AZOP (Croatia) - Decision 05-07-2021

From GDPRhub
Revision as of 10:41, 5 July 2021 by InfoHouse (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Croatia |DPA-BG-Color= |DPAlogo=LogoHR.png |DPA_Abbrevation=AZOP (Croatia) |DPA_With_Country=AZOP (Croatia) |Case_Number_Name=Administrative f...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AZOP (Croatia) - Administrative fines, July 5th 2021
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 05.07.2021
Fine: None
Parties: n/a
National Case Number/Name: Administrative fines, July 5th 2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Info hiša

The AZOP considers that the corrective measure in the form of an administrative fine is effective, proportionate and dissuasive and fully appropriate to the circumstances of both fines.

English Summary

Facts

The AZOP (Croatian Personal Data Protection Agency) imposed two new administrative fines for violating the provisions of the General Regulation on Data Protection and the Act on the Implementation of the General Regulation on Data Protection.

Dispute

Holding

The first administrative fine is related to failure to take appropriate technical measures, where the company provisioning the IT services as a processor failed to properly secure the personal data. As found by AZOP, the processor did not take the necessary measures to achieve an adequate level of security in accordance with the existing and foreseeable risks and acted contrary to Article 32 (1) (b) and (d) and paragraph 2 of the GDPR, which lead to unauthorised processing of 28,085 data subjects.

The second administrative fine has been issued for not marking the object under video surveillance. The AZOP concluded direct ex-officio supervision over the processing and enforcement of personal data protection, collection and processing of personal data made by the video surveillance system. In this case AZOP determined that the insurance company based in Zagreb did not indicate that the business facility (in which technical inspections and vehicle registration are carried out and insurance services are contracted) and the external surface of the business facility are under video surveillance. Thus, the controller, i.e. the insurance company, acted in-contrary to Article 27, paragraph 1 of the Act on the Implementation of the General Regulation on Data Protection.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.