AZOP (Croatia) - Decision 05-07-2021: Difference between revisions

From GDPRhub


The AZOP considers that the corrective measure in the form of an administrative fine is effective, proportionate and dissuasive, and fully appropriate to the circumstances of both cases.


== English Summary ==


=== Facts ===
The AZOP (Croatian Personal Data Protection Agency) imposed two new administrative fines for violating the provisions of the General Regulation on Data Protection and the Act on the Implementation of the General Regulation on Data Protection.
 
=== Dispute ===
 
 
=== Holding ===
The first administrative fine relates to the failure to take appropriate technical measures: the company providing the IT services, acting as a processor, failed to properly secure the personal data. AZOP found that the processor did not take the measures necessary to achieve a level of security appropriate to the existing and foreseeable risks and thereby acted contrary to Article 32(1)(b) and (d) and Article 32(2) GDPR, which led to the unauthorised processing of the personal data of 28,085 data subjects.
 
The second administrative fine was issued for failing to mark premises under video surveillance. AZOP carried out direct ex officio supervision of the processing of personal data, and of the enforcement of personal data protection, with respect to the collection and processing of personal data by a video surveillance system. It determined that an insurance company based in Zagreb had not indicated that its business facility (in which technical inspections and vehicle registration are carried out and insurance services are contracted) and the facility's exterior were under video surveillance. The controller, i.e. the insurance company, therefore acted contrary to Article 27(1) of the Act on the Implementation of the General Regulation on Data Protection.
 
 
== Comment ==
''Share your comments here!''

Revision as of 11:52, 5 July 2021

AZOP (Croatia) - Administrative fines, July 5th 2021
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 05.07.2021
Fine: None
Parties: n/a
National Case Number/Name: Administrative fines, July 5th 2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Info hiša

The Croatian DPA (AZOP) fined a telecommunications company for failing to take appropriate security measures for the processing of personal data. The inadequate level of security resulted in a security breach that led to the unauthorized processing of personal data of 28,085 data subjects by hackers.

English Summary

Facts

A telecommunications company in Zagreb provides IT services to mobile operators, banks and government institutions in the Republic of Croatia, but also to companies abroad (USA, UK, Netherlands, etc.). Its main service is providing opinions, guidelines, and proposed solutions to data processing managers on the implementation of web applications. The head of processing at the company in Zagreb informed the DPA, as well as the user of its services, that there had been a potential breach of personal data.

Holding

The Croatian DPA (AZOP) held that the IT services company did not take the necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks, and further violated Article 32(1)(b) and (d) GDPR. Accordingly, the DPA, in accordance with its powers under Article 58 (2) GDPR, imposed an administrative fine that it considered effective, proportionate, dissuasive and fully appropriate to the circumstances.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.