The post Data protection day 2025- presentation of GDPR compiance tool Olivia appeared first on Arc Rec Project.

On October 28, 2024, project partners of the ARC II (Awareness Raising Campaign for Small and Medium-sized Enterprises) project held a hybrid wrap-up meeting in Florence, Italy. The event was graciously hosted by the University of Florence.

The ARC II project, co-funded under the European Union’s Citizenship, Equality, Rights and Values (CERV) Programme, has been a collaborative effort spanning two years. The project partners include:

1. Croatian Personal Data Protection Agency (project coordinator)
2. Italian Data Protection Authority (Garante per la protezione dei dati personali)
3. Faculty of Organization and Informatics, University of Zagreb
4. Vrije Universiteit Brussel
5. University of Florence

The primary goal of ARCII was to support Small and Medium-sized Enterprises (SMEs) in their efforts to comply with the General Data Protection Regulation (GDPR) while reducing their administrative burden.

In his keynote speech Mr Zdravko Vukić, director of the Croatian DPA, vice president of the European Data Protection Board and member of the Steering Committee emphasized:

“Why have we dedicated so much time and resources to SMEs? First in ARCI project that we have been implementing with Irish data protection authority, then in ARCII project, for more than 4 years we have been investing a lot of efforts and time to help SMEs to understand and comply with their obligations arising from the GDPR. This is not without a reason.

More than 99% of all enterprises in EU are SMEs.  Small and medium-sized enterprises play a key role in the European economy, and of course in the Croatian economy. These enterprises are often described as the backbone of the economy as they constitute the majority of businesses in Europe. Even after more than 6 years of full implementation of the GDPR, a large number of them consider GDPR as a huge administrative and financial burden.

Thanks to the activities we’ve implemented, small and medium-sized enterprises have not only gained access to valuable information and achieved a higher level of GDPR compliance, but they have also been able to realize significant financial savings”.

The goal of the wrap up meeting was to present main outcome of the ARC2 project- web tool Olivia to stakeholders, take stock of project results, determine actions that need to be taken for the successful completion of the project as well as to exchange experiences and insights regarding GDPR implementation in SMEs with stakeholders. The event was divided in two parts: first one in English and second one in Italian, dedicated to presenting Olivia to Italian SMEs.

The meeting attracted a diverse group of attendees, including representatives from the European Commission, the European Data Protection Board (EDPB), various data protection authorities, small and medium-sized enterprises (SMEs), and legal practitioners.

A highlight of the event was the presentation of the Olivia web tool, developed as part of the ARC II project. Olivia will be permanently available, free of charge to all interested stakeholders: https://olivia-gdpr-arc.eu/hr 

Additionally, Ms Marianna Colonna from the EDPB showcased a practical tool specifically designed for SMEs (EDPB guide for SMEs). This resource, available in 17 languages, can be accessed at https://www.edpb.europa.eu/sme-data-protection-guide/home_en.

Participants also benefited from a presentation by Ms Pavlina Peneva from the European Commission, who detailed the opportunities offered by the Citizenship, Equality, Rights and Values (CERV) programme.

The CERV-2021-Data Call focuses on two main priorities:

1. Facilitating the implementation of General Data Protection Regulation (GDPR) obligations by SMEs.
2. Raising awareness about the GDPR among the general public.

Thanks to the funding provided under the CERV programme, data protection authorities across the European Union will have the opportunity to implement activities targeting SMEs and the general public. These initiatives aim to enhance awareness and knowledge of data protection principles and practices.

This collaborative approach, combining resources from EU institutions, national authorities, and academic partners, demonstrates a concerted effort to strengthen data protection practices across Europe, particularly focusing on the needs of SMEs and increasing public understanding of data protection rights and responsibilities.

Ms Pavlina also highlighted some recommendations from the second report on the GDPR:

• Further support businesses’ compliance efforts, especially SMEs
• Clear and actionable guidance from data protection authorities
• Data protection authorities to actively engage with organisations, especially SMEs
• Uptake the use of GDPR codes of conduct and certifications.

