Application for access to and/or rectification, erasure or blocking of personal data held pursuant to the
U.S. Terrorist Finance Tracking Program (TFTP)

Information

Article 15 of the Agreement between the United States of America and the European Union on the Processing and Transfer of Financial Messaging Data from the European Union to the United States for the Purposes of the Terrorist Finance Tracking Program (hereafter: the TFTP Agreement) provides the ability to seek access to personal data processed under the Agreement. Article 16 provides the ability to seek rectification, erasure or blocking of personal data that are inaccurate or processed in contravention of the Agreement. Articles 15 and 16 provide that your national data protection authority will act as intermediary to the U.S. Treasury Department, which administers the TFTP.

If you wish to make a request pursuant to Article 15 and/or Article 16 of the TFTP Agreement, please fill out the attached identification form (Form A), as well as the request form(s) (Form(s) B and/or C) and waiver form (Form D). This is the information that is needed by the U.S. Treasury Department to conduct a thorough and accurate review in response to your request.

Proof of identity
Your national data protection authority needs to be satisfied that you are who you say you are. Consequently, we require you to provide evidence of your identity by supplying a photocopy of a driving licence, passport, identity card or other official identity document containing your photograph and bearing your signature. Please see Annex 2 for an overview of the official means of identification in your country.

Your national data protection authority will verify your identity based solely on the information you provide. The photocopy of your proof of identity will not be transferred to the U.S. Treasury Department, but will remain with your national data protection authority. No later than six months after the file related to your Article 15 and/or Article 16 request has been closed, this photocopy will be destroyed.

Please note that this procedure only applies to individuals with the nationality of one of the EU Member States and those permanently residing in one of the countries of the European Union.

Procedure
In order to start your application for access, please ensure you send at least the following information in hard copy to your data protection authority (see Annex 1):

• Identification Verification Form (Form A) - fully completed and signed
• Article 15 Access Request Form (Form B) - fully completed and signed and/or
• Article 16 Rectification, Erasure or Blocking Request Form (Form C) - fully completed and signed
• Waiver form (Form D) - fully completed and signed
• Photocopy of an official means of identification bearing your signature1 (see Annex 2)

Further information regarding your request may be provided in a separate letter. Please ensure that you have clearly indicated whether you authorize the transfer of the additional information to the U.S. Treasury Department. Without explicit authorization to transfer the additional information to the U.S. Treasury Department, that information will only be retained by your national data protection authority and will not be used by the U.S. Treasury Department to help process the request.

Upon its receipt of your application, your national DPA will forward Form D and Form(s) B and/or C to the U.S. Treasury Department. Your national DPA will keep you informed about the procedure and after a response is provided to your national DPA by the U.S. Treasury Department, your national DPA will forward the information regarding your request to you without undue delay. However, please bear in mind that the response to your access request may be very limited, given the nature of the Terrorist Finance Tracking Program.

Further information
For further information about the TFTP Agreement and requests pursuant to Article 15 and/or Article 16, please see www.treasury.gov/tftp

One of many tasks and obligations of the Croatian Personal Data Protection Agency (CPDPA) is to take part in international conferences and working parties either as an active member or as an observer. Thanks to its regular and active participation on the international scene the Agency contributes to a continuous work development, search for better solutions, harmonisation of the Croatian legislation in the field of personal data protection with the highest European and international norms and standards and finally to a meet obligations arising from international conventions signed and ratified by the Republic of Croatia.

Council of Europe (Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data)

Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the first internationally binding instrument, which protects an individual from possible misuses of his/her personal data in the process of data collecting and processing. The Convention also regulates cross-border transfers of personal data.

The Convention 108 has been adopted by the Council of Europe in Strasbourg on January 28th, 1981. The Council of Europe has established the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD). The Republic of Croatia is one of 40 members of the Council of Europe, which have signed and ratified the Convention 108. By being a full member with the right to vote Croatia takes an active part in the plennary meetings of the Consultative Committee (T-PD).

