AZOP (Croatia) - Decision 04-05-2023

From GDPRhub
Revision as of 07:15, 22 May 2023 by Presido croatia
AZOP - Decision of 4 May 2023 - debt collection agency
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 13(1) GDPR
Article 28(3) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 15.12.2022
Decided: 04.05.2023
Published: 04.05.2023
Fine: 2265000 EUR
Parties: n/a
National Case Number/Name: Decision of 4 May 2023 - debt collection agency
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA received an anonymous complaint against a debt collection agency, accompanied by a USB stick containing a database of personal data. The DPA launched an official investigation, in which it established several GDPR violations and imposed a fine totalling EUR 2,265,000.00.

English Summary

Facts

In December 2022, the Croatian DPA received an anonymous complaint by post stating that a debt collection agency was processing a large amount of personal data of natural persons (debtors) without authorisation. Attached to the complaint was a USB stick containing a database of debtors' personal data: first and last name, date of birth and OIB (the Croatian personal identification number) for a total of 77,317 natural persons who had outstanding debts to credit institutions and whose claims the debt collection agency had purchased under a cession (assignment) agreement. After receiving the USB stick, the DPA launched an investigation and supervisory procedure.

Holding

The key findings are: The controller did not clearly and accurately inform its data subjects about the processing of their personal data in its notice on the processing of personal data (privacy policy), in particular regarding the legal basis for the return of overpaid funds, contrary to Article 13(1) GDPR. This resulted in non-transparent processing of the data subjects' personal data (that is, incorrect information about the legal basis for processing under Article 6(1) GDPR). There were at least 132,652 data subjects at the time of the supervision; the privacy policy remained unchanged and the violation had not yet been remedied, i.e. it has lasted since 25 May 2018.

Contrary to Article 28(3) GDPR, the controller did not conclude a data processing agreement with the processor engaged for the consumer simple bankruptcy monitoring service, which put at risk the security of the personal data (OIB) of 83,896 data subjects. A contract with the processor is one of the security levers that ensures that the rules for processing personal data and the flow of data in the business relationship between controller and processor are clearly agreed, and that the controller verifies that the processor implements the technical and organisational protection measures required when processing the personal data of a large number of data subjects. The violation was found to have lasted from the acceptance of the offer for the consumer simple bankruptcy monitoring service, i.e. from 14 February 2019, until 26 February 2021, when the business cooperation ended.

The controller did not take appropriate technical and organisational protection measures when processing personal data, contrary to Article 32(1)(b) and (d) and Article 32(2) GDPR (ongoing confidentiality, integrity, availability and resilience of processing systems; regular testing and evaluation of the effectiveness of the measures; and assessment of the risk of unauthorised disclosure of or access to personal data). As a result, there was a breach of the security of the personal data of all data subjects (at least 132,652 at the time of the supervision): at least their basic identification data (first and last name, date of birth and OIB) and, consequently, all personal data entered into the debt collection agency's storage systems, which are of a financial nature and therefore quite sensitive. It was determined that the violation has been ongoing since at least 2019 and has not yet been remedied, owing to the failure to take appropriate protective measures.

The controller stated that it does not agree with the decision, emphasised that it is not responsible for a data breach, and announced that it will initiate an administrative dispute before the competent administrative court. In the meantime, it has further strengthened the already high level of protection in processing personal data and continues to process personal data exclusively in accordance with the law and with the greatest possible care.

Comment

This case is related to this one - https://azop.hr/u-tijeku-nadzorno-postupanje-nad-agencijom-za-naplatu-potrazivanja-obavijest-za-gradane/ https://dnevnik.hr/vijesti/hrvatska/veliko-curenje-osobnih-podataka-netko-moze-u-vase-ime-sklopiti-ugovor-s-teleoepraterom-a-vi-cete-se-s-tim-godinama-natezati---773512.html In May 2023 the Croatian DPA received another USB stick containing a database of personal data of debtors of another debt collection agency. Therefore, in Croatia, these cases are considered to be connected, because the two data breaches are practically identical. We are still waiting for the DPA report and/or fine for the second case. The circumstances of both data breaches are very suspicious - who left the USB stick, who may be in possession of the data of both agencies, are we talking about the same data subjects, what about the forensic investigation...