In line with the GDPR’s risk-based approach, SMEs carrying out low-risk processing activities do not bear a substantial compliance burden. SMEs carrying out low-risk processing may comply by maintaining simplified records based on templates provided by data protection authorities. Furthermore, such records should be seen as a useful tool for SMEs to take stock of their processing activities.

Olivia is an innovative platform that has been specifically designed to facilitate GDPR compliance for small and medium-sized enterprises in Croatia and Italy. Olivia is currently available in Croatian, Italian, and English, tailored to the needs of Croatian and Italian SMEs.

Olivia is developed in an open-source code, and it allows all data protection authorities to customize it to their national legislation and language. New languages and modules can be easily integrated, meaning Olivia can be useful to SMEs and data controllers across the EU.

What sets Olivia apart is its comprehensive coverage of not only GDPR but also Croatian and Italian data protection legal frameworks, making it particularly valuable for our SMEs.

Olivia is an e-learning platform comprising 15 learning modules that address all GDPR obligations. Each module includes theoretical and practical components:

1. Theoretical Part: SMEs can learn about GDPR basics, data protection impact assessment, lawful basis, data protection principles, technical and organizational measures, privacy policies, and more. Users can watch webinars, take tests, and upon achieving an 80% or higher score, receive a certificate of successful completion.
2. Practical Part: SMEs can create essential documents to demonstrate compliance, including privacy policies, records of processing activities, legitimate interest assessments, data protection impact assessments, video surveillance rulebooks, personal data protection rulebooks, and information security guidelines.

The post Final event in ARC2 project for SMEs: Meet Olivia, your GDPR compliance assistant appeared first on Arc Rec Project.

The principles of personal data processing are at the core of the General Data Protection Regulation (GDPR). Article 5 of the GDPR prescribes seven key principles related to the processing of personal data that data controllers and processors must adhere to:

1. Lawfulness, fairness, and transparency;
2. Purpose limitation;
3. Data minimization;
4. Accuracy;
5. Storage limitation;
6. Integrity and confidentiality;
7. Accountability.

These principles serve as the starting point for compliance with the GDPR, aiming to ensure compliance with data protection regulations and protect the rights of individuals (data subjects).

Understanding the principles of personal data processing is crucial for understanding the obligations under the GDPR. Before processing any personal data, companies (data controllers) must consider if such processing is lawful, fair, transparent, necessary for a specific purpose, if the personal data they hold is accurate, stored only for as long as necessary, and if appropriate measures have been taken to ensure the security of personal data commensurate with the risk.

The Croatian Personal Data Protection Agency invites all craftsmen, micro, small, and medium-sized entrepreneurs, as well as other interested data controllers, to free online education sessions conducted by the Agency within the framework of the EU ARC2 project aimed at providing support for compliance with the General Data Protection Regulation. Although the project is primarily intended for this targeted group, the activities carried out in the ARC2 project and the web tool Olivia can be beneficial to all organizations processing personal data, including all data controllers and processors in the private and public sectors.

The main result of this project is the web tool Olivia, which includes 15 GDPR courses, theoretical and practical modules that can help you understand GDPR obligations and create essential documents to demonstrate compliance with the GDPR. Olivia is also an excellent tool for raising awareness about data protection within an organization, as it includes knowledge tests through which employees can test their knowledge. If they achieve at least 80% correct answers, Olivia generates a certificate of successful module completion. Remember that one of the most important organizational measures for data protection is regular employee training and raising awareness about data protection.

We invite you to register and explore the content offered by the web tool Olivia: https://olivia-gdpr-arc.eu/en.

To access the webinar, registration on Zoom is required. By clicking the link for the specific webinar, a registration window will open where you need to enter your name, surname, and email address. After registration, you will receive a webinar link via email (if you do not receive the link, please check your spam folder or request the link again).

