
AZOP (Croatia) - UP/I-034-01/24-01/33

From GDPRhub
Revision as of 13:39, 22 April 2025 by Tjk
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 37(7) GDPR
Article 38(6) GDPR
Type: Investigation
Outcome: Violation Found
Started: 20.03.2023
Decided: 23.12.2024
Published: 15.04.2025
Fine: 12,000 EUR
Parties: n/a
National Case Number/Name: UP/I-034-01/24-01/33
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: tjk

The DPA held that appointing a procurator of a company as its DPO constitutes a conflict of interest and thus a violation of Article 38(6) GDPR. For this, and for the failure to name the DPO in accordance with Article 37(6) GDPR on the company's website, the DPA fined the company €12,000.

English Summary

Facts

As part of the implementation of the coordinated activity of the European Data Protection Board (EDPB), the DPA assessed whether DPOs have an adequate role, as well as the resources necessary to perform their tasks, by conducting a survey among DPOs in Croatia.

Following that questionnaire, the DPA requested a statement and documentation from the controller (a company) on the role of the DPO within the controller's organisational framework.

The appointed DPO is also the controller's procurator. In addition, the contact details of the DPO were not visible on the controller's website; in a second request for a statement, the DPA therefore asked the controller to explain why the DPO's contact details had not been published there.

In the same request, the DPA also asked the controller to explain how the powers of the procurator do not affect the determination of the purpose and means of processing within the controller's organisation.

The controller submitted that the powers of the procurator are completely separate from the tasks of the DPO. Regarding the contact details on the controller's official website, the controller stated that they were missing due to an oversight by the developer of the page.

Holding

The DPA concluded from Article 37(5), (6), (7) GDPR in conjunction with Article 38 GDPR and Article 39(1) GDPR that a conflict of interest will not generally arise if the DPO, in addition to his tasks, also performs other tasks and duties which are exclusively advisory or supervisory in nature, or if this other role performed by the DPO cannot influence the purposes and means of the processing of personal data.

The DPA stated that Article 38(6) GDPR establishes a safeguard mechanism that prevents the DPO from finding himself in a conflict of interest while performing his tasks prescribed by the GDPR. The DPA interpreted this as meaning that the DPO cannot be an employee of the controller who determines the reason (purpose) and the manner (means) of the processing of personal data, or who can have a direct influence on the determination.

The DPA found that the role of the procurator is one of the most important roles within a company. In accordance with national law, a procurator may conclude all contracts and undertake all legal actions in the name and on behalf of the company and represent it in proceedings before administrative and other state bodies, institutions with public law powers, and state and elected courts. Thus, the DPA considered that when the procurator also performs the tasks of the DPO, he can inevitably influence the determination of the purpose and means of the processing of personal data within the controller and is therefore in a conflict of interest.

The DPA emphasised that representing the company in the broadest possible form means, for the DPO, a conflict of interest in performing his/her tasks, since taking care of risks and informing about possible violations of the GDPR is incompatible with making business decisions that may be profitable for the controller, and negatively affects the right to the protection of personal data as one of the fundamental constitutional rights of the Republic of Croatia.

Therefore, the DPA determined that the role of the procurator is incompatible with the role of the DPO due to a conflict of interest, and that the appointment violated Article 38(6) GDPR.

Furthermore, the DPA established that the controller did not publish the contact details of the DPO on the company's official website, thus violating Article 37(7) GDPR.

Pursuant to Article 83(2) GDPR, when deciding whether to impose an administrative fine and on its amount, the DPA considered the following:

  • the unlimited number of data subjects concerned;
  • the existence of negligent conduct on the part of the controller;
  • that the controller subsequently published the contact details of the DPO, which was taken into account as a mitigating circumstance;
  • that the controller did not respond adequately to the requests of the DPA, which was taken into account as an aggravating circumstance;
  • that the DPA became aware of the GDPR infringement in the framework of the coordinated activity and not through reporting by the controller.

