Croatia: Data Protection in the Financial Sector
1. Governing Texts
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is the main legal instrument regulating and stipulating the general rules for data protection in Croatia. The GDPR is further implemented by the Law on the Implementation of the General Data Protection Regulation 2018 (only available in Croatian here) ('the Law').
Both the GDPR and the Law are fully applicable to enterprises active in the Croatian financial market.
Most pieces of Croatian national legislation originate from European legislation implemented in Croatian law, notably the Capital Market Act, as amended by Decision amending the Capital Markets Act (only available in Croatian here) ('the Capital Market Act'), the Credit Institutions Act, as amended by Decision amending the Credit Institutions Act (only available in Croatian here) ('the Credit Institutions Act'), and the Payment System Act. In addition, EU regulations containing regulatory rules for financial enterprises are directly applicable in Croatia.
Such legislation includes various obligations for financial enterprises which may result in or have an impact on their processing activities (e.g. requiring financial enterprises to collect certain personal data of their customers).
To the extent that financial enterprises process personal data in order to comply with such obligations, the GDPR and the Law also apply in their entirety.
The following EU legislation, among others, is applicable:
- the GDPR is applicable to financial services with regard to their personal data processing activities;
- the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2'); and
- the Directive (EU) 2018/843 of 30 May 2018 Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU ('the Fifth Anti-Money Laundering Directive').
The European Data Protection Board ('EDPB') has issued the following relevant documents:
- Opinion 4/2019 on the draft Administrative Arrangement for the Transfer of Personal Data between the European Economic Area ('EEA') Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities; and
- Letter regarding the PSD2 Directive.
The Article 29 Working Party ('WP29') has issued the following relevant guidance:
- Opinion 14/2011 on Data Protection Issues related to the Prevention of Money Laundering and Terrorist Financing;
- Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight against Bribery, Banking and Financial Crime ('WP29 Opinion on Whistleblowing');
- Letter of the Chair of the Article 29 Working Party to FATCA; and
- Guidelines on Transparency under Regulation 2016/679 ('the Guidelines On Transparency').
The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:
- Recommendations on Outsourcing to Cloud Service Providers (20 December 2017);
- Guidelines on Major Incident Reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017);
- Guidelines on Reporting Requirements for Fraud Data under Article 96(6) PSD2;
- Final Report on EBA Guidelines on Outsourcing Arrangements ('the EBA Guidelines on Outsourcing'); and
- Guidelines on ICT and Security Risk Management.
Apart from national laws, as a member of the EU, Croatia has implemented relevant European legislation to the full extent. The basic laws regulating the financial sector in Croatia are the Credit Institutions Act and the Capital Markets Act.
The Fourth Anti-Money Laundering Directive (Directive (EU) 2015/849) and the Fifth Anti-Money Laundering Directive are implemented in the Anti-Money Laundering and Terrorist Financing Law, as amended by Decision amending the Anti-Money Laundering and Terrorist Financing Law (only available in Croatian here) ('the AML/CFT Law').
Apart from the aforementioned laws, some other regulating acts in the Croatian financial sector are:
- the Act on the Croatian National Bank;
- the Payment System Act; and
- the Act on the Croatian Financial Services Supervisory Agency ('the HANFA Act').
1.2. Supervisory authorities
The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.
In Croatia, the competent supervisory authority for data protection is the Personal Data Protection Agency ('AZOP'), which is entrusted with the supervisory tasks defined by the GDPR.
The main supervisory body in the financial sector in Croatia is the Croatian Financial Services Supervisory Agency ('HANFA'). The activity of HANFA is regulated by the HANFA Act. The following tasks are the responsibility of HANFA (Article 15 of the HANFA Act):
- enacting implementing regulations and bylaws;
- supervising the operations of supervised entities specified in the regulations and legal entities engaged in factoring operations;
- issuing and revoking permits, approvals, licences, and consents; and
- encouraging, organising, and supervising measures for the efficient functioning of financial markets.
The Croatian National Bank ('HNB') is responsible for determining and implementing monetary and foreign exchange policy in Croatia. Apart from that, the HNB is entrusted with the following tasks (Article 4 of the Act on the Croatian National Bank):
- holding and managing the international reserves of Croatia;
- issuing banknotes and coins;
- performing supervision in accordance with the laws governing the operations of credit institutions; and
- regulating and improving payment operations and ensuring their functioning.
Other competent bodies:
- the Financial Inspectorate of the Republic of Croatia;
- the Ministry of Finance Tax Administration; and
- the European Central Bank.
2. Personal and Financial Data Management
2.1. Legal basis for processing
Under the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency, among others. In addition, processing shall only be lawful if (Article 6(1) of the GDPR):
- the data subject has given consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering a contract;
- the processing is necessary for the compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Moreover, under Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) of the GDPR applies.
