Croatian Pensions Institute – Court Ruling (Croatia, 2025)

An employee of the Croatian Pension Institute (controller) provided an employer with information about the work history and potential pension size of one of their employees (data subject) without the data subject’s knowledge or consent. The employer then used this information to pressure the data subject into retirement in order to avoid formal termination procedures and the paying of required severance payments. The data subject suffered extreme emotional distress due to fear of loss of her livelihood and took sick leave. The data subject later had to find alternative employment. The data subject brought a claim for non-material damage against the controller for the emotional distress caused by the alleged improper disclosure of her personal data. During the trial before the Kutina Munuicipal Court, the controller argued that the data subject could not show evidence of damage and that, in any event, the personal data in question was not sensitive and would be known to any employer. The Court rejected the controller’s contention that the personal data in question was not sensitive. In doing so, the Court accepted that a data breach had occurred, as there was no lawful basis for the disclosure. Accordingly, the Court found that the controller had violated Article 6 & 24 GDPR. The Court accepted that the emotional damage suffered by the data subject warranted the awarding of monetary compensation and ordered the controller to pay the data subject €1,500.