Due to the violation of Article 37(7) GDPR and Article 38(6) GDPR, the DPA imposed an administrative fine of €12,000 on the controller.

Comment

The DPA's questions in the survey more specifically encompassed the following:

  • how the DPO was enabled to independently perform their tasks;
  • how the controller provides active support to the function of the DPO, including a hierarchical chart of the controller and reports and correspondence with the highest level of management;
  • how the tasks and duties of the compliance manager position do not affect the determination of the purpose and means of personal data processing within the controller's organisation;
  • the actions and protective measures taken by the controller to avoid conflicts of interest in situations where the DPO fulfils other tasks and duties;
  • the submission of acts regulating the internal organisation of the controller with regard to its DPO;
  • the submission of the employment contract of the appointed DPO.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

(567-UP/I-034-01/24-01/33-1J&)

P/224793

REPUBLIC OF CROATIA
AGENCY FOR PROTECTION OF PERSONAL DATA

CLASS: UP/I-034-01/24-01/33
REG. NUMBER: 567-05-01/01-24-1
Zagreb, 23.12.2024.

The Personal Data Protection Agency, OIB: 28454963989, pursuant to Article 34, paragraph 1 of the Act on the Implementation of the General Data Protection Regulation (Official Gazette, No. 42/18), acting ex officio against the controller _____from Zagreb, issues the following

DECISION

1. It is established that the company ____ from Zagreb, as the controller, appointed a data protection officer of the company contrary to the provisions of Article 38, paragraph 6 of the General Data Protection Regulation.

2. It is established that the company ____, contrary to the provisions of Article 37, paragraph 7 of the General Data Protection Regulation, did not publish the contact details of the data protection officer on the company's official website at least until 22 December 2023.

3. Due to the established violations of the General Data Protection Regulation referred to in points 1 and 2 of this decision, the company ____ from Zagreb is hereby imposed an administrative fine in the amount of:

12,000.00 Euros

(in words: twelve thousand Euros)

4. The company ____ from Zagreb is obliged to pay the imposed administrative fine in favor of the state budget within 15 days from the date of entry into force of this decision to account number: HR1210010051863000160, model HR64 and reference to the approval number 6092-25860-47715592647, with the indication – "administrative fines imposed by the AZOP".

5. If the company ____ from Zagreb fails to pay the imposed administrative fine within 15 days from the entry into force of this decision, the Agency shall, in accordance with Article 46, paragraph 2 of the Act on the Implementation of the General Data Protection Regulation ("Official Gazette", No. 42/18), notify the Regional Office of the Tax Administration of the Ministry of Finance in whose territory the registered office of the said company is located, in order to collect the administrative fine by force in accordance with the regulations on forced tax collection.

6. The company ____ from Zagreb is obliged to submit proof of payment to this Agency within 15 days from the payment.

Reasoning

I. DETERMINATION OF A VIOLATION

As part of the implementation of the coordinated activity of the European Data Protection Board, in which 26 data protection authorities across the European Economic Area and the European Data Protection Supervisor seek to assess and determine whether data protection officers have an adequate role in their organisations as prescribed in Articles 37-39 of the General Data Protection Regulation, as well as adequate resources necessary to perform their tasks, the Personal Data Protection Agency began on 20 March 2023 with the implementation of a survey among data protection officers in the Republic of Croatia by delivering a Questionnaire on the appointment and position of data protection officers (hereinafter referred to as: the Questionnaire).

