AZOP (Croatia) - Decision 13-09-2023

From GDPRhub
Revision as of 15:22, 30 October 2023 by Lwr (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AZOP - Decision 13-09-2023
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 13(1)(c) GDPR
Article 13(2)(a) GDPR
Article 13(2)(e) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.09.2023
Fine: 25000 EUR
Parties: n/a
National Case Number/Name: Decision 13-09-2023
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA imposed an administrative fine of €25,000 on Zagrebački Holding D.O.O., a public service company of the city of Zagreb, for violations of Article 13 GDPR and Article 25(2) GDPR.

English Summary

Facts

Zagrebački holding d.o.o., the controller, is a public company, 100% owned by the city of Zagreb, which offers public services in the capital city including municipal services, water supply and drainage, gas distribution and market services.

A data subject who makes use of some of these services, was requested by the controller to provide a copy of his identity card in order to receive a copy of a bill via e-mail. The data subject stated that for the same service, for the purpose of identification, it was previously sufficient to submit one's name, surname, address, identification number, system number of the facility and system number of the payer. The data subject deemed this new identification procedure to be unlawful and filed a complaint with the AZOP.

Upon receiving such complaint, the AZOP launched a formal investigation into the processing activities of the controller.

Holding

During the investigations, the AZOP found multiple breaches of GDPR.

First of all, the AZOP held that the controller does not have prescribed rules of procedure for the identification of its users who requests the delivery of a copy of the invoice via e-mail. As a matter of fact, the AZOP found that the controller would only ask users who do not have their first and last name in their e-mail address, to provide a copy of their document for identification. In this respect, the AZOP held that there is no uniform data processing practice that data subjetcs can expect and it ruled that relying on user's name and surname in the e-mail address cannot be said to constitute a sufficient guarantee that the request actually came from that user. As a consequence the AZOP held that the controller failed to take appropriate technical and organizational measures when processing personal data for the purpose of identification, thereby violating the provisions of Article 25(2) GDPR.

Furthermore, the AZOP found that the controller did not adequately inform its users about the legal basis for processing and the period of storage of personal data when collecting a copy of their identification documents. In this way, the controller violated the provisions of Article 13(1)(c) GDPR, Article 13(2)(a) GDPR and Article 13(2)(e) GDPR, according to which a controller is obliged, at the time of collection, to provide data subjects with information about the purpose and legal basis for processing and the period for which personal data will be stored, in a concise, understandable and easily accessible form, using clear and simple language.

For these reasons, the AZOP imposed a fine of € 25,000 on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Personal Data Protection Agency imposed an administrative fine on the data controller, Zagrebačka holding d.o.o. in the amount of EUR 25,000.00 (HRK 188,362.50) due to the following violations of the General Data Protection Regulation:

The data controller did not adequately inform service users about the legal basis for processing personal data and the period of storage of personal data when collecting a copy of a personal identification document due to the issuance of a copy of the invoice via e-mail, thus acting contrary to the provisions of Art. 13. paragraph 1. (c) and Art. 13. paragraph 2. (a), (e) of the General Regulation on data protection. In accordance with the aforementioned provisions, and if personal data is collected from respondents, the data controller is obliged at the time of collection to provide respondents with all information about the processing of their personal data (for example, inform them of the purpose and legal basis for the processing of personal data, the period in which the personal data will be stored, etc.) in a concise, understandable and easily accessible form, using clear and simple language
The controller did not take appropriate technical and organizational measures when processing personal data for the purpose of identifying service users due to the issuance of invoice transcripts via e-mail, thereby violating the provisions of Art. 25, paragraph 2 of the General Data Protection Regulation.
Namely, the Personal Data Protection Agency received a citizen's submission stating that Zagrebački holding d.o.o. requests a copy of the identity card from the service user before issuing a copy of the bill (fee for water treatment and utility fee) via e-mail. Also, it was stated that for the same service, for the purpose of identification, it was previously sufficient to submit the name, surname, address, OIB, system number of the facility and system number of the payer.

In the process, it was determined that the data controller does not have prescribed rules for the identification of the service user who requests the delivery of a copy of the invoice via e-mail, and that he collected copies of the user's identification document via e-mail only in case of suspected fraud. Namely, Zagrebački holding requested a copy of the personal identification document from users who use an e-mail address that has a different name in its structure from the name and surname of the service user, that is, if the name and surname of the service user who requested a copy via e-mail of the account did not match the structure of the e-mail address from which they requested a copy of the account. The very construction of the name of the e-mail address, which contains the appropriate first and last name, is not a protective measure that would provide the data controller with a sufficient guarantee that the request was made by the actual user of the service. As a result of the above, it was determined that the processing manager failed to implement appropriate technical and organizational protection measures, i.e. to organize the processing process for the purpose of identifying service users who requested a copy of the invoice via e-mail, thereby acting contrary to Art. 25, paragraph 2 of the General Data Protection Regulation.

The controller should have worked out the business processes of identification via electronic mail in a way that would ensure that the process of identifying service users is the same for all users, regardless of the structure of the e-mail. With the aforementioned procedure, it is impossible for service users, who do not have a first and last name in the structure of their e-mail address, to communicate remotely without submitting a personal identification document, or to request a copy of the invoice via e-mail.

Also, this method of identification resulted in insecure processing in the form of collection of copies of personal identification documents, while respondents who were asked to submit identification documents without providing all relevant information also felt a sense of loss of control over their personal data.

The controller also failed to transparently inform service users about the legal basis for collecting personal data (copies of identity cards) for identification purposes. Subject information was not available to respondents either through the published documents related to the processing of personal data on the official website of the data controller, nor after the respondents directly requested information about processing via e-mail, which is contrary to the provisions of Art. 13. paragraph 1. (c) and Art. 13. paragraph 2. (a), (e) of the General Regulation on data protection.