The GDPR establishes the principle of transparency (Article 5 of the GDPR). In addition, when data is being processed, information on the controller, purposes for processing, recipients of the data, retention period, and details of the data subject's rights shall be provided to the data subject (Article 13 of the GDPR).
In Croatia, there are no sector-specific requirements regarding the notice of the institution’s privacy policies and practices. However, general information obligations under the GDPR apply.
Taking into account the costs of implementation, nature, scope, context, and purposes of the processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).
Financial enterprises may be required to appoint a data protection officer ('DPO'). The DPO, among other things, informs and advises the organisation on its obligations under the GDPR, monitors compliance with the GDPR within the organisation, provides advice regarding data protection impact assessments, cooperates with the supervisory authority, and acts as a point of contact between the organisation and the supervisory authority.
Under the Credit Institutions Act, financial institutions are required to exchange information, including personal information relating to their customers, with other credit institutions.
Therefore, financial institutions in Croatia have concluded an agreement under which, in accordance with the Credit Institutions Act, they exchange personal data through special registers and in that way comply with the GDPR.
Personal data must not be retained in a form that permits the identification of the data subject for longer than is necessary for the purposes the data was processed (Article 5(1)(e) of the GDPR). Moreover, the period for which the personal data are stored should be limited to a strict minimum, and to these ends, time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).
The GDPR does not provide for any specific retention period for financial personal data. Consequently, financial organisations must determine their own retention periods. However, specific Croatian laws may provide for minimum or maximum retention periods. In particular, the Credit Institutions Act prescribes that personal data may be stored for up to four years from the full fulfilment of the obligation by the client. This refers to the information and personal data of clients that is necessary for the assessment of creditworthiness or for credit risk management.
The anti-money laundering system is set out in the AML/CFT Law. The AML/CFT Law lays down requirements intended to prevent all kinds of institutions and participants from using their position to enable money laundering, and it applies directly to financial institutions. For that purpose, the AML/CFT Law regulates measures such as in-depth client analysis and all the requirements for their implementation.
The Credit Institutions Act prescribes banking secrecy, the obligation to keep bank secrecy, and the persons to whom that obligation applies. The Credit Institutions Act also regulates the use and protection of confidential data. As written above, credit institutions exchange personal data through special registers to assess creditworthiness and manage the credit risk of clients.
These persons are obliged to use confidential data exclusively for the purpose for which they were given and may not disclose them to third parties or enable third parties to find out and use them, except in cases prescribed by law.
Regulations applicable to insurance entities in Croatia are the Insurance Act, as amended by Decision amending the Insurance Act (only available in Croatian here), and the GDPR. The Insurance Act prescribes the general duty, and the terms, with which insurance companies must comply when keeping the information they have learned in doing business with the persons enumerated in the law. The Insurance Act also prescribes an overview of the data that can be processed, and the conditions for the exchange of personal data with other insurance companies and organisations.
In Croatia, PSD2 has been implemented by the Payment Services Act since July 2018. In accordance with that Act, the payment service provider is obliged to apply reliable authentication when a client performs any action online or remotely that may involve a risk of payment fraud.
In addition, a service provider must apply appropriate measures to secure the credentials of payment service users. It must also establish mechanisms by which the operational and security risks associated with payment services are managed.
There are no sector-specific requirements in relation to the transfer of financial personal data by financial enterprises, the use of such data by third parties, or the use of cloud computing.
See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.
As a general rule, a data controller must notify the competent supervisory authority of any personal data breach it suffers (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach and Croatia – Data Breach.
At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018, the European Commission adopted a FinTech Action Plan, in addition to publishing discussion papers on the same. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory FinTech framework.
Croatia has not yet set out the regulations regarding FinTech, so the general rules displayed above apply to this sector as well.
However, HANFA has established a regulatory Innovation Hub in the field of financial services innovation. The purpose of the regulatory Innovation Hub is to be the place where innovative projects can get support and guidance.
Functions of the hub are as follows (according to the HANFA web page):
- support to the development of innovative projects;
- reducing the time needed for innovative projects to enter the market;
- lessening regulatory uncertainty;
- creating a special contact point to facilitate access to HANFA; and
- enabling faster and individual access to projects, among others.
The GDPR provides for administrative fines of up to (Article 83 of the GDPR):
- €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
- €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.
AZOP has issued four fines since the GDPR entered into force. Of these four fines, one was issued to a credit institution and one to an insurance company. Although AZOP does not publish the amounts of fines, AZOP announced that both fines were issued for severe breaches of the GDPR, for which, under Article 83(5) of the GDPR, fines of up to €20 million or 4% of annual turnover, whichever is higher, may be imposed.
None of the fining decisions has become final yet, as the controllers have lodged appeals. Further information regarding these cases (including the amounts of the fines and the controllers involved) will become available once the relevant court finally decides on the appeals.
11. Additional Areas of Interest
Boris Dvoršćak, Partner
Ilej & Partners, Zagreb