Data protection officers, as intermediaries between personal data protection authorities, individuals and business entities (controllers and/or processors), play a key role in contributing to compliance with the legal framework on personal data protection and promoting the effective protection of data subjects' rights. According to the information in the Questionnaire, the appointed data protection officer at the controller stated that he receives instructions regarding the performance of his tasks and duties as a data protection officer and that, in addition to his duties as a data protection officer, he works in the position of "compliance manager". Accordingly, for the purposes of the investigation procedure, the Personal Data Protection Agency requested a statement on 18 October 2023 from the controller, the Company ____ from Zagreb (hereinafter referred to as the controller), on the following points. A statement was requested (hereinafter referred to as the first request for a statement) on how the data protection officer was enabled to independently perform his tasks. A statement was requested on how the controller provides active support to the function of the data protection officer, and in this regard, documentation was requested - a hierarchical chart of the controller, reports and correspondence with the highest level of management.

A statement was also requested on how the tasks and duties of the compliance manager position do not affect the determination of the purpose and means of personal data processing within the controller's organization, and on the actions and protective measures taken by the controller to avoid conflicts of interest in situations where the data protection officer fulfills other tasks and duties. Furthermore, the submission of an act regulating the internal organization of the organization and an act determining the name of the organizational units and their scope of work, management method and approximate number of employees within them, or an act regulating the systematization of jobs with a description of the tasks of individual jobs, including the job of the data protection officer, was requested. The submission of the employment contract of the appointed data protection officer was also requested if it determines the tasks of his/her job.

The controller submitted the requested statement (hereinafter referred to as: the first statement) in which it essentially states that the data protection officer filled out the Questionnaire incorrectly and that a misunderstanding arose. It is further stated that the data protection officer, who is employed in the position of "compliance manager", has an obligation to work independently and warn the responsible persons - directors of possible omissions, and reports to the Management Board on a monthly basis through a presentation with all relevant information. An organizational chart was submitted in the statement, and it is stated that it is evident from it that the said position is not part of senior management, i.e. decision-makers. He/she apologizes and asks for the opportunity to personally present the working methods, documents, reports, regulations, etc.

Following the above, the Agency requested a new statement on 22 December 2023 (hereinafter: the second request for a statement) on the reasons for the failure to provide the requested documentation (the act regulating the internal structure of the organization, and determining the name of the organizational units and their scope of work, the method of management and the approximate number of employees within them, or the act regulating the systematization of jobs with a description of the tasks of individual jobs, including the job of the data protection officer as well as the delivery of the employment contract of the appointed data protection officer if the latter determines the tasks of the job).

A review of the court register determined that the appointed data protection officer ____ is also the company's procurator.

In the second request for a statement, the Agency also requested a statement on how the powers of the procurator do not affect the determination of the purpose and means of processing in the organization of the controller.

Upon inspection of the official website of the controller ____, the contact details of the data protection officer were not visible, therefore, with a second request for comment, the Agency requested a comment on the reasons for not publishing the contact details of the data protection officer on the controller's website.

The controller submitted an additional comment in which it states that the job descriptions of the "compliance manager" position are listed in the job classification and that the position of data protection officer is one of the tasks. The controller states that the tasks of the data protection officer are performed only on the condition that these tasks are not performed by an external employee in accordance with a service contract or order, and submits an excerpt from the job classification for the "compliance manager" position.

The controller further states that the powers of the procuration are completely separate from the tasks of the data protection officer, and submits the decision on granting the procuration in the attachment.

Furthermore, the controller states that in the job description of the "compliance manager" position, the job description clearly states that the data protection officer has complete independence in performing his/her duties and that the employee may set aside one hour of his/her working time for these tasks every day. The controller states that it is stipulated that in terms of performing the duties of the data protection officer, the employee may not be dismissed from duty or held accountable, and that the controller may not give instructions to the data protection officer, which guarantees independence. The controller states that in terms of tasks, the data protection officer reports to the highest management position. 

Regarding the contact details on the controller's official website, he states that, due to an oversight by the developer of the page, the officer's contact details are not clearly displayed, and a correction to the layout of the page has been requested in this regard. The controller states that a notice is displayed in each of their branches where they can contact the data protection officer and request the fulfillment of their rights. 

