Centre for Social Welfare – Complaint Upheld (Croatia, 2022)

In March 2022, the Center for Social Welfare (the controller) published a decision on using remaining annual leave for 2021 on its bulletin board. It included the first and last names and the number of used and remaining holidays of the data subject and other of the controller's employees. The data subject doubted the lawfulness of the publication and therefore filed a complaint at the Croatian DPA. The DPA held that the controller did not prove the existence of a valid legal basis for the publication of employees' personal data on the bulletin board. First, arguing around the possible controller's legitimate interests, the DPA pointed out that the controller failed to carry out a proportionality test which should consider a number of factors to ensure that the interests and fundamental rights of data subjects are taken into account. Second, the DPA held that the controller was not under a legal obligation to process these data. Article 29 of the Croatian Labour Act and Article 5(4) of the Labour Law Rulebook (Official Gazette, no. 73/17) refer, among others, to maintaining records of employees' working time as part of the employer's legal obligation. However, the DPA empshasised that Croatian labour law does not, in fact, prescribe the publication of this data. Consequently, the DPA held that the controller violated Articles 5 and 6 GDPR. In addition, it ordered the controller to stop further processing of any personal data of the data subject or other employees on its bulletin board without a valid legal basis.