AZOP (Croatia) - Decision 05-10-2023

AZOP - Decision 5-10-2023

Authority:	AZOP (Croatia)
Jurisdiction:	Croatia
Relevant Law:	Article 5 GDPR Article 6 GDPR Article 9 GDPR Article 12 GDPR Article 13 GDPR Article 32 GDPR
Type:	Investigation
Outcome:	Violation Found
Started:	22.03.2023
Decided:	05.10.2023
Published:	05.10.2023
Fine:	5470000 EUR
Parties:	EOS Matrix d.o.o.
National Case Number/Name:	Decision 5-10-2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Croatian
Original Source:	AZOP (in HR)
Initial Contributor:	Karlo P

The Croatian DPA imposed an administrative fine in the amount of EUR 5,470,000.00 on EOS Matrix as a data controller due to the multiple violations of the GDPR.

English Summary

Facts

The DPA received an anonymous petition stating that EOS Matrix had unauthorized processing of a large number of personal data (of debtors). A USB stick containing 181,641 personal data of natural persons in the structure of first and last name, date of birth and OIB, who had outstanding debts to initial creditors that were purchased by EOS Matrix based on the cession agreement. Likewise, in the petition, it was stated that the database also includes 294 natural persons who were minors at the time.

Holding

DPA has concluded: 1. The controller did not take appropriate technical measures to protect the processing of the personal data contained in the storage systems, which is contrary to Article 32 paragraph 1 point b) and paragraph 2 of the GDPR; 2. The controller processed the personal data of respondents who are not in a debtor-creditor relationship in their database without the existence of a legal basis from Article 6, paragraph 1 of the GDPR; 3. The controller processed special category (health data) in its database without the existence of a legal basis from Article 6, paragraph 1, and in connection with this, Article 9, paragraph 2 of the GDPR; 4. The data controller did not inform the data subjects in a transparent and prescribed manner about the processing of their health data in the privacy policies, which is contrary to Article 12 paragraph 1 of the GDPR and, in this regard, to Article 13 paragraphs 1 and 2; 5. For the recording of telephone conversations with data subjects in the period from May 25, 2018 to January 16, 2019, the data controller did not have an established legal basis from Article 6, paragraph 1 of the GDPR, and in this connection there was also a violation of Article 5, paragraph 2; 6. The controller did not inform the data subjects in an understandable and clear way about the processing of personal data in the form of recording telephone conversations, and thus acted contrary to Article 12, paragraph 1 of the GDPR.

Regarding the point 1 it was determined that the data controller did not implement sufficient TOM that could timely recognize in the processing system (the main database in which personal data of about 370,000 data subjects are processed) activities that deviate from the usual ones (e.g. increased number of retrievals data in the database, transfer of data outside the system, compromise of user access, etc.). Precisely because of deficiencies in the security system, the insecure processing of personal data on a large scale number of respondents, and the company lost control over the movement of data and could not explain the causes or methods of data exfiltration.

It was established that EOS Matrix also processed data of data subjects who are not debtors nor legal representative (most often telephone number and first and last name and residential address).

Regarding the processing of health data, it was established that EOS Matrix, after communication with respondents, actively recorded comments related to the debtor's state of health in the internal database. Particularly worrying is the situation where the health condition of the subjects was monitored down to the details of individual diagnoses, which included terminal illnesses, and which almost exposes privacy to the maximum level to persons who are authorized to access the application (database) used by EOS Matrix employees. The arguments of EOS Matrix was that data subject had provided such information. DPA stressed that this does not mean that the same can be actively entered into the database. As a result of the above, it cannot be considered that there is an exception for the processing of health data from Article 9, paragraph 2, point e) of the GDPR. Furthermore, the reference to the legal basis regarding the execution of the contract, as well as the legitimate interest (which was referred to by the company in question) cannot be a legal basis either, since the processing of health data is not necessary to achieve the intended purpose. If the goal is better collection towards the debtor and avoidance of communication due to the health condition, then the same purpose could be achieved by recording a general comment about the need to avoid contact for a certain period of time due to the personal condition of the debtor, without highlighting precise health data.

Also, and related to the processing of health data, it was determined that EOS Matrix defined that it does not and will not process health data. This method resulted in non-transparent processing of data.

Also, in the period from May 25, 2018 to January 16, 2019, the data of 49,850 data subjects were processed, i.e. telephone conversations were recorded without determining the legal basis. The test of legitimate interest was conducted on January 16, 2019.

Furthermore, regarding the recording of telephone conversations, it was established that EOS Matrix since 2014 has been using the functionality of recording telephone conversations with debtors, but indicating that the conversation "may" be recorded.