In the annex to the second statement, the controller submits, among other things, the decision to grant a power of attorney to Ms. ____ dated 19 February 2019 and an excerpt from the job description describing the powers and responsibilities of the position of "compliance manager".

The Agency points out that since 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), has been directly and bindingly applied in all Member States of the European Union, including the Republic of Croatia.

In accordance with Article 37(5) of the General Data Protection Regulation, the Data Protection Officer shall be appointed on the basis of professional qualifications, in particular expert knowledge of data protection law and practice, and the ability to carry out the tasks referred to in Article 39.

The same Article, paragraph 6, stipulates that the data protection officer may be a member of the staff of the controller or processor or may perform tasks on the basis of a contract of employment.

Article 37(7) of the General Data Protection Regulation stipulates that the controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

In accordance with Article 38(1), (2) and (3) of the General Data Protection Regulation, the controller and the processor shall ensure that the data protection officer is involved in an appropriate and timely manner in all matters relating to the protection of personal data. The controller and the processor shall support the data protection officer in carrying out the tasks referred to in Article 39 by providing him with the necessary means to carry out those tasks and to access personal data and processing operations and to maintain his professional knowledge. The controller and the processor shall ensure that the data protection officer does not receive any instructions in relation to the performance of these tasks. The controller or processor shall not dismiss him or her or impose any penalty on him or her for the performance of his or her tasks. The data protection officer shall be directly accountable to the highest management level of the controller or processor. In accordance with Article 38(6) of the General Data Protection Regulation, the data protection officer may also perform other tasks and duties. The controller or processor shall ensure that such tasks and duties do not give rise to a conflict of interest.

In accordance with Article 39(1) of the General Data Protection Regulation, the data protection officer shall perform at least the following tasks: informing and advising the controller or processor and the employees who carry out processing of their obligations under this Regulation and other Union or Member State data protection provisions; monitoring compliance with this Regulation, other Union or Member State data protection provisions and the policies of the controller or processor with regard to the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations and related audits; providing advice, where requested, on data protection impact assessments and monitoring their implementation in accordance with Article 35; cooperating with the supervisory authority; acting as the contact point for the supervisory authority on matters relating to processing, including prior consultation referred to in Article 36, and advising, where appropriate, on any other matters.

According to the Guidelines of the Article 29 Working Party on Data Protection Officers of 13 December 2016, as last revised and adopted on 5 April 2017 (WP 243 rev.01), and endorsed by the European Data Protection Board at its first plenary session on 25 May 2018, the absence of a conflict of interest is closely linked to the obligation to act in an independent manner. While data protection officers are allowed to perform other duties, they may only be entrusted with other tasks and duties provided that they do not give rise to a conflict of interest. In particular, this means that the data protection officer cannot be an employee of the organisation whose purposes and means of processing personal data he or she is required to determine. Due to the specific organisational structure of each organisation, this must be decided on a case-by-case basis.
It is an unwritten rule that positions that may present a conflict of interest within an organization may include senior management positions (such as CEO, COO, CFO, CMO, marketing manager, HR manager or IT manager), but also lower-level roles in the hierarchical structure of an organization if such positions or roles involve determining the purpose and manner of processing personal data. In addition, a conflict of interest may arise, for example, if an external data protection officer is asked to represent the controller or processor in court in cases involving data protection issues. In its judgment C-453/21 of 9 February 2023, in relation to conflict of interest, the Court of Justice of the EU stated that Article 38(6) of the General Data Protection Regulation should be interpreted as meaning that a "conflict of interest" within the meaning of that provision may exist when the data protection officer is entrusted with other tasks or duties which would lead him to determine the purposes and means of the processing of personal data with the controller or its processor, which should be verified in each individual case on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and taking into account all applicable regulations, including their possible internal rules.

From the above, the Agency concludes that a conflict of interest will not generally arise if the data protection officer, in addition to his tasks, also performs other tasks and duties which are exclusively advisory or supervisory in nature, or if this other role performed by the data protection officer cannot influence the purposes and means of the processing of personal data.

