Anamarija Mladinić’s research while affiliated with State Institute for Nature Protection - Croatia and other places

Personal data protection is an ethical issue. In this study we analyzed how research ethics committees (RECs) and data protection officers (DPOs) handle personal data protection issues in research protocols. We conducted a mixed-methods study. We included heads (or delegated representatives) of RECs and DPOs from universities and public research institutes in Croatia. The participants provided information about data protection issues in research and their mutual collaboration on those issues through structured interviews that contained closed and open-ended questions. Qualitative description was used to analyze open-ended questions. The results showed that 55% of the REC representatives were not aware who was DPO in their institution. Among RECs, 65% never contacted the DPO. There were 61% of RECs who reported that they received no training from the organization on personal data protection. When asked about barriers to personal data protection in their institutions, 26% of REC members highlighted the lack of a clear protocol for assessing personal data protection issues, while 30% of DPOs mentioned lack of knowledge among researchers about personal data. In conclusion, we found that when it came to protecting personal data in research protocols, RECs and DPOs hardly ever worked together. When developing future personal data protection policies for academic and scientific research institutions, it is essential that RECs and DPOs should collaborate and both continue to expand/update their knowledge on personal data protection procedures.

The General Data Protection Regulation (EU) 2016/679 which applies uniformly since 25th May 2018 in the European Economic Area (EEA) requires small and medium enterprises (SMEs) to respect the right to personal data protection of their clients, customers, and employees. The GDPR is designed to strengthen the data protection rights of all individuals within the EEA ensuring more effective protection for consumers and increased privacy considerations for businesses. However, even after more than four years of its entry into full application, the implementation of the GDPR is still an issue for Croatian SMEs, who, unlike the larger companies, very often lack the human and financial resources to comply with the data protection legal framework. This paper covers theoretical considerations and results of an online survey conducted with 345 SMEs in the Republic of Croatia with the aim to gain insights into their GDPR compliance hurdles. The results of the study have shown that the level of understanding of obligations arising from the GDPR among Croatian SMEs is rather low and that compliance with the data protection legal framework is not at a satisfactory level.

Objective Data protection authorities (DPAs) are independent public authorities supervising the application of the data protection law. There is one DPA in each European Union (EU) Member State. Workload and procedures used by European DPAs were analyzed via a cross-sectional study. Results DPAs from 13 countries participated: Austria, Bulgaria, Croatia, Estonia, Finland, Greece, Italy, Latvia, Liechtenstein, Lithuania, Norway, Romania, and Slovakia. Responding to opinion/guidance requests in DPAs was highly heterogeneous. Procedure types used by DPAs varied, from telephone-based advisory service in Norway to a formal legal opinion in Austria. The deadline for responding to the requests varied considerably in DPAs. The number of opinion/guidance requests sent by data controllers and processors, and the number of opinion/guidance requests and complaints sent by data subjects, increased from 2015 to 2018 when the General Data Protection Regulation (GDPR) came into full effect; it decreased in 2019. Few DPAs organized education about data protection for the research community. In conclusion, the procedures and workload of DPAs in the EU were highly variable. It is important to study these aspects further, as they may assist in tailoring future data protection policies and procedures at the EU level.

[This corrects the article DOI: 10.11613/BM.2021.030703.].

Introduction: General Data Protection Regulation (GDPR) focuses on important elements of data ethics, including protecting people's privacy, accountability and transparency. According to the GDPR, certain public institutions are obliged to appoint a Data Protection Officer (DPO). However, there is little publicly available data from national EU surveys on DPOs. This study aimed to examine the scope of work, type of work, and education of DPOs in institutions in Croatia. Materials and methods: During 2020-2021, this cross-sectional study surveyed DPOs appointed in Croatia. The survey had 35 items. The questions referred to their appointment, work methods, number and type of cases handled by DPOs, the sources of information they use, their experience and education, level of work independence, contacts with ethics committees, problems experienced, knowledge, suggestions for improvement of their work, changes caused by the GDPR, and sociodemographic information. Results: Out of 5671 invited DPOs, 732 (13%) participated in the study. The majority (91%) indicated that they could perform their job independently; they did not have prior experience in data protection before being appointed as DPOs (54%) and that they need additional education in data protection (82%). Conclusions: Most DPOs indicated that they had none or minimal prior experience in data protection when they were appointed as DPO, that they would benefit from further education on data protection, and exhibited insufficient knowledge on basic concepts of personal data protection. Requirements for DPO appointments should be clarified; mandatory education and certification of DPOs could be introduced and DPOs encouraged to engage in continuous education.

Introduction: The European Union's (EU) General Data Protection Regulation (GDPR) was put in force on 25th May 2018. It is not known how many personal data protection requests the national authority in Croatia had received before and after GDPR, and how many of those were related to research. Materials and methods: We obtained data from the Croatian Personal Data Protection Agency (CPDPA) about requests/complaints related to personal data protection that were received specifically from academic/research institutions, specifically the number and type of all cases/requests between the years 2015-2019. Results: In 2018, CPDPA had a dramatic increase in the number of requests in the post-GDPR period, compared to the pre-GDPR period of the same year. In 2019, CPDPA received 2718 requests/complaints; less than in the year 2018. From 2015 to 2019, CPDPA received only 37 requests related to research. Conclusions: Very few requests about personal data protection from academic and research institutions in Croatia were submitted to the national Croatian data protection authority. Future studies could explore whether researchers have sufficient awareness and knowledge about personal data protection related to research, to adequately implement the GDPR regulations.