

Chapter: III. Privacy topics

Internet and consumer privacy

E-commerce

In cases of violation of consumer privacy, the Agency has endorsed the following rule of consumer identity, provided under the Consumer Protection Act,[1] Art. 7 paragraph 3: "The Merchant is prohibited from providing the personal data of the consumer to any third person without prior explicit and written permission of the consumer, except if he/she is obligated to do it by the law or the decision of a competent authority." For a violation of this rule, the merchant that has provided a third person with the data of a consumer without prior consent and authorisation can be fined from €2,055 to €13,698 (Article 145 paragraph 1).

Cybersecurity

No specific information has been provided under this heading.

Online behavioural marketing and search engine privacy

No specific information has been provided under this heading.

Online social networks and virtual communities

The National CERT has published a brochure designed to protect privacy on Facebook.[2]

The Agency for Protection of Personal Data has dealt with some cases concerning the disclosure of personal information online by different actors. For example, a Croatian NGO published a person's personal data on its Web page without his consent, thus violating Article 7 of the Personal Data Protection Act. Following the data subject's complaint to the Agency, the NGO was ordered to erase the plaintiff's photograph and personal data from the Web page within eight days. On 16 November 2007, the Agency decided the case of a person whose personal data was unlawfully disclosed on a blog opened by another person. The service provider hosting the blog was ordered to remove the specific contents of the blog relating to the personal information within eight days.

In 2010, the journalist and blogger Damir Fintić from Vukovar, Croatia, was convicted of slander and ordered by a court to pay a fine of HRK250,000 (approx. €34,000) to the former mayor of Vukovar, Vladimir Štengl, and his wife for psychological distress. In 2005, Fintić published an anonymous letter on his site, Vukovarac.net, that provoked 300 citizens of Vukovar into writing negative comments about the Štengls. Offended, they sued Fintić because he did not remove the letter and did not delete the readers' comments. They also asked Fintić to provide them with the name of the letter's author. He refused to remove the contents from his Web page, claiming that according to the law a Web page was not legally considered a medium, and it did not have a publisher or editor. The service provider of the domain was notified of the Web page's slanderous content, which led to the page's being taken down. The author of the anonymous comment has never been sued.

Certain prominent human rights activists, journalists, and academics have made public requests in the media that the users of public Internet fora should not be granted the right to remain anonymous while posting their comments online. The policy of the largest Internet forum in the region[3] is to remove all anonymous posts upon the request of a person or firm that considers the information slanderous, untrue, or in any way harmful to their dignity and reputation (which is understood to be in line with the Vukovarac.net case). On the other hand, the forum also protects the anonymity of its users. The idea behind this policy is that all those who want their information to be considered valid and true should publicly disclose their true identity, because the firms and persons that are not anonymous are not granted the refuge of anonymity while commenting or providing information about themselves or others. Theoretically, it would be possible to start criminal proceedings against an anonymous user by reporting the issue to the police, who can then search for the IP addresses of such users and track them down, but in practice it is the owner of the Internet site who is responsible for anonymous comments. The issue of the right to remain anonymous while posting public comments on the Internet has not yet been tackled by the government, and such comments have essentially become the legal responsibility of the owner of the Web site or domain.

Online youth safety

On its web pages, the Office of the Ombudsman for Children has issued a short note called "Seven Golden Rules for Safe Chatting and SMS-Messaging."[4]

Workplace privacy

Critics have called for a review of workplace surveillance practices, and for regulatory guidance after a number of cases. One of the leading cases involved an employee of the Zagreb branch of Siemens PLC who was accused of using a company computer to visit a football fan forum where he used foul language in conversation with members of the opposing team. One of these members found his IP address, and informed the Siemens board of the event. This led to an investigation where the employee was placed under surveillance for five months, during which time all of his computer activities were monitored. The investigation concluded that he had violated the corporate rules regarding the use of inappropriate language.

Health and genetic privacy

Medical records

In 2008, the Croatian publisher Ivo Pukanić was expelled from the Croatian Journalists' Association for having published his wife's medical records in his weekly newspaper, Nacional. The Council of Honour of the Croatian Journalist Association has been contacted by the Media Committee of the Office for Gender Equality and the Parliamentary Committee for Human Rights and National Minority Rights regarding this case.[5]

Genetic identification

No specific information has been provided under this section.

Financial privacy

According to Article 7, paragraph 1 of the Personal Data Protection Act, personal data may be collected and processed only with the data subject's consent or if provided for under the law. Croatian banking law provides for the possibility that the bank associations may exchange information about the credit ratings of their clients and the processing and exchange of personal data, and does not require specific approval by the client. This permits wide-scale data sharing, as was encountered in one legal case where personal data had been exchanged among banks and other institutions, as well as among the employees of the bank, without prior written permission or any other approval; the Agency for the Protection of Personal Data dismissed the complaint under Croatian banking law.

