AZOP (Croatia) - Decision 08-03-2022 (supermarket chain)

From GDPRhub
Revision as of 21:58, 8 March 2022 by Presido croatia
AZOP (Croatia) - Decision of 8 March 2022 - Unknown supermarket chain
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 08.03.2022
Fine: 675000 HRK
Parties: n/a
National Case Number/Name: AZOP (Croatia) - Decision of 8 March 2022 - Unknown supermarket chain
European Case Law Identifier: CRO
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA (AZOP) imposed a fine of HRK 675,000 (approx. €89,000) on a controller for failing to take adequate security measures for the processing of personal data, in violation of Article 32(1)(b) and (d), Article 32(2) and Article 32(4) GDPR.

English Summary

Facts

The controller owns a supermarket chain. The Croatian DPA received a personal data breach report stating that employees of the controller, without authorisation and contrary to the controller's internal acts and instructions, recorded video surveillance footage with a mobile device and distributed it to the public through social networks and the media. The recording remained available.

Holding

It was determined that the controller did not take adequate actions to prevent its employee from capturing the image of a video surveillance monitor with a mobile device. The controller had taken certain organisational protection measures, such as employee training, adoption of internal acts prescribing who is authorised to access the footage, and having employees sign a confidentiality statement, but it did not take appropriate organisational and technical security measures, neither before nor after the incident, that could have reduced the risk of the same or a similar harm to a minimum.

Also, the controller did not regularly monitor the implementation of the technical and organisational measures aimed at ensuring the confidentiality, integrity and availability of personal data, and failed to regularly test, assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of the video surveillance.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Administrative fine for failure to take appropriate security measures for the processing of personal data

The Personal Data Protection Agency imposed an administrative fine in the amount of HRK 675,000.00 for failure to take appropriate security measures for the processing of personal data by the retail chain (hereinafter: the Company) as the controller, contrary to Article 32, paragraph 1, item b) and d) and paragraphs 2 and 4 of the General Data Protection Regulation, which led to the unauthorized processing of personal data of respondents through their public publication on social networks and in the media.

The Agency for Personal Data Protection received from the Company a Report on Violation of Personal Data of Respondents stating that employees of the Company, without authorisation and contrary to internal acts and instructions of the Company, recorded video surveillance footage and distributed it to the public through social networks and the media, and it remains available.

It was determined that the Company did not take adequate actions to prevent its employee from taking a video surveillance monitor image using a mobile device. Namely, the Company took certain organizational protection measures such as employee education, adoption of internal acts prescribing authorization to access videos and signing a confidentiality statement for employees, but did not take appropriate organizational and technical security measures, neither before nor after the incident, and which could reduce the risk of the same or similar injury to a minimum.

Also, the processing manager did not regularly monitor the implementation of technical and organizational measures aimed at ensuring the confidentiality, integrity and availability of personal data, or failed to regularly test, evaluate and determine the effectiveness of technical and organizational measures to ensure security of video surveillance.

In this case, there was a violation of the obligations of the controller by failing to implement appropriate technical security measures for personal data processing, for which violation of the General Data Protection Regulation prescribes the imposition of administrative fines in accordance with Article 83 (4) (a). EUR 000 000 or, in the case of undertakings, up to 2% of the total annual worldwide turnover for the preceding financial year, whichever is greater.