In accordance with Article 47, paragraph 1 of the Companies Act (Official Gazette, No. 111/93, 34/99, 121/99, 52/00, 118/03, 107/07, 146/08, 137/09, 125/11, 152/11, 111/12, 68/13, 110/15, 40/19, 34/22, 114/22, 18/23, 130/23; hereinafter referred to as the ZTD), a procurator may conclude all contracts and undertake all legal actions in the name and on behalf of the company and represent it in proceedings before administrative and other state bodies, institutions with public law powers, and state and elected courts.

In this administrative matter, it was established that the controller appointed Ms ____ as Data Protection Officer on 18 May 2018 (the appointment decision is attached to the case file).

In this administrative matter, it was established that the Data Protection Officer from 19 February 2019 (the decision to grant the power of attorney is attached to the case file) until today has a conflict of interest because, in addition to the duties of the Data Protection Officer position, he represents the company as the company's procurator. Since this is the broadest commercial power of attorney whose powers and limitations are set out in the ZTD, the Agency has determined that the role of the procurator is incompatible with the role of the Data Protection Officer due to a conflict of interest, which has led to a violation of Article 38, paragraph 6, of the General Data Protection Regulation.

Namely, Article 38(6) of the General Data Protection Regulation establishes a safeguard mechanism that prevents the Data Protection Officer from finding himself in a conflict of interest while performing his tasks prescribed by the Regulation. The Agency believes that this primarily means that the Data Protection Officer cannot be an employee of the controller who determines the reason (purpose) and the manner (means) of the processing of personal data, or who can have a direct influence on the determination of the same. The role of the procurator in a company is one of the most important roles within a company. This fact is recognized by the legislator himself, who gave the widest powers of representation through the power of attorney. In this sense, when the procurator also performs the tasks of the Data Protection Officer, he can inevitably influence the determination of the purpose and means of the processing of personal data within the controller and is therefore in a conflict of interest. In his second statement, the controller states that the powers of the power of attorney are completely separated from the duties of the Data Protection Officer. The Agency holds that the same allegations are of no impact for establishing the existence of a conflict of interest which is the subject of this decision. In the case in question, the Agency has established that the conflict of interest consists primarily in the fact that the procurator can conclude all contracts and undertake all legal actions in the name and on behalf of the company and can represent it in proceedings before administrative and other state bodies, institutions with public law powers, and state and elected courts, and thus can directly influence the determination of the purpose and means of data processing by the controller.

The tasks of the data protection officer are predetermined by Article 39, paragraph 1 of the General Data Protection Regulation, and his role is of an advisory nature precisely for the reason that he can advise and inform in an independent manner about all risks arising from the processing of the controller's personal data. Representing the company in the broadest possible form for the data protection officer means a conflict of interest in performing his/her tasks, since taking care of risks and informing about possible violations of the General Data Protection Regulation is incompatible with making business decisions that may be profitable for the controller, and negatively affects the right to the protection of personal data as one of the fundamental constitutional rights of the Republic of Croatia. The imbalance resulting from the incompatibility of the two roles lies precisely in the fact that the data protection officer essentially "reports and warns" himself/herself, since the company's procurator has the authority to represent the company together with the company's director (an extract from the court register is attached to the case file). Furthermore, in this administrative matter, it was established that the controller communicated the contact details of the data protection officer to the supervisory authority, but did not publish the contact details of the data protection officer on the company's official website until at least 22 December 2023, thus violating the provisions of Article 37(7) of the General Data Protection Regulation. In its second statement, the controller states that due to an omission on the part of the website developer, the contact details of the officer are not clearly displayed and a correction of the website layout has been requested in this regard.

In this administrative matter, it was established that on the official website of the controller ____, until 22 December 2023, when the Agency issued a second request for clarification, the contact details of the data protection officer were not published, but only a cookie statement, within which information on the contact details of the data protection officer was not provided (a printout of the cookie statement dated 22 December 2023 is attached to the file).

