Data Protection Day

Data Protection Day

Data Protection Day

Data Protection Day

Data protection day is celebrated every year on 28th of January. The year 2020 has been marked by the COVID-19 pandemic and has greatly affected many aspects of our lives. It has also left its mark on personal data protection.

Personal data protection has become an indispensable part of our daily lives, therefore we have highlighted significant changes in 2020 that have had a major impact on the protection and interpretation of applicable regulations.



In order for any personal data processing to be lawful it must have basis in the General Data Protection Regulation (the "Regulation"). In regard to COVID-19 prevention and control measures, all measures which require the processing of personal data of patients, employees, students, individuals, etc., must have its basis within the Regulation.

According to the Croatian Personal Data Protection Agency ("AZOP"), the above stated personal data processing with regards to the implementation of COVID-19 prevention and control measures is considered lawful if:

  • necessary for compliance with and carrying out legal regulations and obligations,
  • necessary to protect vital interests.

Employers are entitled to request data concerning health status of their employees, and to request a COVID-19 testing.


II. Schrems II.

On 16th of July 2020, the Court of Justice of the European Union ruled that the transfer of data from the EU to the USA based on the so-called privacy shield is illegal. Now data transfer to the USA is equated with transfer to other third countries.


III. Brexit

The Brexit transition period has ended 31st December 2020 and since the UK is no longer a member state of the EU, the regulations applicable to the transfer of personal data to third countries now also apply to data transfers to the UK.


IV. Data transfer to the UK and the USA

The transfer of personal data to the UK and the USA will be facilitated when the European Commission renders an adequacy decision - a decision that the UK and the USA ensure an adequate level of personal data protection. Until such a decision is rendered by the European Commission, the following safeguards will apply to such data transfers:  

  • a legally binding and enforceable instrument between public authorities or bodies,
  • binding corporate rules,
  • standard data protection clauses,
  • an approved code of conduct,
  • an approved certification mechanism.

In November 2020, the European Data Protection Board published a list of additional measures to ensure a secure transfer of data to third countries:

  • encryption,
  • pseudonymisation,
  • anonymisation.

We will gladly support you in regulation of personal data protection should you require further assistance.