The Croatian Personal Data Protection Agency together with the Croatian Chamber of Commerce and the University of the North, on May 5, 2023, organized an event titled “5 years of application of the GDPR: problems, solutions, fines, and examples of good practice”.

In the premises of the Croatian Chamber of Commerce, data controllers/processors and data protection officers had the opportunity to find out more about the latest trends and examples of good practice in the scope of personal data protection, and to share, with the experts from the Agency, some issues they face while implementing the General Data Protection Regulation, which is directly applicable in the European Union from May 25, 2018, and with the support of experts, finding solutions that will raise the level of compliance in their organizations to a higher level.

“It is the last moment for all data controllers/processors to realize that the deadline for adaptation has long passed and that after five years from the start of the full application of the General Data Protection Regulation, that lack of information and ignorance cannot be an excuse and justification for violating the fundamental rights of Croatian citizens. Therefore, by organizing educational activities, like this one, we provide help to data controllers/processors in solving all the doubts they face while trying to comply with the General Data Protection Regulation”, said the Director of the Agency Zdravko Vukić.

“Investing in the protection of personal data is an investment that, especially in the private sector, but also in all other organizations, guarantees sustainability on the market. Protecting information assets and preserving capital is a big and responsible task for all of us”, said Petar Mišević, advisor of the president of the Croatian Chamber of Commerce and vice-chancellor of the University of the North.

Also, as part of its advisory role, the Agency continuously organizes various educational activities addressed at all target groups, especially SMEs and data protection officers. However, the educational and supervisory activities carried out by the Agency have shown that the level of compliance with the legislative framework of data protection in the Republic of Croatia is still not at a satisfactory level. For this reason, this year and also the previous years, the Agency intensified its investigation activities, which resulted in the largest number of imposed administrative fines for violations of legal regulations on the protection of personal data – only this year 13 administrative fines were imposed in the total amount of 2.3 million euros.

During the event, Anamarija Mladinić, project manager of the EU funded project ARC 2 presented the project activities and expected project results. The main results of the ARC 2 project will be web tool Olivia, 20 GDPR workshops for Croatian and Italian SMEs, and 2 international conferences.

The main objective of the Olivia web tool is to provide practical support to Croatian and Italian SMEs in the implementation of the data protection legislation and principles in the day to-day business activities. Users of the Olivia web tool will be provided with templates for GDPR documentation and clear and concise instructions for SMEs on how to align their data processing activities with the Croatian and Italian data protection legal frameworks.  

Olivia web tool will be structured in four sections: theoretical module, practical module, webinars and news. It will be interoperable tool, developed as an open-source product, adaptable to the needs of SMEs from other EEA countries, free to use for all SMEs and all data controllers/processors to whom it might be useful.It will be available in English, Italian and Croatian language.

Both modules (theoretical and practical) will consist of at least 15 courses on following topics:

1) GDPR basics

2) data protection principles

3) lawful basis for processing of personal data

4) privacy policy

5) data protection officer

6) data protection impact assessment

7) records of processing activities

8) contract between data controller and data processor

9) organisational measures

10) technical measures

11) monitoring property and people

12) cookies and other tracking technologies

13) data subject rights

14) data transfers

15) data breaches

All SMEs were invited to participate in the ARC2 workshops in June, and informed that the schedule is available on ARC 2 website:

The fines for the infringements of the GDPR and the Law on the Implementation of the GDPR were one of the topics on this event. Also, the representatives of the Agency talked about harmonizing business processes with the GDPR, especially about the most common mistakes of the SMEs; technical and organizational data protection measures – examples of good practice; how to prepare for the Agency’s supervision and investigative actions and about the European Data Protection Board Coordinated Enforcement  Action on role of data protection officers.