It has not been determined how exactly 181,641 personal data were exfiltrated, and considering that in this specific case it is a question of the possible commission of the criminal offense of unauthorized use of personal data and criminal offenses against computer systems, programs and data, and also under the jurisdiction of the Ministry of the Interior. The DPA actively cooperates with the Zagreb Police Department and the Zagreb Municipal State Attorney's Office, which conduct investigative activities.

As a result of the above, it was undoubtedly established that the personal data submitted to the DPA via USB stick were excluded from the database of EOS Matrix!

Comment

This is a big case and there are multiple reasons for this: The biggest fine in Croatia imposed by the DPA. Also, the data base which were purchased cannot be used any more by the data controller. The controller has to implement new and better technical and organizational measures, and if the main application has such deficiencies, that improvement is expensive. Also, there is reputational damage to controller (and its reputation is not so good). And the question is, how many debt collectors and other subjects hold database with health data.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

DPA has concluded: 
1. The controller did not take appropriate technical measures to protect the processing of the personal data contained in the storage systems, which is contrary to Article 32 paragraph 1 point b) and paragraph 2 of the GDPR;
2. The controller processed the personal data of respondents who are not in a debtor-creditor relationship in their database without the existence of a legal basis from Article 6, paragraph 1 of the GDPR;
3. The controller processed special category (health data) in its database without the existence of a legal basis from Article 6, paragraph 1, and in connection with this, Article 9, paragraph 2 of the GDPR;
4. The data controller did not inform the data subjects in a transparent and prescribed manner about the processing of their health data in the privacy policies, which is contrary to Article 12 paragraph 1 of the GDPR and, in this regard, to Article 13 paragraphs 1 and 2;
5. For the recording of telephone conversations with data subjects in the period from May 25, 2018 to January 16, 2019, the data controller did not have an established legal basis from Article 6, paragraph 1 of the GDPR, and in this connection there was also a violation of Article 5, paragraph 2;
6. The controller did not inform the data subjects in an understandable and clear way about the processing of personal data in the form of recording telephone conversations, and thus acted contrary to Article 12, paragraph 1 of the GDPR.

Regarding the point 1 it was determined that the data controller did not implement sufficient TOM that could timely recognize in the processing system (the main database in which personal data of about 370,000 data subjects are processed) activities that deviate from the usual ones (e.g. increased number of retrievals data in the database, transfer of data outside the system, compromise of user access, etc.). Precisely because of deficiencies in the security system, the insecure processing of personal data on a large scale number of respondents, and the company lost control over the movement of data and could not explain the causes or methods of data exfiltration.

It was established that EOS Matrix also processed data of data subjects who are not debtors nor legal representative (most often telephone number and first and last name and residential address).

Regarding the processing of health data, it was established that EOS Matrix, after communication with respondents, actively recorded comments related to the debtor's state of health in the internal database. Particularly worrying is the situation where the health condition of the subjects was monitored down to the details of individual diagnoses, which included terminal illnesses, and which almost exposes privacy to the maximum level to persons who are authorized to access the application (database) used by EOS Matrix employees. The arguments of EOS Matrix was that data subject had provided such information. DPA stressed that this does not mean that the same can be actively entered into the database. As a result of the above, it cannot be considered that there is an exception for the processing of health data from Article 9, paragraph 2, point e) of the GDPR. Furthermore, the reference to the legal basis regarding the execution of the contract, as well as the legitimate interest (which was referred to by the company in question) cannot be a legal basis either, since the processing of health data is not necessary to achieve the intended purpose. If the goal is better collection towards the debtor and avoidance of communication due to the health condition, then the same purpose could be achieved by recording a general comment about the need to avoid contact for a certain period of time due to the personal condition of the debtor, without highlighting precise health data.

Also, and related to the processing of health data, it was determined that EOS Matrix defined that it does not and will not process health data. This method resulted in non-transparent processing of data.

Also, in the period from May 25, 2018 to January 16, 2019, the data of 49,850 data subjects were processed, i.e. telephone conversations were recorded without determining the legal basis. The test of legitimate interest was conducted on January 16, 2019. 

Furthermore, regarding the recording of telephone conversations, it was established that EOS Matrix since 2014 has been using the functionality of recording telephone conversations with debtors, but indicating that the conversation "may" be recorded. 

It has not been determined how exactly 181,641 personal data were exfiltrated, and considering that in this specific case it is a question of the possible commission of the criminal offense of unauthorized use of personal data and criminal offenses against computer systems, programs and data, and also under the jurisdiction of the Ministry of the Interior. The DPA actively cooperates with the Zagreb Police Department and the Zagreb Municipal State Attorney's Office, which conduct investigative activities.

As a result of the above, it was undoubtedly established that the personal data submitted to the DPA via USB stick were excluded from the database of EOS Matrix!