2/17/2021 Pandemic data processing in Croatia

Successful management of the Coronavirus pandemic implies the establishment of new practices of collecting sensitive data of citizens to preserve public health. Politiscope monitored pandemic practices of data collection and processing to detect possible and likely violations of fundamental rights.

The analysis focuses on the public bodies that shape pandemic data processing practices: the Crisis Command of the Civil Protection, the Croatian Institute for Public Health, the Croatian Personal Data Protection Agency and the Government. It is intended for institutional actors in charge of shaping national privacy policy and data practices, independent oversight institutions safeguarding constitutional and human rights, NGOs, citizens and the wider public. By monitoring the work of these public bodies and conducting evidence-based advocacy, Politiscope aims to do away with illegitimate and illegal data practices and to promote principles of good governance and transparency among institutional actors in charge of shaping Croatia’s privacy policy and data practices.

The analysis shows that key public bodies in charge of managing the pandemic show continuous and complete negligence towards the protection of citizens’ data by promoting illegal and harmful data practices. The analysis lists the most relevant and most problematic case studies of pandemic data processing: i) unconstitutional amendments to the Law on Electronic Communication, ii) illegal and illegitimate legislative framework for pandemic data processing, iii) Government’s digital assistant Andrija launched without a Privacy Policy, iv) illegal instruction for parlors and salons, v) illegitimate processing of pupils’ data in schools, vi) Beroš-Badrić case (health minister and a pop singer), vii) delivery of wrong PCR test results.

The key issue detected by the analysis is the lack of a separate legal framework for collecting and processing personal data in order to protect public health. In the given circumstances, citizens’ data can be collected and processed without their consent, but Recital 45 of the GDPR clearly defines the obligation to create a separate legal framework that defines all relevant elements of the processing. Because pandemic data processing also includes the category of sensitive data, the obligation to create a separate legal framework stated in Recital 52 also applies. Although the agency regularly refers pandemic data controllers to national laws as the lawful basis for data collection (for example, laws governing the work of schools), none of the existing laws contains all the necessary elements prescribed by Recital 45 of the Regulation (such as the categories of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing). It is not surprising that this legal mess led to the dangerous and illegal instruction given to parlors and salons by the Croatian Institute for Public Health, while schools conducted illegal processing of pupils’ data.

The Government proposed, and the ruling parliamentary majority appointed, as the head of an independent oversight institution a person who is in a permanent conflict of interest due to his close ties to the Government and the ruling party. Analysis of individual case studies indicates there is not merely an impression, but an actual case of dependency as a result of political capture by the Government. For instance, the Government launched its digital assistant Andrija without a privacy policy, while the agency finds nothing problematic in the case where the health minister shared information on testing results for several individuals he was in close contact with, in an effort to control the damage inflicted on his public reputation by his own irresponsible behaviour. It is extremely discomforting that the agency has not advised, warned or counselled the Government to bring pandemic data collection and processing practices in line with Recitals 45 and 52 of the GDPR.

PHOTO: Electronic Frontier Foundation