For certain webinars (listed below), no registration is required. By clicking the link, you will directly access the webinar (it is recommended to join 10-15 minutes before the start of the webinar).

The maximum number of participants for each webinar is 100. Reserve your spot on time.

AUGUST

August 22, 2024 – webinar “Principles relating to processing of personal data,” https://us02web.zoom.us/j/89755373014?pwd=HTFqKxqy4NCPAb716rf0hluWidPaaR.1 – no registration required, the link leads directly to the webinar

August 26, 2024 – webinar “Organizational and Technical Measures for Personal Data Protection”

ALL SPOTS ARE FILLED. NO MORE REGISTRATIONS POSSIBLE.

August 28, 2024 – webinar “Legal Bases for Personal Data Processing,” https://us02web.zoom.us/meeting/register/tZUldOuuqjspE9LkOURtyUSt5VLsVG5aF5T6

ALL SPOTS ARE FILLED. NO MORE REGISTRATIONS POSSIBLE.

SEPTEMBER

September 10, 2024 – webinar “Data Protection Officer,” https://us02web.zoom.us/meeting/register/tZItdu6srTwtHdc0VA1ve87zXnc64zPogo7W

September 12, 2024 – webinar “How to Process Personal Data in accordance with the new Regulation on the Content and Manner of Keeping Records of Employees Employed by the Employer,” https://us02web.zoom.us/meeting/register/tZclf-CrqDkrG9cxxgBy3wIGwJG6_Db

2.10.2024. webinar “Transfers of personal data to third countries”, https://us02web.zoom.us/j/88327000962?pwd=V9GD77f5xzcrwpzKz22aRRpcwWWo0Z.1 – no registration required, the link directly leads to the webinar

You can find the list of webinars n the website of the ARC2 project: https://arc-rec-project.eu/olivia-gdpr-2/.

The post Invitation to a free webinar “Principles of personal data processing”, August 22, 2024. appeared first on Arc Rec Project.

At the same time, the conference marked a date that marked an absolute turning point for the Agency – 25 May 2018, i.e. the start of the full application of the General Data Protection Regulation. This gave the Agency new corrective powers, i.e. the possibility to impose high administrative fines, 58 of which have so far been imposed for a total amount of 9,1 million euro.

The protection of personal data in the Republic of Croatia has been a constitutional category since the adoption of the first Constitution of the Republic of Croatia in 1990, and every citizen of the Republic of Croatia is guaranteed the protection of personal data as a fundamental human right. However, the first law regulating the field of personal data protection in the Republic of Croatia was adopted in 2003, when the Personal Data Protection Agency was established, which began its work in 2004. During its twenty years of operation, the Agency has achieved the best results so far last year, including the highest number of supervisory activities, as well as awareness-raising activities on the importance of the right to data protection as a fundamental right.

“The year behind us is particularly significant due to the imposition of the highest number of administrative fines, as well as the imposition of maximum amounts of administrative fines for infringements of the provisions of the GDPR. 28 administrative fines of 8.27 million euro were imposed. This puts us in the top ten in the EU for the total amount of administrative fines imposed in 2023. Considering that in 2020 the Agency was at the very bottom of this scale, our determination and commitment to the effective implementation of the General Data Protection Regulation, and thus the protection of human rights and freedoms, is more than evident”, said Director Zdravko Vukić.

Envoy of the Prime Minister of the Republic of Croatia, Minister of Justice, Administration and Digital Transformation Damir Habijan congratulated on 20 years of work and results achieved by the Agency in recent years. “Given the rapid development of both technology and digitalisation, as well as the development of artificial intelligence, there are certainly many challenges before the Personal Data Protection Agency, but also before the legislative bodies, which will have to change certain strategic documents and the normative legislative framework very soon. I am confident that the Agency will continue to deliver excellent results.”

The Personal Data Protection Agency as our national authority in the exercise of its competence has shown efficiency in the effective implementation of the General Data Protection Regulation. It is important to continue to work on educating and informing citizens in view of the increasingly demanding development of the digital society and artificial intelligence, which increasingly finds space in everyday activities and business processes.” said the envoy of the Croatian Parliament, MEP Nataša Tramišak.

