AZOP (Croatia) - Decision 22-02-2021

From GDPRhub
AZOP - Decision 22-02-2021
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Complaint
Outcome: Upheld
Decided: 22.02.2021
Fine: 0
Parties: Security company (name N/A at the moment)
National Case Number/Name: Decision 22-02-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: (in HR)
Initial Contributor: Lejla Rizvanovik

The Croatian DPA (AZOP) found that the leading security company in Croatia, acting as a data processor, enabled the data breach by not maintaining adequate and sufficient technical and organizational measures for personal data security for more than two and a half years.

English Summary


A data controller, who used the services of the security company, reported the breach of personal data to the DPA, arising after an employee of the company recorded the video surveillance footage with a smartphone and shared it with third parties. In consequence a recording was revealed ridicule in the public and the security company avoid doing anything to remove it from social networks and media. Furthermore, the processor has not prognosticated or implemented adequate technical security measures following the incident to prevent or minimize the risks.



Insufficient technical and organisational measures were set to ensure data security, but the fact is that the basic activity of the company is the provision of physical and technical protection, which includes the use of video surveillance.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.