GDPR for SMEs: blessing or curse?
Security breach of telecoms company


It has been more than three years since the EU General Data Protection Regulation (GDPR) (2016/679) took effect on 25 May 2018. On the same date, the Croatian legislature enacted the Act on the Implementation of the General Data Protection Regulation (the act) (Official Gazette 42/2018) to create an adequate framework for the implementation of the GDPR.

The act sets clear and extensive rules regarding the processing of certain categories of data (eg, biometric data, video surveillance data and children's data) and carefully elaborates the Personal Data Protection Agency's (AZOP's) powers and duties, composition and proceedings.

Nevertheless, as life itself undergoes changes faster than the law, the AZOP has published numerous opinions, recommendations and clarifications on specific data processing issues that have arisen in the past three years to overcome certain legal gaps. Unsurprisingly, many of these opinions, recommendations and clarifications concern the processing of personal data in the context of the covid-19 outbreak.

GDPR for SMEs: blessing or curse?

The past three years have shown that small and medium-sized enterprises (SMEs) are one of the groups most affected by the GDPR.

The GDPR has certainly transformed the way that SMEs across the region approach data privacy, but it did not happen overnight nor effortlessly. Many SMEs are still struggling with the implementation of the GDPR, particularly regarding:

  • processing employees' personal data;
  • monitoring employees' electronic communications;
  • working time records; and
  • video surveillance systems in the workplace.

Further, SMEs encounter many difficulties and face many ambiguities regarding other issues, such as:

  • data processing for marketing purposes;
  • the distinction between the function of the controller and the processor;
  • designation of the data protection officer; and
  • the content of the privacy policy.

On the one hand, being GDPR-compliant could lead to the growth of SMEs by helping to create a more trusting relationship with existing and potential customers. On the other hand, it poses a substantial financial and administrative burden.

To help SMEs overcome some of their GDPR-related difficulties, the AZOP continues to answer queries on a daily basis in the form of recommendations and clarifications published on its website. The AZOP also provides direct guidance to SMEs on the practical implementation of the GDPR by coordinating the implementation of the EU project Awareness Raising Campaign for SMEs since March 2020.

Security breach of telecoms company

The GDPR has also caused difficulties for larger businesses. The latest example of this is the AZOP's decision to issue an administrative penalty against a large telecoms company from Zagreb for failure to take appropriate technical measures. In a 5 July 2021 statement, the AZOP elaborated on its decision regarding a security breach of the telecoms company, which led to the unauthorised processing of the data of 28,085 individuals. The incident, which took place in September 2020, was reported to the AZOP by the company itself. The company also informed the users of its services in writing about the potential breach of personal data.

The AZOP found that the company had failed to take the necessary measures to achieve an adequate level of security in accordance with the risks ascertained and that it had acted contrary to articles 32(1)(b), 32(1)(d) and 32(2) of the GDPR. The AZOP therefore issued a fine of an undisclosed amount.


Although the GDPR is often perceived as an unnecessary administrative burden imposed by the European Union, breaches of personal data – such as that of the telecoms company case – prove how important data protection rules are for everyone.

For further information on this topic please contact Zrinka Buzatović or Ivana Manovelo at Maćešić & Partners by telephone (+385 51 215 010) or email ([email protected] or [email protected]). The Maćešić & Partners website can be accessed at