AZOP (Croatia) - Decision of 21 July 2022 - provider of telecommunications services A1 Hrvatska d.o.o.
|Relevant Law:||Article 25(1) GDPR; Article 32(1)(b) GDPR; Article 32(1)(d) GDPR|
|National Case Number/Name:||Decision of 21 July 2022 - provider of telecommunications services A1 Hrvatska d.o.o.|
|European Case Law Identifier:||n/a|
|Original Source:||AZOP (in HR)|
|Initial Contributor:||Presido Croatia|
The Croatian DPA fined a provider of telecommunications services approximately €283,000 for not taking appropriate technical and organisational security measures which exposed personal data of 100,000 data subjects to attackers.
English Summary
Facts
A1 Hrvatska d.o.o., a provider of telecommunications services (the controller), processed personal data of approximately 100,000 data subjects. These data were accessed by attackers. After the controller was made aware of the data breach, it notified both the DPA and the affected data subjects.
Holding
The Croatian DPA fined the controller HRK 2.15 million (approximately €283,000). It held that the controller violated Articles 25(1), 32(1)(b), 32(1)(d) and 32(2) GDPR by not taking appropriate technical and organizational security measures to ensure a level of security appropriate to the risk in its processing of personal data. This led to the unauthorized access to personal data of 100,000 data subjects by attackers.
The DPA recognized that the controller implemented certain organizational and technical measures when processing personal data, but held that they were not sufficient. Namely, the controller made multiple omissions in the design of the processing system. These omissions related to access restriction, monitoring, reporting, timely reaction, inclusion of appropriate corrective actions in the system, and compliance with the organizational measures contained in the existing internal acts.
The Croatian DPA considered it an aggravating circumstance that the controller was one of the leading providers of telecommunications services in Croatia. Given the large volume of personal data it processed, the controller should have implemented stricter organisational and technical protection measures both before and during the processing itself. In doing so, it should have taken into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, especially after the breach in question.
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
Administrative fine of HRK 2.15 million due to failure to take appropriate technical and organizational measures

The Personal Data Protection Agency imposed an administrative fine in the amount of HRK 2.15 million on the data controller, a telecommunications service provider, for failing to take appropriate technical and organizational security measures for the processing of personal data, which led to the unauthorized processing of the personal data of approximately 100,000 data subjects, i.e. unauthorized access to personal data by attackers. The controller did not take the measures necessary to achieve a level of security appropriate to the existing, foreseeable risks, thereby acting contrary to Article 25 paragraph 1 and Article 32 paragraph 1 points b) and d) and paragraph 2 of the General Data Protection Regulation.

The Agency learned of the violation in question from the data controller through the Report on a personal data breach it received in accordance with Article 33, paragraph 1 of the General Data Protection Regulation. The data controller also informed the users of its services about the incident in question.

In the case in question, it was established that the data controller implements certain organizational and technical measures when processing personal data, but in this specific case they were not sufficient. Namely, the controller made multiple omissions when designing the processing system, including with regard to restricting access, monitoring, reporting, timely response and the inclusion of appropriate corrective actions in the system, as well as the execution of the prescribed organizational measures contained in the existing internal acts and, finally, their amendment in accordance with the provisions in the relevant hurt.
For the aforementioned violations, the General Data Protection Regulation provides for the imposition of an administrative fine in accordance with Article 83, paragraph 4, point a), that is, an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover for the preceding financial year, whichever is higher.

Likewise, the Agency finds it an aggravating circumstance that the data controller is one of the leading companies providing telecommunications services in the Republic of Croatia, and that it was to be expected that, due to the large volume of personal data it processes, it would apply more comprehensive organizational and technical protection measures before the start of, as well as during, the processing itself, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of individuals arising from the data processing, and especially after the breach in question, which the company failed to do.

Based on the established circumstances, the Agency, in accordance with its powers under Article 58, paragraph 2, point of the General Data Protection Regulation, imposed an administrative fine, in accordance with the conditions for its imposition under Article 83 of the General Regulation and Articles 44, 45 and 46 of the Act on the Implementation of the General Data Protection Regulation.