The Cookie Statement dated 22 December 2023, which is attached to the file, was until 22 December 2023 the only document published on the controller's website related to the processing of personal data. The contact details of the Data Protection Officer were not published within it, therefore the controller's statement that "the officer's contact details are not clearly highlighted" is not correct.

Furthermore, in another statement, the controller states that the officer's contact details were published as an e-mail: ____. However, the controller did not provide evidence that the aforementioned contact details were published on the company's official website before 20 December 2023.

II. IMPOSITION OF ADMINISTRATIVE FINES

Article 44 of the Act on the Implementation of the General Data Protection Regulation stipulates that the Agency shall impose administrative fines for violations of the provisions of this Act and the General Data Protection Regulation, in accordance with Article 83 of the General Data Protection Regulation.

Article 45, paragraph 1 of the aforementioned Act stipulates that administrative fines shall be imposed by decision. Pursuant to paragraph 2 of the same Article, the decision shall determine the amount and manner of payment of the administrative fine. The decision may determine that the administrative fine shall be paid in installments.

Pursuant to paragraph 4 of the same Article, no appeal is allowed against the decision, but an administrative dispute may be initiated before the competent administrative court.

Pursuant to Article 46 of the same Act, the administrative fine shall be paid within 15 days from the date on which the decision imposing it becomes final. If the party fails to pay the administrative fine within the prescribed period, or upon the maturity of the last installment if payment by installments has been approved, the Agency shall notify the Regional Office of the Tax Administration of the Ministry of Finance in whose territory the party to whom the administrative fine was imposed has its residence or registered office, in order to collect the administrative fine by force in accordance with the regulations on forced tax collection.

Administrative fines shall be paid to the state budget. By way of exception to paragraph 2 of this Article, no interest shall be calculated on a due but unpaid administrative fine.

Given the circumstances established in this case, the Agency, in accordance with its powers under Article 58, paragraph 2, item (i) of the General Data Protection Regulation, imposed an administrative fine instead of other corrective measures under the relevant Article, all in accordance with the conditions for its imposition under Article 83 of the General Data Protection Regulation and Articles 44, 45 and 46 of the Act Implementing the General Data Protection Regulation. After a detailed examination of the available remedies referred to in Article 58(2) of the General Data Protection Regulation, which the supervisory authority is empowered to impose on the controller in the event of an infringement of the provisions of the General Data Protection Regulation, and having regard to all the circumstances of the case, in particular that the chosen remedy must be effective, proportionate and dissuasive in each individual case, the Agency has decided to impose an administrative fine, paying due regard to the criteria laid down in Article 83(2) of the General Data Protection Regulation.

Namely, Article 83(1) of the General Data Protection Regulation requires each supervisory authority to ensure that the imposition of administrative fines in accordance with this Article in respect of infringements of paragraphs 4, 5 and 6 of this Regulation is effective, proportionate and dissuasive in each individual case. The Agency considers that the amount of the administrative fine imposed cannot be effective if it does not have a significant impact on the controller's income, the principle of proportionality cannot be maintained if the infringement is considered in the abstract without regard to the impact on the controller or processor, and it should also be a deterrent to future infringements. Therefore, the administrative fine imposed cannot be a deterrent if it does not have a financial impact on the controller in question. Pursuant to Article 83(2) of the General Data Protection Regulation, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and Article 58(2)(j), depending on the circumstances of each individual case. When deciding whether to impose an administrative fine and when determining the amount of the administrative fine in each case, due regard shall be had to the following:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope and purpose of the processing concerned, as well as the number of data subjects and the level of damage suffered by them;
(b) whether the infringement was intentional or negligent;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the level of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them in accordance with Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;

(f) the level of cooperation with the supervisory authority to remedy the infringement and mitigate the potential harmful effects of the infringement;
(g) the categories of personal data affected by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor reported the infringement;
(i) where measures referred to in Article 58(2) have previously been imposed on the controller or processor concerned in relation to the same matter

, compliance with those measures;
(j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42; and

(k) any other aggravating or mitigating factors applicable to the circumstances of the case,
such as the financial gain gained from the infringement or the losses avoided, directly or indirectly, by the infringement.

