Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Croatia: AZOP fines B2 Kapital €2.26M for unauthorised processing of personal data
The Personal Data Protection Agency ('AZOP') announced, on 4 May 2023, that it had imposed a fine of €2,265,000 on B2 Kapital d.o.o., for violations of Articles 6(1), 13(1), 28(3), 32(1)(b), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an anonymous report.
Background to the case
In particular, the AZOP highlighted that it had received an anonymous report, in December 2022, claiming that there was ongoing unauthorised processing of large numbers of personal data by B2 Kapital. Further, the AZOP detailed that it had received a USB stick with the anonymous report, containing the personal data of persons who had outstanding debts with credit institutions, that were purchased by B2 Kapital, with personal information, including the first and last names and dates of birth of around 77,317 people.
Findings of the AZOP
Following its investigation, the AZOP found that B2 Kapital failed to inform the data subjects, namely those whose debt had been purchased, of the processing of their personal data and the relevant legal basis for processing, thereby violating Article 13(1) of the GDPR. Likewise, the AZOP outlined that B2 Kapital's non-transparent processing of personal data, citing the failure to change the company privacy policy regarding the legal basis of processing, also violated Article 6(1) of the GDPR.
Further, the AZOP stipulated that B2 Kapital, as data controller, failed to enter into a contract with a processor for the processing of personal data for bankruptcy monitoring purposes. Accordingly, the AZOP noted that the absence of a contract which establishes that the processor must meet technical and organisational protection measures resulted in a breach of Article 28(3) of the GDPR.
In addition, the AZOP noted that B2 Kapital, by failing to take appropriate technical and organisational measures, violated Articles 32(1)(b) and 32(2) of the GDPR. Notably, the AZOP held that B2 Kapital would likely have failed to notice the exfiltration of the personal data of the 77,317 persons if the AZOP had not received an anonymous report and conducted its own investigation.
Outcomes
As a result, the AZOP imposed a fine of €2,265,000 for the aforementioned violations.
You can read the press release, only available in Croatian, here and the European Data Protection Board summary here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