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Personal Data Protection Agency imposed an administrative fine on the controller, the debt collection agency B2 Kapital d.o.o., in the amount of EUR 2,265,000.00 (HRK 17,065,642.50) for the following violations of the General Data Protection Regulation:

1. The controller did not clearly and accurately inform its data subjects about the processing of their personal data in its notice on the processing of personal data (privacy policy), in particular regarding the legal basis for the return of overpaid funds, contrary to Article 13(1) of the General Data Protection Regulation. This resulted in non-transparent processing of the data subjects' personal data (that is, incorrect information about the legal basis for processing under Article 6(1) of the General Data Protection Regulation). There were at least 132,652 data subjects at the time of the supervision; the privacy policy remained unchanged and the violation has not yet been remedied, i.e. it has lasted from 25 May 2018 until today.

2. Contrary to Article 28(3) of the General Data Protection Regulation, the controller did not conclude a data processing agreement with the processor engaged for the consumer simple bankruptcy monitoring service, which put at risk the security of the personal data (OIB) of 83,896 data subjects. A contract with the processor is one of the security levers that ensures that the rules for processing personal data and the flow of data in the business relationship between controller and processor are clearly agreed, and that the controller verifies that the processor implements the technical and organisational protection measures required when processing the personal data of a large number of data subjects. The violation was found to have lasted from the acceptance of the offer for the consumer simple bankruptcy monitoring service, i.e. from 14 February 2019, until 26 February 2021, when the business cooperation ended.

3. The controller did not take appropriate technical and organisational protection measures when processing personal data, contrary to Article 32(1)(b) and (d) and Article 32(2) of the General Data Protection Regulation. As a result, there was a breach of the security of the personal data of all data subjects (at least 132,652 at the time of the supervision): at least their basic identification data (first and last name, date of birth and OIB) and, consequently, all personal data entered into the debt collection agency's storage systems, which are of a financial nature and therefore quite sensitive. It was determined that the violation has been ongoing since at least 2019 and has not yet been remedied, owing to the failure to take appropriate protective measures.

Namely, in December 2022 the Personal Data Protection Agency received an anonymous petition stating that a large amount of personal data of natural persons (debtors) was being processed without authorisation by the debt collection agency. A USB stick was attached containing personal data, in the structure of first and last name, date of birth and OIB, for a total of 77,317 natural persons who had outstanding debts to credit institutions and whose claims the debt collection agency had purchased under a cession (assignment) agreement.

The Agency initiated a supervisory procedure ex officio in December 2022 and conducted a procedure in which the three violations described above were established, resulting from negligent conduct by the controller (the debt collection agency). The controller bears the greatest degree of responsibility for failing to take technical protection measures, since it was precisely because of deficiencies in its security system that the insecure processing of a large amount of personal data occurred. The debt collection agency completely lost control over the movement of its data subjects' personal data and could not explain the causes of the unauthorised exfiltration (extraction) of personal data.

Also, as an aggravating circumstance in the administrative procedure, certain deficiencies in cooperation were established. Namely, after several letters sent by the Agency requesting additional statements or documentation, the controller responded only in the last days of the set deadline and sent letters requesting an extension of the deadline and clarification of the requested circumstances, although it could have requested these earlier; this to a certain extent delayed the procedure. Also, despite repeated requests from the Personal Data Protection Agency for certain documentation (a list of system log records), the controller did not provide it.

Also, as an additional aggravating circumstance, account was taken of the fact that to date the controller has not informed the Agency that it has taken additional protection measures that would prevent the future risks of the established violations, and that it has not adjusted the privacy policy available on its website.

In conclusion, this case concerns a violation of several provisions of the General Data Protection Regulation by one of the leading companies in the field of debt collection, which should not have allowed itself to process the personal data of a large number of data subjects in a non-transparent and insecure manner. Also, the controller would probably never have noticed the exfiltration of the personal data of a large number of data subjects, at least the 77,317 taken from its system, had the Personal Data Protection Agency not received an anonymous report and carried out supervisory activities. To this day, the controller has not clarified all the circumstances of the breach, i.e. how a certain amount of personal data left its storage system, which further indicates inadequate protection measures on the part of the controller.

We also point out that this case may involve individual criminal liability, i.e. the commission of a criminal offence, which falls within the remit of the Ministry of the Interior, which conducts criminal investigations within its jurisdiction.