EDPB Support Pool of Experts initiative: Data Protection Training Programme for DPOs in Croatia

The Croatian Personal Data Protection Agency has successfully completed the project “Data Protection Training Programme for Croatian DPOs in health and education sector” within the European Data Protection Board (EDPB) Support Pool of Experts initiative.

The objective of the Support Pool of Experts (SPE) is to contribute to a high and consistent level of protection of personal data throughout the EEA Member States by:

(1) Providing material support to EDPB members in the form of expertise that is useful for investigations and enforcement activities of significant common interest and thereby promote better protection of data subjects; as well as

(2) Enhancing the cooperation and solidarity between all EDPB members by sharing, reinforcing and complementing strengths and addressing operational needs.

The Support Pool of Experts (SPE) is one of the key initiatives within the EDPB 2021-2023 Strategy. The main goal of this initiative is to support individual supervisory authorities in building and increasing their capacity to enforce by developing common tools and giving them access to an EEA-wide pool of experts.

After five years of application of the GDPR, research conducted by the Croatian Personal Data Protection Agency in cooperation with established experts from academia has revealed significant issues with regard to the status and function of data protection officers. In 2020 the Croatian DPA conducted a survey of almost 800 DPOs, and the results showed that 54% of DPOs in the Republic of Croatia have minimal experience and knowledge of personal data protection, and 82% of them stated that they need further education in the field of data protection. Most DPOs do not fully understand their responsibilities, and they have shown insufficient knowledge of data protection basics. In 2023 the Croatian DPA conducted a second survey of Croatian DPOs.

Many Croatian DPOs have limited financial and human resources, and the Croatian DPA recognized the need to give them concrete support by providing adequate training programs that can efficiently equip DPOs with the necessary skills and knowledge to become effective DPOs. The Croatian DPA does not have experts on its staff able to develop this kind of comprehensive data protection training programme, adapted to the needs of DPOs from the education and health sectors.

According to the research and insights of the Croatian DPA (gained while conducting investigations and educational activities), DPOs from the public education and health sectors face the biggest challenges while trying to comply with the GDPR. The level of their knowledge and willingness to understand and comply with the obligations arising from the data protection legal framework raises many concerns, especially bearing in mind that data controllers from these two sectors process vast amounts of personal data, including special categories of personal data and children’s data.

When conducting investigations and enforcement activities, the main contact point with the data controller for the Croatian DPA (and DPAs all over the EEA) is the data protection officer. In the experience of the Croatian DPA, in a large number of cases data protection officers from the health and education sectors don’t have adequate knowledge of personal data protection and don’t understand the data processing activities in their organisations, their obligations, or the sectoral laws. Consequently, they are not able to cooperate efficiently with the Croatian DPA during investigations. This creates difficulties for the Croatian DPA in relation to investigation and enforcement activities: it makes the administrative procedure much longer than needed and prolongs decision-making and the imposition of corrective measures.

PROJECT RESULTS

The expert assigned to the Croatian DPA from the SPE pool of experts, in cooperation with the AZOP team, developed a programme that will foster better understanding of general data protection requirements, as well as a practical understanding of specific sectoral requirements in the sectors of public education and public health organizations.

The Croatian Data Protection Authority is set to commence training sessions based on the developed program in February 2024. Through this initiative, coupled with the Coordinated Enforcement Framework of the European Data Protection Board for DPOs, we anticipate a substantial enhancement in awareness surrounding personal data protection.

The training sessions within the Data Protection Training Programme aim to underscore the pivotal role of DPOs, fostering a deeper understanding and knowledge of GDPR obligations. We are confident that this collaborative approach will contribute significantly to elevating the overall standards of data protection awareness and competence.

While there are DPO programs available in the EU, none are available in Croatian or take into account the specific legal and institutional framework of the Republic of Croatia. Currently, Croatia is woefully underserved with sector-specific practical guidance and locally directly applicable data protection best practices.

The programme consists of:

General DPO Training Module (10 hrs)

The general training module covers practical knowledge with examples, cases, applicable EU and national guidance, and applicable industry standards of information security on the following topics:

  • Basic sources and concepts of EU data protection law
  • GDPR basics: understanding the basic GDPR terminology
  • Act on the Implementation of the GDPR
  • Understanding data protection principles and their application in the GDPR theory and practice
  • Identifying appropriate lawful basis for the processing of personal data
  • Special categories of personal data
  • Data subject rights and data controller obligations
  • Data controller security of processing obligations
  • Data processing contracts, ROPA, breach obligations, technical and organisational measures
  • Competences, position, and tasks of the DPO
  • Data transfers
  • Modern technologies: processing of personal data through the use of AI, automated decision-making, profiling
  • Uses of anonymisation and pseudonymisation
  • Processing of personal data via cookies
  • Processing of personal data via video surveillance

Two specialized modules:

1) Data protection in public education institutions module (10 hrs)

  • Understanding the national legal framework of the public education system of the Republic of Croatia and data protection ramifications
  • Review of data protection related provisions of applicable national laws and bylaws governing elementary and secondary education
  • Simulations of Data Protection Impact Assessment, conducting legitimate interest test, identifying appropriate lawful basis, development of privacy policy, maintaining records of processing activities, data retention periods etc. (examples from the education sector)

2) Data protection in public health service institutions module (10 hrs)

  • Understanding the national legal framework of the public health system of the Republic of Croatia and data protection ramifications
  • Understanding specific issues and data protection requirements of health institutions such as hospitals, city clinics, and the health insurance system in Croatia
  • Simulations of Data Protection Impact Assessment, conducting legitimate interest test, identifying appropriate lawful basis, development of privacy policy, maintaining records of processing activities, data retention periods etc. (examples from the health sector)

 

DELIVERABLES

D1 - General Training Module (GTM)

Presentation that will be used by AZOP staff to conduct training for DPOs for a duration of 10 hours

Ready-to-use final exams with correct answers (each test with 50 questions and answers)

D2 - Sectoral Training Modules – Public Education (STM-PE)

Presentation that will be used by AZOP staff to conduct training for DPOs for a duration of 10 hours

Ready-to-use final exam with correct answers (50 questions and answers)

D3 - Sectoral Training Modules – Public Health (STM-PH)

Presentation that will be used by AZOP staff to conduct training for DPOs for a duration of 10 hours

Ready-to-use final exam with correct answers (50 questions and answers)

D4 - Train-the-trainers sessions (simulation of Data protection training for DPOs) for a duration of 30 hours for AZOP staff who will conduct a data protection training programme for DPOs.

 