Article 83(4) of the GDPR provides that administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its worldwide annual turnover in the preceding financial year, whichever is the higher, may be imposed for infringements of the obligations of the controller and processor in accordance with Articles 37 and 38 of the GDPR. 

Recital 150 of the GDPR states that where administrative fines are imposed on an undertaking, the undertaking should be interpreted for these purposes in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union.

In accordance with the Guidelines of the Article 29 Working Party on the application and setting of administrative fines for the purposes of Regulation 2016/679 of 3 October 2017 (WP 253), which the European Data Protection Board endorsed at its first plenary session on 25 May 2018, in order for the supervisory authority to impose a fine that is effective, proportionate and dissuasive, it applies the definition of the concept of undertaking as given by the Court of Justice of the European Union for the purposes of Articles 101 and 102 TFEU, namely that the concept of undertaking is understood to mean an economic unit which can be set up by a parent company and any subsidiaries involved. In accordance with EU law and case-law, the concept of undertaking should be understood as an economic unit which carries out commercial/economic activities regardless of the legal person involved. The aforementioned Guidelines also provide definitions of the term “undertaking” from the decisions of the Court of Justice of the European Union: The term “undertaking” covers any entity “which carries out an economic activity, irrespective of its legal status and the way in which it is financed” (Höfner and Elsner, paragraph 21, ECLI:EU:C:1991:161). The term “undertaking” “must be regarded as an expression designating an economic unit even if, in law, that economic unit consists of several persons, whether natural or legal.” (Confederación Española de Empresarios de Estaciones de Servicio, paragraph 40, ECLI:EU:C:2006:784). Upon review of the financial report for 2023, it was determined that the total revenue of the company ____
amounted to 3,843,428.18 Euros, and 2% of that amount is 76,868.56 Euros. In this regard, the upper limit for imposing an administrative fine in this specific case is EUR 10,000,000.00.

Due to the violation of Articles 37, paragraph 7 and 38, paragraph 6 of the General Regulation on the Protection of Personal Data, the Agency imposed an administrative fine of EUR 12,000.00 on the controller of the company ____, which amount constitutes 0.12% of the maximum amount of the administrative fine that the Agency could or was authorized to impose in this specific case.

Pursuant to Article 83(2) of the General Data Protection Regulation, when deciding on the imposition of an administrative fine and deciding on the amount of the administrative fine, the Agency in this case paid due attention to the following:

- The nature, gravity and duration of the infringement, taking into account the nature, scope and purpose of the processing in question as well as the number of data subjects and the level of damage suffered by them (Article 83(2)(a));

In the case in question, the Agency determined that in the period from 19 February 2019 to the present day, a conflict of interest occurred in the performance of the tasks of the Data Protection Officer who, in addition to the duties of the Data Protection Officer position, represents the company as a company procurator and the controller did not publish the contact details of the Data Protection Officer.

The infringement concerns an unlimited number of data subjects, and its consequences were limited exclusively to the territory of the Republic of Croatia.

- Whether the infringement is intentional or negligent (Article 83(2)(b));

The Article 29 Working Party states in the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 that “intention” generally includes knowledge and intent regarding the characteristics of the infringement, while “unintentional” means that there was no intention to cause the infringement, even if the controller/processor breached its duty of care as required by law. The same Guidelines therefore highlight the distinction between circumstances indicative of or “intentional infringements” and those indicative of infringements caused “unintentionally” or “negligently”. In this regard, the Guidelines mention “failure to adopt policies” and “human error” as examples of conduct that may indicate negligence.

