Court case Us I-199/2025-9 – Court Ruling (Croatia, 2025)

On 28 January 2025, the Croatian Personal Data Protection Agency (AZOP) dismissed a complaint from a data subject who alleged that an education inspector had disclosed his personal data to the principal of a music school in Rijeka. The data subject claimed that the inspector copied him on an email to the principal without his consent, revealing his identity and breaching the GDPR and the Croatian implementing act. AZOP rejected the complaint, stating that there were no legal grounds to open a procedure, without assessing whether the data subject’s rights had been violated. They argued that the data subject’s allegations were about breaches of sectoral rules governing inspections, not about GDPR violations and consequently they lacked competence. The data subject challenged this decision before the Administrative Court in Rijeka. The Administrative Court in Rijeka annulled AZOP’s decision and sent the case back for reconsideration. The court held that AZOP could not rule on breaches of the Education Inspection Act or the inspector’s disciplinary responsibilities. However, as an independent supervisory authority under Article 51 GDPR, AZOP was competent and obliged to assess whether the data subject’s personal data had been unlawfully processed. The court found that AZOP should have examined the complaint on its merits rather than dismissing it on procedural grounds. The court required AZOP to establish the full facts, determine if unlawful processing occurred, and issue a substantive decision within 60 days. AZOP was ordered to reimburse the data subject €1,000 for legal costs while other cost claims were denied.