GDPR imposed on employers the obligation to adopt internal acts

General Data Protection Regulation (GDPR; hereinafter referred to as Regulation) has determined specific requirements for a majority of small and medium-sized enterprises regarding the implementation of a system related to the protection of personal data.
The system related to the protection of data shall be established by internal documentation regulating personal data processing operations conducted by the business enterprises.

Firstly, it would be important to identify the roles in processing operations. Each of the business enterprises is a controller for himself/herself; a controller is a person that determines the purposes and means of the processing; or the processing may be regulated by the laws such as in cases where a employer is obliged to collect, process, or transmit the employee's personal data.

The controller can entrust the carrying out of some operations in relation to the processing of personal data of data subjects (employees, suppliers, customers) to a processor who performs its tasks under the instructions and control of the controller. Processors are accounting services, software vendors, web designers et al.

In data processing procedures should be created data maps which answer questions ranging from categories, types, origins of data, purpose, legal basis, place, type of processing, information on whether the processing is performed by the processor, on the possible transfer of data and the storage period of data. In regards to these maps, there shall be implemented appropriate measures for ensuring the security of the processing which are adopted in the internal data protection policy.

The controller shall draft certain documents which are necessary to demonstrate compliance of processing activities with this Regulation in the Republic of Croatia, for example:

Author: Silvija Žužić | Lawyer Croatia | Law office Rijeka, Krk