In relation to the above, in the case at hand, the existence of negligent conduct on the part of the controller was established, i.e. the existence of intent was not established.

- Any action taken by the controller or processor to mitigate the damage suffered by the data subjects (Article 83(2)(c));

Following the breach described in the case, it was established in the proceedings that the controller subsequently published the contact details of the data protection officer, which was taken into account as a mitigating circumstance.

- The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them in accordance with Articles 25 and 32 (Article 83(2)(d));

Not applicable in the case at hand.

- Relevant previous breaches by the controller or processor (Article 83(2)(e));

According to the records of violations of the General Data Protection Regulation kept by this Agency, no identical violation of the General Data Protection Regulation by the controller or a violation in an identical manner has been registered.

- The degree of cooperation with the supervisory authority in order to eliminate the violation and mitigate the possible harmful effects of that violation (Article 83(2)(f));

During this administrative procedure, the controller did not respond adequately to the requests of the supervisory authority and the aforementioned circumstance was taken into account as an aggravating circumstance.

Namely, in the first request for a statement, the controller does not answer any of the questions posed and only sends the company's organizational chart as an attachment, although more detailed documentation was requested in the sense of submitting an act regulating the internal structure of the organization, determining the name of the organizational units and their scope of work, management method and approximate number of employees within them, or an act regulating the systematization of jobs with a description of the tasks of individual jobs, including the job of the data protection officer.

Also, the controller did not respect the deadline for the first statement set by the Agency.

In the second request for a statement, the controller cooperates more, however, he also submits general explanations in the sense that omissions were made by the website developer or that there is no processing of personal data, and does not offer evidence for the stated claims in his statement.

- Categories of personal data affected by the breach (Article 83(2)(g));

Not applicable in the case at hand.

- The manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor reported the infringement (Article 83(2)(h));

The Agency became aware of the infringement of the General Data Protection Regulation in the framework of the coordinated activity carried out within the framework of the European Data Protection Board by submitting a Questionnaire on the appointment and position of the Data Protection Officer, which served to assist in establishing the facts or the possible justification for initiating a formal investigation by subsequently conducting an investigation procedure within the framework of the administrative procedure.

- If measures referred to in Article 58(2) have previously been imposed on the controller or processor in relation to the same matter, compliance with those measures (Article 83(2)(i));

The controller has not previously been subject to a measure referred to in Article 58(2) of the General Data Protection Regulation in relation to the same matter.

- Compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 (Article 83(2)(j));

Not applicable in the present case.

- Any other aggravating or mitigating factors applicable to the circumstances of the case, such as the financial gain gained from the infringement or the losses avoided, directly or indirectly, by that infringement (Article 83(2)(k));

The fact that the controller, since the submission of the second statement until today, has not coordinated the tasks of the data protection officer in such a way that he is not in a conflict of interest was taken into account as an additional aggravating circumstance in the proceedings.

Taking into account all the above-mentioned allegations and established facts, in particular the assessment of all relevant circumstances relating to the organizational structure of the controller in question and after a detailed consideration of the available corrective measures under Article 58(2) of the General Data Protection Regulation, which the supervisory authority has the authority to impose on the controller and/or processor in the event of a breach of the provisions of the General Data Protection Regulation, and considering all the circumstances of the case in question, and in particular that the selected corrective measure must be effective, proportionate and dissuasive in each individual case, the Agency has decided, pursuant to Article 96 of the General Administrative Procedure Act (Official Gazette, No. 47/09, 110/21), as set out in the operative part of the Decision.

INSTRUCTIONS ON LEGAL REMEDY

An appeal against this Decision is not permitted, but an administrative dispute may be initiated before the Administrative Court in Zagreb within 30 days from the date of delivery of the Decision.

DEPUTY DIRECTOR
Igor Vulje

SUBMIT TO:

1. ______d.o.o., Zagreb

2. Pismohrana, here
