Information (BfDI discussed the potential new roles and tasks of data protection supervisory authorities in relation to the application of the AI Act. Participants of the conference  had the opportunity to deepen their understanding of legal and ethical aspects related to the development and use of artificial intelligence and the protection of fundamental rights and freedoms.