Financial Crime World

Here is the converted article in markdown format:

Croatia Enhances Data Protection Measures

The Croatian government has strengthened its data protection regulations, introducing additional safeguards to protect sensitive personal information.

Enhanced Protection Measures

According to the Regulation on the Manner of Storing and Special Measures of Technical Protection of Special Categories of Personal Data (Official Gazette, No. 139/04), credit reports, criminal records, and medical data are subject to enhanced protection measures.

  • These types of data must be processed under strict observation of processing conditions set forth in the Personal Data Protection Act and other relevant regulations.
  • For example, credit reports can only be transferred for credit risk analysis purposes or to institutions established to collect and disseminate information on the creditworthiness of legal entities and individuals.
  • Medical record data must comply with specific requirements, including obtaining prior written consent from patients and limiting use to the original purpose for which the data was collected. Criminal records are subject to special measures, requiring supervision by competent authorities before processing.

Transfer Restrictions

While there is no specific reference to credit reports in the law governing the prevention of money laundering and terrorist financing, any transfer of these reports must be done in accordance with processing conditions set forth in the Personal Data Protection Act.

  • Transfers for credit risk analysis purposes or to institutions established to collect and disseminate information on the creditworthiness of legal entities and individuals are not considered a violation of secrecy obligations.

Risk-Based Approach

Croatia has adopted a risk-based approach to combating money laundering and terrorist financing. This approach involves identifying and assessing the risks associated with specific transactions, customers, or activities, and implementing measures to mitigate those risks.

Identification and Verification Requirements

Institutions and persons performing customer identification and verification must ensure that original documents are not more than three months old at the time of submission.

  • Legal entities can be identified and verified through a direct examination of court or other public registers.
  • Legal representatives must provide original personal identification documents.
  • Beneficial ownership information is also subject to specific requirements, including examining originals or notarised copies of documents from a court or other public register, or collecting data directly from written statements provided by the customer’s legal representative or person authorized by power of attorney.

Case Law and Other Regulations

EU case law on data protection, as applied in Croatia since July 2013, may impact on the transfer of information. Additionally, the Credit Institutions Act includes a bank secrecy section aimed at protecting confidential information, which can be disclosed to the Anti-Money Laundering Office under specific circumstances.

In summary, Croatia’s enhanced data protection measures aim to provide an additional layer of security for sensitive personal information, while also facilitating international cooperation and information exchange in combating money laundering and terrorist financing.