AZOP (Croatia) - Decision 08-03-2022 (supermarket chain)

From GDPRhub
Revision as of 08:10, 9 March 2022 by Gr
AZOP (Croatia) - Decision of 8 March 2022 - Unknown supermarket chain
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 08.03.2022
Fine: 675000 HRK
Parties: n/a
National Case Number/Name: AZOP (Croatia) - Decision of 8 March 2022 - Unknown supermarket chain
European Case Law Identifier: CRO
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA (AZOP) imposed a fine of HRK 675,000 (approx. €89,000) on a controller for failing to implement appropriate security measures for the processing of personal data, in violation of Article 32(1)(b), Article 32(1)(d), Article 32(2) and Article 32(4) GDPR.

English Summary

Facts

The controller operates a supermarket chain. The Croatian DPA received a personal data breach notification from the controller stating that its employees, without authorisation and contrary to the controller's internal acts and instructions, had recorded video surveillance footage with a mobile phone and distributed it to the public through social networks and the media. The recording remained publicly available.

Holding

The DPA found that the controller had not taken adequate measures to prevent its employees from filming the video surveillance monitor with a mobile phone.

The DPA acknowledged that the controller had taken certain organisational measures, such as training employees and adopting internal acts that governed who was authorised to access the video surveillance system. The controller had also required employees to sign a confidentiality statement. According to the DPA, however, this was not enough: the controller did not regularly monitor the implementation of its technical and organisational measures, nor did it regularly test, evaluate and assess their effectiveness, as Article 32(1)(d) GDPR requires. The DPA therefore concluded that the controller had failed to implement appropriate technical and organisational security measures, both before and after the incident.

Hence, the DPA imposed a fine of HRK 675,000 (approx. €89,000). Although the DPA stated that the fine was effective, proportionate and dissuasive, it did not explain why this was the case.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Administrative fine for failure to take appropriate security measures for the processing of personal data

The Personal Data Protection Agency imposed an administrative fine of HRK 675,000.00 on a retail chain (hereinafter: the Company), as controller, for failing to take appropriate security measures for the processing of personal data, contrary to Article 32(1)(b) and (d) and Article 32(2) and (4) of the General Data Protection Regulation, which led to the unauthorised processing of data subjects' personal data through their public publication on social networks and in the media.

The Personal Data Protection Agency received from the Company a personal data breach notification stating that employees of the Company, without authorisation and contrary to the Company's internal acts and instructions, had recorded video surveillance footage and distributed it to the public via social networks and the media, where it remains available.

It was established that the Company had not taken adequate measures to prevent its employee from recording the image on the video surveillance monitor with a mobile device. The Company had taken certain organisational protection measures, such as employee training, the adoption of internal acts prescribing who is authorised to access the recordings, and the signing of confidentiality statements by employees, but it did not take appropriate organisational and technical security measures, either before or after the incident, that could have reduced the risk of the same or a similar breach to a minimum.

Furthermore, the controller did not regularly monitor the implementation of the technical and organisational measures intended to ensure the confidentiality, integrity and availability of personal data, nor did it regularly test, evaluate and assess the effectiveness of the technical and organisational measures for ensuring the security of the video surveillance system.

In this case, the controller breached its obligations by failing to implement appropriate technical and organisational security measures for the processing of personal data. For such an infringement, Article 83(4)(a) of the General Data Protection Regulation provides for administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.