Spring Conference

The Spring Conference is a regular and the biggest conference of the European data protection and privacy commissioners, which takes place at least once a year. The commissioners exchange the data and privacy protection experiences of their countries, they adopt resolutions and make recommendations to the bodies of the EU, the Council of Europe and others. The CPDPA has become a full member to the Spring Conference at the conference held in Rome in 2008.

Working Party on Police and Justice

Having obtained full member status at the Spring Conference the CPDPA is entitled to take part in the activities of the Working Party on Police and Justice. This working party faces ever bigger challenges in terms of protection of individual's personal data and privacy in the framework of law enforcement bodies' activities.

Article 29 Working Party

Article 29 Working Party represents an independent consultative body of the European Union in the field of personal data and privacy protection. Its tasks are defined in Article 30 of the Directive 95/46/EC and Article 14 of the Directive 97/66/EC, covering expert opinion making, consultations and recommendations to the European Commission in relation to personal data and privacy protection. The CPDPA enjoys a full membership. The meetings of the Working Group take place in Brussels.

INTERPOL

A CPDPA expert for electronic data processing (EDP) has been elected for a member of the Commission for the Control of INTERPOL's Files as the biggest international criminal police organisation. This has confirmed the readiness of the Croatian staff to perform the most complex tasks in international bodies.

EUROPOL

The European Police Office has been established in 1992 in order to prevent and fight against organized crime. Its headquarters are located in The Hague.

The Republic of Croatia has an EUROPOL Liaison Officer (ELO) for the purpose of data exchange via Information System, through which also personal data are being transferred. Since the liaison officer is an employee of the Ministry of Interior of the Republic of Croatia, this Ministry cooperates well with CPDPA in order to ensure an appropriate use of information containing personal data, which are being collected, exchanged and processed outside of Croatia via Europol Information System.

EUROJUST

EUROJUST is an EU body established in 2002 with headquarters in The Hague. The main objective is to reinforce the effectiveness of cooperation and coordination between competent bodies of the EU Member States in terms of investigation of serious cross-border organized crime and prosecution procedures as well as in terms of providing more complex forms of international legal aid in criminal matters and for the purpose of accelerating of extradition procedures.

The Republic of Croatia has signed an agreement with EUROJUST on November 9th, 2001 in Brussels. Since the Republic of Croatia and the EUROJUST exchange information containing also personal data, regular exchanges of opinions take place as well as supervision over fulfillment of CPDPA's obligations arising from the Agreement.

International Conference of Data Protection and Privacy Commissioners

This international conference gathers for already 30 years cca 78 personal data and privacy commissioners from all over the world. Open sessions of the Conference invite amongst others the economic and public sector and NGOs. The closed session is reserved for accredited data protection authorities, which discuss key issues and adopt resolutions referring to personal data and privacy protection. At the Conference held in Strasbourg in 2008 the Republic of Croatia represented by the CPDPA has obtained a full member status.

Meeting of the Central and Eastern European Data Protection Authorities (CEEDPA)

The EU Member States and candidate countries from the Central and Eastern Europe (Bulgaria, Czech Republic, Estonia, Latvia, Lithuania, Hungary, Former Yugoslav Republic of Macedonia, Poland, Roumania, Slovakia, Slovenia and Croatia) sharing the common history continue their cooperation in the field of personal data and privacy protection.

In the last 10 years they have been organising regular annual meetings under the title "Meeting of the Central and Eastern European Data Protection Authorities" - the host of which is every year another member. The host of the 9th CEEDPA Meeting in 2007 in Zadar has been the Republic of Croatia and the CPDPA has been its organizer.

L’Association francophone des autorités de protection des données personnelles (AFAPDP)

The main objective of this Association and its conference is to foster exchange of experiences and to improve personal data and privacy protection in all Francophone countries. The conference can be attended also by countries, which have not yet established indipendent data protection authorities and the legal framework of which does not yet foresee personal data protection.

L’Association francophone des autorités de protection des données personnelles (AFAPDP) has been established at the first Francophone conference held in September 2007 in Motréal in Canada. The CPDPA is a full member of the Association.