HEP Proizvodnja d.o.o. – Court Ruling (Croatia, 2026)

The data subject was employed by HEP Proizvodnja d.o.o., an electricity and heat generation provider (the controller), at one of its hydroelectric plants. Their work involved the maintenance of computer systems. Their employment was later terminated in April 2022. While the data subject was on sick leave, one of the computers located in their office stopped functioning. The data subject claimed that, because of this malfunction, they came to the workplace, disconnected and rearranged some equipment, and then left. According to the data subject, their office contained both work-related and private computer equipment, including devices and hard drives on which their personal data and the personal data of third parties were stored. The controller stated that the engineering workstation located in the office used by the data subject had lost its uninterrupted power supply due to equipment failure. It was necessary to turn it on and log in so that business processes could continue uninterrupted. The controller further claimed that the data subject appeared at the workplace despite warnings from their superiors that their presence was not needed, entered their workspace, attempted to tamper with the equipment and prevented other colleagues from accessing the computer data. The controller launched an internal investigation for the security incident. The controller stated that the processing of the data subject’s data was carried out by its Corporate Security Office and was necessary to maintain operational continuity and security of the facility. The data subject filed a complaint with the Croatian DPA. They claimed that, during the investigation, the controller unlawfully accessed and processed their personal data, including data stored on several computers and hard drives. They argued that some of the data stored there were private, that special categories of personal data were processed, and that the controller could tell from the names of certain files, before opening