DPA powers toward effective and transparent GDPR enforcement: the case of Croatia

Abstract

The paper identifies and explores the solutions to certain underdeveloped and lacking legislative solutions and issues in the practice of the national data protection authority (CPDPA), which affect the aims of effective GDPR enforcement and transparency. On a broader level it contributes to the EDPB initiatives toward the harmonization of certain procedural provisions and overcoming the differences in the conduct of cross-border proceedings. Most of the research considerations are supported by a study of the case that received much public attention and involves the first administrative fine in Croatia. Arguments are provided toward prescribing time limits for the resolution of data protection administrative disputes and toward appropriate addressal of the closely related issues of publishing CPDPA rulings, with the concerns of their accessibility worked out through a comprehensive policy. This includes also the particular considerations on the corrective measures issued to public authorities, which cannot be fined, and on the underdeveloped fine-limitation rule for certain other public sector bodies. Public interest concerns should be closely examined in the assessment of communicating information on relevant data protection cases and CPDPA decisions, as well as the interrelation with the freedom of information requests. The publishing of non-anonymous final rulings should be recognized as a form of additional sanction and power of the data protection authority and as such further explored also at the EU level. In terms of more efficient CPDPA functioning it is argued that the prescribed time limits for issuing expert opinions are extended. At the same time resources should be utilized toward better inclusivity and accessibility of relevant information, primarily rulings, on its website.