“The unpredictable era of the fourth industrial revolution reminds us, more clearly than ever before, that we also have a global responsibility to protect our fundamental rights. Despite some shortcomings, there are no other global players alongside Europe to make the digital world more human-friendly,” said MEP Karlo Ressler.

Limor Shmerling Magazanik, Head of the OECD Accession Process on Data Governance, Privacy and Digital Security, pointed out the contribution of the DPA in the field of privacy and human rights protection, which ultimately resulted in a positive opinion of the OECD on the actions taken by the Republic of Croatia as a candidate for accession to the OECD.

The video message was also addressed by Ana Talus, Chair of the European Data Protection Board, and Wojciech Wiewiórowski, European Data Protection Supervisor, who pointed out that the Agency has made significant achievements and strong progress since the appointment of Zdravko Vukić as Director in 2020.

“I am pleased to see that this journey of the Data Protection Agency over the past two decades has been extraordinary and an example of adaptation in the new digital age, and your achievements have not only contributed to the protection of personal data in Croatia, but have also affected the wider European data protection environment,” said Wiewiórowski.

“The recent example of the ARCII project helping SMEs on their way to GDPR compliance, and the innovative online tool Olivia, a virtual GDPR compliance assistant, is the result of the director’s and his team’s commitment to raising awareness of the GDPR and helping organisations to become compliant,” Talus said, pointing out that the Agency also enjoys an international reputation.

Thematic presentations entitled “The right to data protection: The cornerstone of the rule of law in the digital age” was held by Matthias Schmidl, Commissioner of the Austrian Data Protection Supervisory Authority, Guido Scorza, Garante Privacy – Italian Supervisory Authority, Krenare Sogojeva Dermaku, Commissioner of the Information and Privacy Protection Agency, Republic of Kosovo, Ventsislav Karadjov, Chair of the Bulgarian Data Protection Supervisory Authority, and Mirosław Wróblewski, Chair of the Polish Data Protection Supervisory Authority, who inter alia thanked the Agency for their cooperation with each other and congratulated the successes achieved so far.

The successful implementation of the European project ARC II was the topic of the panel discussion “Untangling the GDPR Maze: project ARC II and Olivia’s Tailored Approach to Croatian and Italian SMEs Compliance”.  Within the project, which the Agency implements as a coordinator together with partners, the focus is on micro, small and medium-sized enterprises for which numerous trainings for entrepreneurs have been held. However, the main objective of the project is to create a digital tool “Olivia” – a tool that helps to draft internal acts by which entrepreneurs can prove their compliance and reliability and offers a number of learning modules to help entrepreneurs improve their knowledge in the field of personal data protection. The panel, moderated by Anamarija Mladinić, ARC II Project Manager and Head of the Agency, was an opportunity for panelists Luigi Montuori, the Italian Data Protection Supervisory Authority; Natalia Parlov Una, ACCREDI CERT; Marija Bošković Batarelo, Parser Compliance; Vlatka Vuković, Compliance Buro; Nikolina Staničić, Ericsson Nikola Tesla share their experiences during the implementation of the ARC II project. The Agency, as the coordinator, implements this project with partners Garante Privacy (Italian Data Protection Supervisory Authority), Faculty of Organization and Informatics in Varaždin, University of Florence, University of Brussels (Vrije). Mr Stephen Ryan, Assistant Commissioner in Data Protection Commision Ireland and Cong Yao from Vrije University of Brussels held the keynote speeches about their experiences in implementation of ARC1 and ARC2 projects.

