GDPR COMPLIANCE CHALLENGES IN CROATIAN MICRO, SMALL AND MEDIUM SIZED ENTERPRISES
DOI:
https://doi.org/10.25234/pv/23972
Keywords:
compliance, Croatian SMEs, data protection authorities, General Data Protection Regulation (GDPR), personal data protection
Abstract
The General Data Protection Regulation (EU) 2016/679, which has applied uniformly in the European Economic Area (EEA) since 25th May 2018, requires small and medium enterprises (SMEs) to respect the right to personal data protection of their clients, customers, and employees. The GDPR is designed to strengthen the data protection rights of all individuals within the EEA, ensuring more effective protection for consumers and increased privacy considerations for businesses. However, even more than four years after its entry into full application, the implementation of the GDPR is still an issue for Croatian SMEs, which, unlike larger companies, very often lack the human and financial resources to comply with the data protection legal framework. This paper covers theoretical considerations and the results of an online survey conducted with 345 SMEs in the Republic of Croatia with the aim of gaining insights into their GDPR compliance hurdles. The results of the study have shown that the level of understanding of obligations arising from the GDPR among Croatian SMEs is rather low and that compliance with the data protection legal framework is not at a satisfactory level.
License
Copyright (c) 2023 Anamarija Mladinić, Zdravko Vukić, Ante Rončević
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Authors retain the copyright on the papers published in the Journal, but grant the right of first publication to the Journal. Papers accepted for publication or already published in Pravni vjesnik of the Faculty of Law in Osijek may be published by the author(s) in other publications only with proper notice of its previous publication in Pravni vjesnik.