AZOP (Croatia) - Decision 05-10-2023: Difference between revisions

AZOP - Decision 5-10-2023
Authority:	AZOP (Croatia)
Jurisdiction:	Croatia
Relevant Law:	[5(2) GDPR] Article 6(1) GDPR Article 9(2) GDPR Article 12(1) GDPR Article 13 GDPR Article 32(1)(b) GDPR Article 32(2) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:	22.03.2023
Decided:	05.10.2023
Published:	05.10.2023
Fine:	5470000 EUR
Parties:	EOS Matrix d.o.o.
National Case Number/Name:	Decision 5-10-2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Croatian
Original Source:	AZOP (in HR)
Initial Contributor:	Karlo Paljug

The Croatian DPA imposed an administrative fine in the amount of EUR 5,470,000.00 on EOS Matrix d.o.o., a debt collection agency, for multiple GDPR violations.

English Summary

Facts

On 22 March 2023, the Croatian DPA received an anonymous submission stating that EOS Matrix d.o.o., a debt collection agency (the controller), had unlawfully processed a large amount of personal data. The DPA received a USB stick containing perosonal data including first and last name, date of birth and identification number of 181,641 persons who had outstanding debts to creditors that were acquired by EOS Matrix. In addition to this, the database also included personal data of 294 people who were minors at the time of processing.

On the basis of this information, the Croatian DPA started an own volition investigation.

Holding

In its investigation, the Croatian DPA found several processing activities by the controller to be in violation of the GDPR.

First, the DPA held that the controller infringed the provisions of Article 32(1)(b) GDPR and Article 32(2) GDPR since it failed to take appropriate technical measures to protect personal data contained in its database taking into account the given risks. As a matter of fact, the controller failed to implemented an alarm system that would notify it of anomalies in the processing activites and lost control over an important amount of personal data.

Secondly, the DPA found that the controller lacked a legal basis under Article 6(1)(a) GDPR to process personal data in its database of data subjects who were not in a debtor-creditor relationship with the controller nor legal representatives of debtors.

Thirdly, the controller unlawfully processed special categories of personal data, in particular data concerning the health status of data subjects, including individual diagnoses, without an appropriate legal basis under Article 6(1) GDPR and under Article 9(2) GDPR. Further, in relation to this, the controller failed to specify in its privacy policies that data concerning health of data subjects would be processed, which is contrary to Article 12(1) GDPR, Article 13(1) GDPR and Article 13(2) GDPR.

Lastly, the DPA held that the controller unlawfully recorded telephone conversations with data subjects in the period between 25 May 2018 and 16 January 2019 as it lacked a legal basis under Article 6(1) GDPR to do so and which constitutes a violation of Article 5(2) GDPR too. In this respect, the DPA also found that the controller had infringed Article 12(1) GDPR for failing to clearly inform data subjects about such processing activities.

In light of all this, the Croatian DPA issued a fine in the amount of EUR 5,470,000.00 against EOS Matrix d.o.o. for the above mentioned GDPR violations.

Comment

This decision is highly relevant as this is the highest fine ever imposed by the Croatian DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

DPA has concluded: 
1. The controller did not take appropriate technical measures to protect the processing of the personal data contained in the storage systems, which is contrary to Article 32 paragraph 1 point b) and paragraph 2 of the GDPR;
2. The controller processed the personal data of respondents who are not in a debtor-creditor relationship in their database without the existence of a legal basis from Article 6, paragraph 1 of the GDPR;
3. The controller processed special category (health data) in its database without the existence of a legal basis from Article 6, paragraph 1, and in connection with this, Article 9, paragraph 2 of the GDPR;
4. The data controller did not inform the data subjects in a transparent and prescribed manner about the processing of their health data in the privacy policies, which is contrary to Article 12 paragraph 1 of the GDPR and, in this regard, to Article 13 paragraphs 1 and 2;
5. For the recording of telephone conversations with data subjects in the period from May 25, 2018 to January 16, 2019, the data controller did not have an established legal basis from Article 6, paragraph 1 of the GDPR, and in this connection there was also a violation of Article 5, paragraph 2;
6. The controller did not inform the data subjects in an understandable and clear way about the processing of personal data in the form of recording telephone conversations, and thus acted contrary to Article 12, paragraph 1 of the GDPR.

Regarding the point 1 it was determined that the data controller did not implement sufficient TOM that could timely recognize in the processing system (the main database in which personal data of about 370,000 data subjects are processed) activities that deviate from the usual ones (e.g. increased number of retrievals data in the database, transfer of data outside the system, compromise of user access, etc.). Precisely because of deficiencies in the security system, the insecure processing of personal data on a large scale number of respondents, and the company lost control over the movement of data and could not explain the causes or methods of data exfiltration.

It was established that EOS Matrix also processed data of data subjects who are not debtors nor legal representative (most often telephone number and first and last name and residential address).

Regarding the processing of health data, it was established that EOS Matrix, after communication with respondents, actively recorded comments related to the debtor's state of health in the internal database. Particularly worrying is the situation where the health condition of the subjects was monitored down to the details of individual diagnoses, which included terminal illnesses, and which almost exposes privacy to the maximum level to persons who are authorized to access the application (database) used by EOS Matrix employees. The arguments of EOS Matrix was that data subject had provided such information. DPA stressed that this does not mean that the same can be actively entered into the database. As a result of the above, it cannot be considered that there is an exception for the processing of health data from Article 9, paragraph 2, point e) of the GDPR. Furthermore, the reference to the legal basis regarding the execution of the contract, as well as the legitimate interest (which was referred to by the company in question) cannot be a legal basis either, since the processing of health data is not necessary to achieve the intended purpose. If the goal is better collection towards the debtor and avoidance of communication due to the health condition, then the same purpose could be achieved by recording a general comment about the need to avoid contact for a certain period of time due to the personal condition of the debtor, without highlighting precise health data.

Also, and related to the processing of health data, it was determined that EOS Matrix defined that it does not and will not process health data. This method resulted in non-transparent processing of data.

Also, in the period from May 25, 2018 to January 16, 2019, the data of 49,850 data subjects were processed, i.e. telephone conversations were recorded without determining the legal basis. The test of legitimate interest was conducted on January 16, 2019. 

Furthermore, regarding the recording of telephone conversations, it was established that EOS Matrix since 2014 has been using the functionality of recording telephone conversations with debtors, but indicating that the conversation "may" be recorded. 

It has not been determined how exactly 181,641 personal data were exfiltrated, and considering that in this specific case it is a question of the possible commission of the criminal offense of unauthorized use of personal data and criminal offenses against computer systems, programs and data, and also under the jurisdiction of the Ministry of the Interior. The DPA actively cooperates with the Zagreb Police Department and the Zagreb Municipal State Attorney's Office, which conduct investigative activities.

As a result of the above, it was undoubtedly established that the personal data submitted to the DPA via USB stick were excluded from the database of EOS Matrix!