AZOP (Croatia) - Decision 13-09-2023

From GDPRhub

Revision as of 17:48, 22 October 2023

AZOP - Decision of 13 September 2023 - Zagrebački Holding
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 13(1)(c) GDPR
Article 13(2)(a) GDPR
Article 13(2)(e) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.09.2023
Fine: 25000 EUR
Parties: n/a
National Case Number/Name: Decision of 13 September 2023 - Zagrebački Holding
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA imposed an administrative fine of EUR 25,000 on Zagrebački holding, as controller, because it had no prescribed procedure for identifying its service users and had not implemented appropriate technical and organisational measures.

English Summary

Facts

The DPA received a data subject's complaint stating that Zagrebački holding d.o.o. requested a copy of the identity card from the service user before issuing a copy of the bill via e-mail. It was stated that for the same service, for the purpose of identification, it had previously been sufficient to submit the name, surname, address, OIB (the Croatian personal identification number), system number of the facility and system number of the payer. Following the complaint, the DPA launched a formal investigation.

Holding

DPA found multiple breaches of GDPR.

The controller does not have a prescribed procedure for the identification of a service user who requests delivery of a copy of the invoice via e-mail; that is, there is no uniform data processing practice that data subjects can expect.

The controller did not adequately inform service users about the legal basis for processing personal data and the retention period when collecting a copy of a personal identification document for the purpose of issuing a copy of the invoice via e-mail, thus acting contrary to Article 13(1)(c) and Article 13(2)(a) and (e) GDPR. Under these provisions, where personal data are collected from data subjects, the controller is obliged at the time of collection to provide them with all information about the processing of their personal data (for example, the purpose and legal basis of the processing, the period for which the personal data will be stored, etc.) in a concise, understandable and easily accessible form, using clear and plain language.

The controller did not take appropriate technical and organisational measures when processing personal data for the purpose of identifying service users who requested invoice transcripts via e-mail, thereby violating Article 25(2) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Personal Data Protection Agency imposed an administrative fine on the controller, Zagrebački holding d.o.o., in the amount of EUR 25,000.00 (HRK 188,362.50) for the following violations of the General Data Protection Regulation:

The controller did not adequately inform service users about the legal basis for processing personal data and the period of storage of personal data when collecting a copy of a personal identification document for the purpose of issuing a copy of the invoice via e-mail, thus acting contrary to Article 13(1)(c) and Article 13(2)(a) and (e) GDPR. In accordance with these provisions, where personal data are collected from data subjects, the controller is obliged at the time of collection to provide the data subjects with all information about the processing of their personal data (for example, to inform them of the purpose and legal basis for the processing, the period for which the personal data will be stored, etc.) in a concise, understandable and easily accessible form, using clear and plain language.

The controller did not take appropriate technical and organisational measures when processing personal data for the purpose of identifying service users who requested invoice transcripts via e-mail, thereby violating Article 25(2) GDPR.

The Personal Data Protection Agency had received a citizen's submission stating that Zagrebački holding d.o.o. requests a copy of the identity card from the service user before issuing a copy of the bill (fee for water treatment and utility fee) via e-mail. It was also stated that for the same service, for the purpose of identification, it had previously been sufficient to submit the name, surname, address, OIB, system number of the facility and system number of the payer.

In the proceedings it was established that the controller has no prescribed rules for identifying a service user who requests delivery of a copy of the invoice via e-mail, and that it collected copies of the user's identification document via e-mail only where it suspected fraud. Specifically, Zagrebački holding requested a copy of the personal identification document from users whose e-mail address contained a name different from the name and surname of the service user, that is, where the name and surname of the service user requesting a copy of the invoice did not match the structure of the e-mail address from which the request was sent. The mere construction of an e-mail address so that it contains a matching first and last name is not a protective measure that gives the controller sufficient assurance that the request was made by the actual user of the service. It was therefore established that the controller failed to implement appropriate technical and organisational protection measures, i.e. to organise the process of identifying service users who requested a copy of the invoice via e-mail, thereby acting contrary to Article 25(2) GDPR.

The controller should have designed its business process for identification via e-mail so that the identification procedure is the same for all service users, regardless of the structure of their e-mail address. Under the controller's procedure, service users whose e-mail address does not contain their first and last name cannot communicate remotely, or request a copy of the invoice via e-mail, without submitting a personal identification document.
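As an added illustration (not part of the decision, and not the controller's actual system), the following Python reconstructs the address-structure-dependent identification rule described above and contrasts it with a uniform procedure that treats every requester identically and collects no identity document. The names, addresses and the `uniform_delivery` design are assumptions made for the example.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    """An e-mail request for a copy of an invoice (constructed sample type)."""
    first_name: str
    last_name: str
    sender_email: str


def _fold(text: str) -> str:
    """Lower-case and strip diacritics so that 'Šimić' compares equal to 'simic'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def id_copy_required(req: Request) -> bool:
    """Hypothetical reconstruction of the practice the decision describes: a copy of
    the identity document is demanded only when the local part of the sender address
    does not contain the stated first and last name. The outcome depends on how the
    address happens to be written, not on anything that proves who sent the message,
    so it is neither a uniform procedure nor an assurance of identity."""
    local_part = _fold(req.sender_email.split("@", 1)[0])
    tokens = {t for t in re.split(r"[^a-z]+", local_part) if t}
    return not {_fold(req.first_name), _fold(req.last_name)} <= tokens


def uniform_delivery(req: Request, registered_contact: Optional[str]) -> str:
    """Illustrative uniform alternative (an assumption, not the DPA's prescription):
    every requester follows the same path, the sender address is never parsed, and no
    identity document is collected. The copy is released only to the contact address
    already held on the account; without one, the requester is pointed to a channel
    where a contact address can be registered first."""
    if registered_contact is None:
        return "no registered contact: register one before remote delivery"
    return f"deliver to registered contact {registered_contact}"


def compare_same_person(addresses: List[str], first: str, last: str) -> List[bool]:
    """Run the structure-dependent check for one person over several of their addresses;
    differing results for the same person show the procedure is not uniform."""
    return [id_copy_required(Request(first, last, addr)) for addr in addresses]
```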

This method of identification also resulted in insecure processing in the form of collecting copies of personal identification documents, while data subjects who were asked to submit identification documents without being given all the relevant information experienced a loss of control over their personal data.

The controller also failed to inform service users transparently about the legal basis for collecting personal data (copies of identity cards) for identification purposes. This information was not available to data subjects either in the documents on the processing of personal data published on the controller's official website or after data subjects directly requested information about the processing via e-mail, which is contrary to Article 13(1)(c) and Article 13(2)(a) and (e) GDPR.