AZOP (Croatia) - Decision 21-07-2022 (A1 telecommunications)

From GDPRhub
AZOP - Decision of 21 July 2022 - provider of telecommunications services A1 Hrvatska d.o.o.
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 21.07.2022
Fine: 2100000 HRK
Parties: n/a
National Case Number/Name: Decision of 21 July 2022 - provider of telecommunications services A1 Hrvatska d.o.o.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The telecommunications services provider A1 did not take appropriate technical and organizational security measures for the processing of personal data, which led to unauthorized access by attackers to the personal data of 100,000 data subjects.

English Summary

Facts

The Croatian DPA imposed an administrative fine in the amount of HRK 2.15 million (approx. €283,000) on the data controller, the telecommunications services provider A1 Hrvatska d.o.o., because it did not take appropriate technical and organizational security measures for the processing of personal data, which led to the unauthorized processing of the personal data of 100,000 data subjects, i.e. unauthorized access to personal data by attackers. The controller did not take the measures necessary to achieve a level of security appropriate to the existing, foreseeable risks, thereby acting contrary to Article 25(1) and Article 32(1)(b) and (d) and Article 32(2) GDPR.

The Croatian DPA learned about the violation from the data controller itself, through the personal data breach notification it received in accordance with Article 33(1) GDPR. The data controller also informed the users of its services about the incident.


Holding

It was determined that the data controller does implement certain organizational and technical measures when processing personal data, but in this specific case they were not sufficient. The data controller made multiple omissions in the design of the processing system, including access restriction, monitoring, reporting, timely reaction and the inclusion of appropriate corrective actions in the system, as well as in the execution of the organizational measures prescribed in its existing internal acts and, finally, in updating those measures in light of the breach in question.

The Croatian DPA also considered it an aggravating circumstance that the controller is one of the leading providers of telecommunications services in the Republic of Croatia. Given the large amount of personal data it processes, it was to be expected that the controller would apply more complex organizational and technical protection measures both before the start of and during the processing itself, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals resulting from the processing, and especially after the breach in question, which the controller did not do.


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Administrative fine of HRK 2.15 million due to failure to take appropriate technical and organizational measures

The Personal Data Protection Agency imposed an administrative fine in the amount of HRK 2.15 million on the data controller - telecommunications service provider for failing to take appropriate technical and organizational security measures for the processing of personal data, which led to the unauthorized processing of the personal data of approximately 100,000 subjects, i.e. unauthorized access to personal data by attackers. The controller did not take the necessary measures to achieve an adequate security measure in accordance with the existing foreseeable risks, thereby acting contrary to Article 25 paragraph 1 and Article 32 paragraph 1 points b) and d) and paragraph 2 of the General Data Protection Regulation.

The Agency learned about the violation in question from the data controller, through the personal data breach notification it received in accordance with Article 33, paragraph 1 of the General Data Protection Regulation. The data controller also informed the users of its services about the incident in question.

In the case in question, it was determined that the data controller implements certain organizational and technical measures when processing personal data, but in the specific case they were not sufficient. Namely, the data controller made multiple omissions when designing the processing system, including restricting access, monitoring, reporting, timely response and inclusion of appropriate corrective actions in the system, and execution of the prescribed organizational measures contained in the existing internal acts and, finally, their amendment in accordance with the findings from the breach in question. For the aforementioned violations, the General Data Protection Regulation stipulates the imposition of an administrative fine in accordance with Article 83, paragraph 4, point a), that is, an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover for the previous financial year, whichever is higher.

Likewise, the Agency finds as an aggravating circumstance the fact that the data controller is one of the leading companies providing telecommunications services in the Republic of Croatia, and it was to be expected that, due to the large volume of personal data it processes, it would apply more complex organizational and technical protection measures before the start, as well as during the processing itself, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of individuals arising from data processing, and especially after the breach in question, which the said company failed to do.

Following the established circumstances, the Agency, in accordance with its powers from Article 58, paragraph 2, point of the General Data Protection Regulation, imposed an administrative fine, all in accordance with the conditions for its imposition from Article 83 of the General Regulation and Articles 44, 45 and 46 of the Act on the Implementation of the General Regulation on Data Protection.