AZOP (Croatia) - Decision 04-05-2023

From GDPRhub
AZOP - Decision 04-05-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 13(1) GDPR, Article 28(3) GDPR, Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 15.12.2022
Decided: 04.05.2023
Published: 04.05.2023
Fine: 2,265,000 EUR
Parties: n/a
National Case Number/Name: Decision 04-05-2023
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

Following an anonymous complaint against a debt collection agency, the Croatian DPA issued a €2,265,000 fine for a lack of security measures, the lack of a processing agreement with a processor, and a violation of the controller's information obligation.

English Summary

Facts

In December 2022, the Croatian DPA received an anonymous complaint stating that a debt collection agency processed a large amount of personal data of natural persons (debtors) without authorization. The DPA also received a USB stick containing a database of debtors' personal data (first and last name, date of birth and personal identification number) for a total of 77,317 natural persons who had outstanding debts to credit institutions, which had been purchased by the debt collection agency.

Following this complaint, the DPA launched an investigation and supervisory procedure.

Holding

Following the investigation, the key findings are:

(1) The controller did not clearly and accurately inform the data subjects about the processing and regarding the legal basis as required by Article 13(1) GDPR. This resulted in the non-transparent processing of the data subjects' personal data of which there were (at least) 132,652 at the time of the monitoring. The controller did not take measures to comply with its transparency obligation.

(2) Contrary to Article 28(3) GDPR, the controller did not have a processing agreement with the processor for processing which concerned 83,896 data subjects. According to the DPA, the absence of such an agreement implied a lack of security, since no rules were established regarding the technical and organizational measures to be applied.

(3) The controller did not take appropriate technical and organizational measures when processing personal data, as required by Article 32(1)(b) and (d) GDPR. This implied a risk for the security of the personal data of all data subjects concerned (at least 132,652). The DPA recalled that these data were of a financial nature and thus quite sensitive. The DPA determined that the violation had been ongoing since at least 2019 and had not yet been remedied.

The DPA issued a fine of €2,265,000 for these three violations.

Comment

The data controller stated that it does not agree with the decision, emphasizing that it is not responsible for a data breach and that it will initiate proceedings before the competent administrative court. In the meantime, it states that it has further strengthened the already high level of protection applied when processing personal data, and that it continues to process personal data exclusively in accordance with the law and with the greatest possible care.

This case is related to the following one: https://azop.hr/u-tijeku-nadzorno-postupanje-nad-agencijom-za-naplatu-potrazivanja-obavijest-za-gradane/ / https://dnevnik.hr/vijesti/hrvatska/veliko-curenje-osobnih-podataka-netko-moze-u-vase-ime-sklopiti-ugovor-s-teleoepraterom-a-vi-cete-se-s-tim-godinama-natezati---773512.html

In May 2023, the Croatian DPA received another USB stick containing a database of personal data of debtors of another data collection agency. In Croatia, these cases are therefore considered to be connected, because the two data breaches are practically identical. A DPA report and/or fine for the second case has not yet been issued.

The circumstances of both data breaches are very suspicious: it is unclear who left the USB stick, who may be in possession of the data of both agencies, whether the same data subjects are affected, and whether a forensic investigation should take place.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed an administrative fine on the controller, the debt collection agency B2 Kapital d.o.o., in the amount of EUR 2,265,000.00 (HRK 17,065,642.50) due to the following violations of the General Data Protection Regulation:

1. The data controller did not clearly and accurately inform its data subjects about the processing of their personal data in its notification on the processing of personal data (privacy policy), nor about the legal basis for the return of overpaid funds, which is contrary to Article 13, paragraph 1 of the General Data Protection Regulation. This resulted in the non-transparent processing of the data subjects' personal data (that is, incorrect information regarding the legal basis of processing under Article 6, paragraph 1 of the General Data Protection Regulation), of whom there were (at least) 132,652 at the time of the supervision. The privacy policy has remained unchanged and the violation has not yet been remedied, i.e. it has lasted from May 25, 2018 until today.

2. Contrary to Article 28, paragraph 3 of the General Data Protection Regulation, the data controller did not enter into a contract on the processing of personal data with the processor providing the simple consumer bankruptcy monitoring service, and thus the security of the personal data of 83,896 data subjects (OIB) was threatened. Concluding a contract with the processor is one of the security levers that ensures that the rules for the processing of personal data and their flow in the business relationship between the controller and the processor are clearly agreed upon, and that the controller ensures that the processor applies technical and organizational protection measures when processing the personal data of a large number of data subjects. It was established that this violation lasted from the acceptance of the offer to provide the simple consumer bankruptcy monitoring service, that is, from February 14, 2019, until February 26, 2021, when the business cooperation was terminated.

3. The controller did not take appropriate technical and organizational protection measures when processing personal data, which is contrary to Article 32, paragraph 1, points b) and d) and paragraph 2 of the General Data Protection Regulation. By not taking appropriate measures, the controller caused a breach of the security of the personal data of all data subjects (at least 132,652 at the time of the supervision), i.e. their basic identification data (at least in the structure: first and last name, date of birth and OIB) and, consequently, all personal data entered into the storage systems of the debt collection agency, which are of a financial nature and thus quite sensitive. It was determined that the violation has been ongoing since at least 2019 and has not yet been remedied, all due to the failure to take appropriate protective measures.

Namely, in December 2022 the Agency for the Protection of Personal Data received an anonymous petition stating that the debt collection agency was carrying out unauthorized processing of a large number of personal data of natural persons (debtors). A USB stick was attached containing personal data, in the structure of first and last name, date of birth and OIB, for a total of 77,317 natural persons who had outstanding debts to credit institutions and whose debts had been purchased by the debt collection agency under a cession agreement.

Acting ex officio, the Agency initiated a supervisory procedure in December 2022 and conducted a procedure in which the three violations described above were established, resulting from negligent conduct by the controller (the debt collection agency). The controller bears the greatest degree of responsibility for failing to take technical protection measures, since it was precisely the deficiencies in its security system that led to the insecure processing of a large number of personal data. The debt collection agency lost complete control over the movement of its data subjects' personal data and could not explain the causes of the unauthorized exfiltration (extraction) of that personal data.

As an aggravating circumstance in the administrative procedure, certain deficiencies in cooperation were also established. Namely, to several letters sent by the Agency requesting additional statements or documentation, the controller responded only in the last days of the set deadline, sending letters requesting an extension of the deadline and clarification of the requested circumstances, although it could have requested these earlier; this delayed the procedure to a certain extent. Furthermore, despite repeated requests from the Personal Data Protection Agency for certain documentation (a list of system records), the controller did not provide it.

As an additional aggravating circumstance, account was taken of the fact that the data controller has to date not informed the Agency that it has taken additional protection measures to prevent future risks of the established violations, and that it has to date not adjusted the privacy policy available on its website.

In conclusion, we state that this particular case concerns a violation of several provisions of the General Data Protection Regulation by one of the leading companies in the field of debt collection, which should not have allowed itself to process the personal data of a large number of data subjects in a non-transparent and insecure manner. Moreover, the data controller would probably never have noticed the exfiltration of the personal data of a large number of data subjects, at least 77,317 of them, from its system if the Agency for the Protection of Personal Data had not received an anonymous report and carried out supervisory activities. To this day, the data controller has not clarified all the circumstances of the breach, i.e. the release of a certain amount of personal data outside its storage system, which further indicates inadequate protection measures on the part of the data controller.

We also point out that this particular case may involve individual criminal liability, that is, the commission of a criminal offense, which falls within the responsibility of the Ministry of the Interior, which conducts criminal investigations within its jurisdiction.