AZOP (Croatia) - Fine against unnamed Telco provider

From GDPRhub
AZOP (Croatia) - Administrative fines, July 5th 2021
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided:
Published: 05.07.2021
Fine: None
Parties: n/a
National Case Number/Name: Administrative fines, July 5th 2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Info hiša

The Croatian DPA fined an IT company for failing to take appropriate security measures for the processing of personal data. The inadequate level of technical security resulted in a security breach on data controller's IT system, whereby hackers were able to process the personal data of 28,085 data subjects.

English Summary[edit | edit source]

Facts[edit | edit source]

An IT company in Zagreb provides IT services to mobile operators, banks and government institutions in the Republic of Croatia, but also to companies abroad (USA, UK, Netherlands, etc.). Its main service is providing opinions, guidelines, and proposed solutions to data processing managers on the implementation of web applications. Data controller, telecommunications company in Zagreb informed the DPA, as well as the user of its services, that there had been a potential breach of personal data. In fact, hackers obtained the personal data of 28,085 data subjects.

Holding[edit | edit source]

Following an investigation, the Croatian DPA (AZOP) held that data processor, an IT company, did not take necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks, and that its records of data processing activities further violated Article 32(1)(b) and (d) GDPR. Accordingly, the DPA, in accordance with its powers under Article 58 (2) GDPR, imposed an administrative fine that it considered effective, proportionate, dissuasive and fully appropriate to the circumstances.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

New administrative fines issued, 5.7.2021.
The Personal Data Protection Agency imposed two new administrative fines for violating the provisions of the General Data Protection Regulation and the Law on the Implementation of the General Data Protection Regulation.

Administrative fine for failure to take appropriate technical measures

Due to the failure to take appropriate technical security measures for the processing of personal data by the company for the provision of IT services from Zagreb (hereinafter: the company), as the executor of processing, there was a security breach that led to unauthorized processing of personal data of 28,085 respondents. unauthorized access to personal data by hackers. The processor did not take the necessary measures to achieve an adequate level of security in accordance with the existing and foreseeable risks and acted contrary to Article 32 (1) (b) and (d) and paragraph 2 of the General Data Protection Regulation.

The incident was reported to AZOP by the head of processing, the telecommunications company from Zagreb, who also informed the users of its services in writing about the potential breach of personal data.

The processor during the processing of personal data is obliged to take appropriate technical security measures in such a way as to ensure lasting confidentiality of the system, as well as the process of regular testing, evaluation and evaluation of the effectiveness of technical and organizational measures to ensure security of processing. consider the risks of unauthorized disclosure of personal data. Given that the company, according to publicly available information, provides IT services to other mobile operators, banks and government institutions in the Republic of Croatia, but also to companies abroad (USA, UK, Netherlands, etc.), it should be a relevant entity in providing opinions, guidelines, propose solutions to processing managers on the implementation of web applications,

Accordingly, in accordance with its powers under Article 58 (2) and the General Data Protection Regulation, the Agency imposed an administrative fine, all in accordance with the conditions for its imposition under Article 83 of the General Regulation and Articles 44, 45 and 46 of the Law on the Implementation of the General Regulation on Data Protection.