In the part of the conference entitled Convention 108 + of the Council of Europe as the global privacy standard”, Marija Pejčinović Burić, addressed the public through the video message, announcing that last week the Council of Europe adopted the first international legally binding treaty aimed at ensuring respect for human rights, the rule of law and democratic legal standards in the use of artificial intelligence systems. The Treaty, which is also open to non-European countries, sets out a legal framework that covers the entire lifecycle of AI systems and addresses the risks they may pose, while promoting responsible innovation. “The Global Agreement is designed to ensure that artificial intelligence supports common standards in the democracy of human rights and the rule of law and does not undermine them and recognizes the inherent link between the protection of personal data and regulating their use for the development of training and management of artificial intelligence systems.”, said Pejčinović Burić, adding that “The constant success of the Agency is proof of the country’s commitment to the protection of personal data, and we can see this important commitment at the international level. Croatia was among the first States to accede to a new protocol designed to ensure that the Council of Europe Convention on Data Protection remains fit for the future.”

Elsa Mein, Chair of the Committee of Convention 108 of the Council of Europe, spoke about Convention 108+, congratulating the Croatian Personal Data Protection Agency, and pointing out that she appreciates the efforts made by the Agency in the Consultative Committee of Convention 108 of the Council of Europe.

The conference concluded with a panel discussion entitled “Interplay between the Artificial Intelligence Act and the GDPR: How to develop human-centered AI” moderated by Martin de Moor from the Belgian Data Protection Authority. The panelists Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board, Limor Shmerling Magazanik from the OECD, Matthias Schmidl, Commissioner of the Austrian Data Protection Authority; Brendan Van Alsenoy, Deputy Head of Unit “Policy and Consultation”, European Data Protection Supervisor,  and Andries Küter, representative of the Federal Commissioner for Data Protection and Freedom of Information (BfDI discussed the potential new roles and tasks of data protection supervisory authorities in relation to the application of the AI Act. Participants of the conference  had the opportunity to deepen their understanding of legal and ethical aspects related to the development and use of artificial intelligence and the protection of fundamental rights and freedoms.

The post ARC 2 international conference”Risks and GDPR Compliance in the Age of Artificial Intelligence” appeared first on Arc Rec Project.

The post Data Protection Day 2024: presenting ARC2 Olivia web tool and discussing AI appeared first on Arc Rec Project.

The University of Florence conducted a validation workshop for Italian SMEs on December 14, 2023, with approximately 50 participants in attendance. The workshop had three main objectives:

• Evaluate how effective Olivia is in enhancing SMEs’ understanding of GDPR.
• Assess Olivia’s capability in assisting with the creation of compliance documents.
• Gather feedback from SME representatives and data protection experts on the tool’s functionality and user experience.

To engage SMEs and scholars, invitations were sent via email to representatives of associations in Italy, and a specific call was made during the meetings organized by the Garante Privacy in December.

Based on the workshop findings, the following recommendations are proposed:

• Content Expansion: Enrich the learning modules with more industry-specific content and scenarios.
• Template Diversification: Increase the variety of templates and document examples available in Olivia to cover a wider range of data protection situations.
• Enhanced Guidance: Implement more comprehensive tutorials or guides to support SMEs with limited prior knowledge of GDPR.

The online validation workshop for the Olivia Tool has highlighted its potential as a valuable asset for SMEs striving for GDPR compliance. The feedback received offers valuable insights for further refining the tool to ensure it meets the diverse needs of SMEs in Croatia and Italy. Continuous development and iteration, guided by user feedback, will be crucial in maximizing the effectiveness and accessibility of Olivia in the field of data protection compliance.

The post Olivia web tool-validation workshop for Italian SMEs on December 14, 2023 appeared first on Arc Rec Project.

“OLIVIA” is a virtual teacher and assistant for GDPR compliance, allowing entrepreneurs to learn about their basic obligations, test their knowledge, and create essential documents to prove compliance with personal data protection regulations.