In the previous Bank Act,[6] Article 99 paragraph 3 defined the obligation to preserve bank secrets, which included the personal data of clients found while doing business with them and providing banking services, as well as data about clients' personal account statements. According to the Bank Act, the data could be disclosed in the following cases:

1) if the client gives written permission for the disclosure of certain confidential data;

2) if the confidential data disclosure is necessary for the collection and determination of facts in criminal proceedings or the proceedings leading to it, in the case that such a disclosure has been requested or ordered by a competent court;

3) if the confidential data are disclosed for the purposes of the Office for the Prevention of Money Laundering, on the basis of law regulating the prevention of money laundering;

4) if the disclosure of confidential data is necessary for determining a legal relationship between a bank and a client in litigation, and if a competent court has requested or ordered it in writing;

5) if the confidential data are disclosed for the purpose of proceedings concerning property or inheritance, on the basis of a written request of a competent court;

6) if the disclosure of confidential data is necessary for the execution of a foreclosure of property of a bank's client, and if it has been requested or ordered by a competent court;

7) if the confidential data are disclosed to the Croatian National Bank, Foreign Currency Inspectorate or other supervisory body for the purpose of supervision within their legal competence, on the basis of a written request;

8) if the confidential data are disclosed to a legal person, organised in an adequate form, that may be founded by banks with the purpose of collecting and providing data about the total amount, types and punctuality of fulfilling the obligations of physical and legal persons acquired on any basis;

9) if the confidential data are necessary for the tax bodies in the proceedings carried out within their legal authority, and disclosed upon their written request;

10) if the confidential data are disclosed for the purposes of the institutions insuring the deposits, on the basis of the law regulating the insurance of deposits.

This Article also permits the existence of the so-called HROK or the Croatian Credit Information Registry, which contains personal data about clients who have sought credit, as well as their credit ratings, any blacklists the individual may be on, etc. However, the law did not clearly define the purpose of the data collection as making a blacklist of customers who have failed to meet their obligations, including their personal data; it only defined the purpose as the determination of the amount and type of the obligations of legal and physical persons and their punctuality in fulfilling them.

In the new Credit Institution Act, Article 169 paragraph 3 provides for the possibility of disclosing a bank secret in a much-expanded list of cases:

1) if the client gives written permission for the disclosure of certain confidential data;

2) if it enables the realisation of interests of a credit institution for selling the client's claims;

3) if the confidential data are disclosed to the Croatian National Bank, Foreign Currency Inspectorate or other supervisory body for the purpose of supervision within their legal competence;

4) if the confidential data are exchanged within a group of credit institutions for the purpose of risk management;

5) if the confidential data are disclosed to a legal person created in order to collect and provide data about the financial solvency of legal and physical persons, in accordance with a special law;

6) if the confidential data are exchanged among credit and/or financial institutions about clients who have not fulfilled their obligations in time, and the confidential data are disclosed to a legal person created for the purpose of collection and exchange of such data;

7) if the disclosure of confidential data is necessary for the collection and determination of facts in criminal proceedings or proceedings leading to a criminal case, under the condition that it be requested in a written form or ordered by a competent court;

8) if the disclosure of confidential data is necessary for the execution of foreclosures or bankruptcy proceedings over the property of the client, inheritance or any other legal proceedings concerning property, if it is requested or ordered in written form by a competent court or a public notary in the execution of the duties entrusted to them on the basis of the law;

9) if the interests or obligations of credit institutions or clients require the disclosure of confidential data with the purpose of clarifying the legal relationship between the credit institution and a client in a lawsuit, arbitration or conciliation procedures;

10) if the confidential data are disclosed to the Office for the Prevention of Money Laundering, on the basis of a law regulating the prevention of money laundering and financing of terrorism;

11) if the confidential data are disclosed to the Office for the Prevention of Corruption and Organised Crime on the basis of the law regulating the prevention of corruption and organised crime;

12) if the confidential data are necessary for the tax bodies in the proceedings carried out within their legal authority, and disclosed upon their written request;

13) if the confidential data are disclosed for the purposes of the institutions insuring the deposits, on the basis of the law regulating the insurance of deposits;

14) if the state of the account clearly shows insolvency, and confirmation is requested in order to prove the reasons for opening the bankruptcy proceedings;

15) in order to disclose the data to insurance companies in the procedure of securing the claims of a credit institution;

16) disclosure of data in concluding legal deals that have an effect of securing the credit institution's claims, such as credit derivatives, bank guarantees and other similar business;

17) data disclosure with the written consent of the credit institution board to the owner of the qualified stake of that credit institution, person that intends to acquire a qualified stake in a credit institution, person with which a credit institution merges or is acquired by, legal person that intends to take over a credit institution as well as auditors, legal and other experts authorised by the owner of the qualified stake or a potential owner;

18) disclosure of data necessary for carrying out the activities of a credit institution, which are subject to externalisation, if the data are disclosed to the providers of such externalisation;

19) if the credit institution providing services of depositing and administrating financial instruments on clients' behalf, including custody, delivers to a credit institution which is the issuer of intangible securities, on its request, the data on the owner of such securities;

20) if the confidential data are disclosed on the basis of a written request to social care centres within their legal authority, for the purpose of carrying out measures for the protection of the rights of minors (persons younger than 18 years) and persons under custody;

21) and if it is provided by other laws.

It is clear from this that the number of provisions for the disclosure of data has doubled, including the provisions for the creation of explicit blacklists of insolvent or overdue users of bank loans, and special provision for persons under custody or whose property is under foreclosure or bankruptcy proceedings. The last line provides for the possibility of any other law that could demand the disclosure of private data, and the only extra protection is given in paragraph 5 of the same Article, providing that a credit institution is obliged to ascertain that a customer has given his/her written permission for the processing of their personal data (the above-mentioned paragraph 3 of the same Article) in a separate document, upon conclusion of each contract concerning banking and/or financial services.

Footnotes