AZOP (Croatia) - Decision 08-03-2022 (supermarket chain)

From GDPRhub
AZOP (Croatia) - Decision 08-03-2022 (supermarket chain)
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 08.03.2022
Fine: 675000 HRK
Parties: n/a
National Case Number/Name: Decision 08-03-2022 (supermarket chain)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA imposed a fine of approximately €89,000 against a super market chain for lacking to implement appropriate security measures for the processing of personal data (in violation of several provisions under Article 32 GDPR) after an employee recorded video surveillance footage with their mobile phone and shared it on social media.

English Summary

Facts

The controller is an supermarket chain owner. The DPA received the data subject's complaint, which stated that employees of the controller, without authorisation and contrary to internal acts and instructions of the controller, recorded video surveillance footage with a mobile phone and distributed it to the public through social media. Moreover, this recording remained available on social media. The DPA then investigated the matter further.

Holding

The DPA found that the controller did not take appropriate measures to prevent its employee from filing the video surveillance with their phone.

The DPA considered that the controller took certain organisational measures, such as the education of employees, and the adoption of internal acts that prescribed the authorisation of access to video surveillance. Moreover, the controller required employees to sign a confidentiality statement. However, according to the DPA, this was not enough. First, the controller did not supervise, test, evaluate and determine the effectiveness these measures (Article 32(1)(d) GDPR). Second, the controller did not ensure the ongoing confidentiality, integrity, availability of personal data (Article 32(1)(b) GDPR). Hence the controller did not take appropriate organisational and technical security measures that could have minimised the risk of the same, or a similar violation. Therefore, the DPA concluded that the controller violated Article 32(1)(b), Article 32(1)(d), Article 32(2), and Article 32(4) GDPR.

Therefore, the DPA decided to impose a fine of HRK 675,000 (approx. €89,000).

Comment

Regarding the height of the fine, the DPA mentioned that "corrective measures in the form of administrative fines are effective, proportionate and dissuasive and that the amount is fully appropriate to the circumstances of both cases". However, due to the limited reasoning, it is unclear why the controller found that this amount was effective, proportionate and dissuasive.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Administrative fine for failure to take appropriate security measures for the processing of personal data

The Personal Data Protection Agency imposed an administrative fine in the amount of HRK 675,000.00 for failure to take appropriate security measures for the processing of personal data by the retail chain (hereinafter: the Company) as the controller, contrary to Article 32, paragraph 1, item b) and d) and paragraphs 2 and 4 of the General Data Protection Regulation, which led to the unauthorized processing of personal data of respondents through their public publication on social networks and in the media.

The Agency for Personal Data Protection received from the Company a Report on Violation of Personal Data of Respondents stating that employees of the Company unauthorisedly and contrary to internal acts and instructions of the Company, recorded video surveillance footage and distributed it to the public. networks and the media, and it remains available.

It was determined that the Company did not take adequate actions to prevent its employee from taking a video surveillance monitor image using a mobile device. Namely, the Company took certain organizational protection measures such as employee education, adoption of internal acts prescribing authorization to access videos and signing a confidentiality statement for employees, but did not take appropriate organizational and technical security measures, neither before nor after the incident, and which could reduce the risk of the same or similar injury to a minimum.

Also, the processing manager did not regularly monitor the implementation of technical and organizational measures aimed at ensuring the confidentiality, integrity and availability of personal data, or failed to regularly test, evaluate and determine the effectiveness of technical and organizational measures to ensure security of video surveillance.

In this case, there was a violation of the obligations of the controller by failing to implement appropriate technical security measures for personal data processing, for which violation of the General Data Protection Regulation prescribes the imposition of administrative fines in accordance with Article 83 (4) (a). EUR 000 000 or, in the case of undertakings, up to 2% of the total annual worldwide turnover for the preceding financial year, whichever is greater.