During the introductory address, director Zdravko Vukić expressed satisfaction that the Agency, along with its partners, has the opportunity to develop a tool for entrepreneurs that will be free and accessible to everyone. “We are aware that micro, small, and medium-sized enterprises, as well as craftsmen, often lack the financial resources and human resources needed for compliance with data protection regulations. However, within the European project ARC2, we conduct numerous educations to help them resolve uncertainties they continue to face, but the internet tool ‘OLIVIA’ is certainly a significant step forward. The goal is to provide entrepreneurs with a concrete tool that will be available to them at all times and provide them with all the necessary information in one place,” said director Vukić.

Namely, “OLIVIA,” which will consist of 15 modules in the final phase, simplifies access to knowledge frameworks, rules, and procedures.

The project leader of ARC2, Anamarija Mladinić, presented the project and the internet tool “OLIVIA,” emphasizing that the majority of micro, small entrepreneurs, and craftsmen in Croatia have not taken even the basic steps to comply with GDPR. Still, they will now have access to a tool that will assist them in this process. This was confirmed by entrepreneurs who tested “OLIVIA” yesterday.

You can test Olivia at the link https://olivia-gdpr-arc.eu/hr.

The post Presentation of GDPR compliance webtool “Olivia” appeared first on Arc Rec Project.

On Thursday, 12 October 2023, as part of the ARC2 project, GDPR consultant at Horvath Wolf d.o.o. Vlatka Vuković held a free for micro, small and medium-sized enterprises and craftsmen.

All data controllers and data processors, regardless of activity, process personal data of their employees and associates. The processing of workers’ data begins with the publication of a vacancy notice or the collection of open requests from interested candidates, and continues after the termination of the employment relationship. Throughout this time, it is necessary to ensure the lawfulness of the processing and to adequately protect the data, as well as the privacy of workers.

This online workshop covers the obligations of employers under the General Data Protection Regulation in all the most important processes of processing personal data in an employment relationship with a multitude of practical examples and an overview of the case law and decisions of supervisory authorities. Thus, participants had the opportunity to hear about the appropriate legal bases for the processing of workers’ data, including consent in employment relationships, i.e. that for most data processing at the workplace, the consent of the worker cannot and should not be a legal basis due to the nature of the relationship between the employer and the employee.

Vlatka Vuković shared her rich and useful practical experience with the participants of the workshop, providing advice to the controllers/processors and expertly responding to numerous questions from the workshop participants. Inspired by the enormous (maximum) interest in this workshop, we decided to develop guidelines on the topic of personal data processing in employment relationships.

All educational materials, guidelines, footage of the workshop will be part of Olivia web tool on which we work diligently and that will be soon online.

About the processing of data in the employment relationship, the supervision of workers and their rights, as well as many other useful information can be found in the presentation used at the workshop at the link: https://arc-rec-project.eu/wp-content/uploads/2023/10/ARC2-GDPR-U-HR.pdf

The post ARC2 workshop for SMEs online workshop “Processing and protection of personal data in employment relationships” appeared first on Arc Rec Project.

Using the “http” network protocol, which is not encrypted and not secure, to access the “online services” of a website does not give adequate protection to the data of customers registered in the reserved area.

The use of a non-encrypted protocol violates important principles established by the European GDPR Regulation, such as that of “integrity and confidentiality” of the data processed. The data controller must implement technical and organizational measures suitable to guarantee a level of security appropriate to the risk (e.g. encryption of personal data) and adopt adequate systems to protect personal data right from the design phase (privacy by design), subsequently carrying out periodic reviews of the safety measures in place.

It is also good to know that these obligations also apply to systems pre-existing on the date of entry into force of the GDPR (25^th May 2018).

More information available at:

The post Online services, the use of secure protocols is required appeared first on Arc Rec Project.

Given their nature, biometric data is particularly sensitive and warrants specific protection due to its potential risks to fundamental rights and freedoms if mishandled.

In general, the processing of special data is prohibited. However, the General Data Protection Regulation (GDPR) allows for exceptions outlined in Article 9.

It is important to note that photographs do not fall into the category of special data unless they are processed through technical devices specifically designed for the unique identification of individuals.

The post VERY SPECIAL PERSONAL DATA/2 appeared first on Arc Rec Project.