AZOP (Croatia) - Decision 13-09-2023

From GDPRhub
Revision as of 07:58, 24 October 2023 by Co
AZOP - Decision of 13 September 2023 - Zagrebački Holding
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 13(1)(c) GDPR
Article 13(2)(a) GDPR
Article 13(2)(e) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.09.2023
Fine: 25000 EUR
Parties: n/a
National Case Number/Name: Decision of 13 September 2023 - Zagrebački Holding
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA (AZOP) imposed an administrative fine of EUR 25,000 on Zagrebački holding d.o.o., the public service company of the city of Zagreb, as controller, because it had no clear rules for identifying users who requested invoice copies and had not put appropriate technical and organizational measures in place.

English Summary

Facts

The AZOP received a data subject's complaint stating that Zagrebački holding d.o.o., which runs several public services in the city of Zagreb, requested a copy of the user's identity card before issuing a copy of the bill via e-mail. The complainant stated that for the same service, for the purpose of identification, it had previously been sufficient to submit one's name, surname, address, identification number (OIB), system number of the facility and system number of the payer.

Upon receiving this complaint, the AZOP launched a formal investigation into the controller's processing activities.

Holding

During the investigations, the AZOP found multiple breaches of GDPR.

First, the AZOP held that the controller had no prescribed procedure for identifying users who request delivery of a copy of the invoice via e-mail. In fact, the AZOP found that the controller asked only those users whose e-mail address did not contain their first and last name to provide a copy of an identification document. The AZOP held that this means, first, that there is no uniform processing practice that data subjects can expect and, second, that relying on the presence of the user's name and surname in the e-mail address cannot be said to constitute a sufficient guarantee that the request actually came from that user. Consequently, the AZOP held that the controller failed to take appropriate technical and organizational measures when processing personal data for the purpose of identifying service users in connection with the issuance of invoice copies via e-mail, thereby violating Article 25(2) GDPR.

Furthermore, the AZOP found that the controller did not adequately inform service users about the legal basis for the processing and the storage period of their personal data when collecting a copy of their identification documents. In this way the controller violated Article 13(1)(c), Article 13(2)(a) and Article 13(2)(e) GDPR, under which a controller is obliged, at the time of collection, to provide data subjects with all information about the processing of their personal data (among others, the purpose and legal basis for the processing and the period for which the personal data will be stored) in a concise, understandable and easily accessible form, using clear and plain language.

For these reasons, the AZOP imposed a fine of EUR 25,000 on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Personal Data Protection Agency imposed an administrative fine on the data controller, Zagrebački holding d.o.o., in the amount of EUR 25,000.00 (HRK 188,362.50) for the following violations of the General Data Protection Regulation:

The controller did not adequately inform service users about the legal basis for processing personal data and the period of storage of personal data when collecting a copy of a personal identification document for the purpose of issuing a copy of the invoice via e-mail, thus acting contrary to Article 13(1)(c) and Article 13(2)(a) and (e) of the General Data Protection Regulation. Under those provisions, where personal data are collected from the data subject, the controller is obliged at the time of collection to provide the data subject with all information about the processing of their personal data (for example, the purpose and legal basis for the processing and the period for which the personal data will be stored) in a concise, understandable and easily accessible form, using clear and plain language.

The controller did not take appropriate technical and organizational measures when processing personal data for the purpose of identifying service users in connection with the issuance of invoice copies via e-mail, thereby violating Article 25(2) of the General Data Protection Regulation.

The Personal Data Protection Agency had received a citizen's submission stating that Zagrebački holding d.o.o. requested a copy of the identity card from the service user before issuing a copy of the bill (fee for water treatment and utility fee) via e-mail. The submission also stated that for the same service, for the purpose of identification, it had previously been sufficient to submit the name, surname, address, OIB, system number of the facility and system number of the payer.

In the proceedings it was established that the controller has no prescribed rules for identifying a service user who requests delivery of a copy of the invoice via e-mail, and that it collected copies of the user's identification document via e-mail only where fraud was suspected. Specifically, Zagrebački holding requested a copy of the personal identification document from users whose e-mail address contained a name different from the name and surname of the service user, that is, where the name and surname of the service user requesting a copy of the invoice via e-mail did not match the structure of the e-mail address from which the request was sent. The mere construction of an e-mail address that contains the matching first and last name is not a protective measure that gives the controller a sufficient guarantee that the request was made by the actual service user. It was therefore established that the controller failed to implement appropriate technical and organizational protection measures, i.e. to organize the process of identifying service users who requested a copy of the invoice via e-mail, thereby acting contrary to Article 25(2) of the General Data Protection Regulation.

The controller should have designed its e-mail identification process so that the identification of service users is the same for all users, regardless of the structure of their e-mail address. Under the procedure as applied, service users whose e-mail address does not contain their first and last name cannot communicate remotely, or request a copy of the invoice via e-mail, without submitting a personal identification document.

This method of identification also resulted in insecure processing in the form of the collection of copies of personal identification documents, while data subjects who were asked to submit identification documents without being given all the relevant information experienced a loss of control over their personal data.

The controller also failed to transparently inform service users about the legal basis for collecting personal data (copies of identity cards) for identification purposes. This information was not available to data subjects either in the documents on the processing of personal data published on the controller's official website, or after data subjects directly requested information about the processing via e-mail, which is contrary to Article 13(1)(c) and Article 13(2)(a) and (e) of the General Data Protection Regulation.