2/2/2021 Supervisory authority director appointment


Politiscope sent an open letter to the European Commission, European Parliament and the European Data Protection Board due to violations of the GDPR and the Croatian GDPR Act in the Government’s appointment of Zdravko Vukić as the director of the supervisory authority (Croatian Data Protection Agency). Vukić does not have the relevant professional experience or expertise prescribed by law, and is in a situation of permanent conflict of interest due to his close ties to the ruling conservative party – he was a member of the party and a state official linked to the Government, prior to being appointed as the director.

Duje Prkut, Executive Director of Politiscope, commented on the fact that Vukić was a member of at least four different political parties: „Third-rate secret agent novels Vukić writes might be humorous to the wider public. But this is a serious case of state capture of an independent oversight institution and a further decline in the rule of law in Croatia. There is no public confidence Vukić can perform his function impartially and independently and this makes him an unacceptable candidate for the head position of an independent institution. As a typical third-tier party soldier, Vukić does not have adequate competencies or expertise and does not meet the minimum criteria set forth by the law.“

Prkut explained Politiscope’s actions: „In an open letter we urged the European Commission to swiftly initiate an infringement procedure against Croatia. European Data Protection Board was called upon to issue guidelines with clear recommendations for colling-off periods for heads of supervisory authorities who were once members of political parties. Politiscope asked the European parliament to include the appointment of Vukić in rule of law monitoring actions undertaken in Croatia”.

Duje Kozomara, Assistant Executive Director, emphasized the expertise and competencies which are necessary to perform the function of the director of a data protection supervisory body: „You need to have a deep understanding of personal data protection as a fundamental right safeguarded by the EU Charter of Fundamental Right, at the same time proportionately aligning it with other rights and legitimate interests. This task includes the ability to distinguish the ways in which personal data is collected and processed in the modern digital environment, as well as the knowledge of all relevant national and European regulations related to the processing of personal data. "

Despite lacking relevant professional experience and not meeting the legal conditions for the position, Vukić was appointed as the director of the Croatian Data Protection Agency in May 2020. His only professional experience was dealing with general legal affairs in Cesting - a company that did maintenance work on local and state roads, where he was appointed as the data protection officer, among other duties. The last time Cesting was in the media was due to company’s alleged involvement in an attempt of bribery of members of Croatia’s High Court. It is clear that Mr. Vukić is not „a renowned expert with a recognized professional reputation and expert knowledge and experience in the field of data protection”, which is one of the legal requirements for the position of the director of the supervisory authority prescribed by the Croatian GDPR act.


Photo: Politiscope