The Croatian Personal Data Protection Agency (AZOP) imposed a €2.26 million GDPR fine on the debt collection agency B2 Kapital. AZOP launched an investigation after receiving an anonymous complaint stating that a debt collection agency had carried out unauthorized processing of a large volume of personal data.
A USB stick was attached to the complaint, containing personal data such as first and last name, date of birth, and personal identification number (OIB) for a total of 77,317 individuals.
AZOP’s investigation
AZOP initiated a supervisory procedure in December 2022 and conducted an investigation that revealed three violations of the General Data Protection Regulation due to the negligent conduct of the debt collection agency.
1. Failure to inform data subjects about data processing activities
As a data controller, B2 Kapital failed to inform individuals in a clear and accurate manner, through its privacy policy, about the details of the processing of their personal data, particularly regarding the legal basis for refunds, which is contrary to the provisions of Article 13(1) GDPR.
This resulted in the non-transparent processing of the personal data of at least 132,652 individuals at the time of the inspection. AZOP also noted that, at the time of the inspection, the company had not updated its privacy policy since 25 May 2018.
2. Lack of a data processing agreement with a processor
B2 Kapital did not have a data processing agreement in place with the data processor engaged to monitor simple consumer bankruptcies, compromising the security of the personal data (personal identification numbers) of 83,896 individuals.
3. Failure to implement appropriate technical and organizational measures
The lack of data processing agreements with data processors meant that the company had not implemented appropriate technical and organizational measures to ensure that the rules for processing personal data were clearly agreed upon and that security measures were put in place.
AZOP concluded that B2 Kapital had completely lost control over the sharing of personal data and could not explain the causes of the unauthorized exfiltration of data.
How can you avoid similar scenarios?
Most companies don't prioritize privacy until they experience a data breach or face an audit by a supervisory authority. However, multimillion-euro fines like this one could be avoided, or significantly reduced, if companies are willing to invest time and resources and do so wisely.
When a company processes a large amount of data, or the collected data is considered sensitive personal data, it is important to keep track of processing activities, to know who has access to the data, to verify that proper technical and organizational measures are in place, and to regularly reevaluate the state of the privacy program.
The recommended approach is to conduct an external, independent audit: a State-of-Privacy Assessment (SOPA), focused on giving you objective insight into the current state of privacy and data protection within your organization, allowing you to prevent financial loss and recognize privacy and security risks.
The end product of such an assessment is a detailed GDPR compliance maturity report, adapted to your specific requirements, together with recommendations for improving your organization's privacy program. Conducting a SOPA is the first step toward approaching your privacy program systematically, with a clear vision of your goals.
Reasons behind the €2 million fine
Even when GDPR violations do happen, how well you are able to respond to the supervisory authority's requests, how quickly you can provide documentation, and how fast you can fix the issues and contain the negative repercussions for individuals will have a huge impact on the total amount of the fine. Unfortunately, without a proper privacy solution, that can be almost impossible.
In this case, the amount of the fine was set taking aggravating circumstances into account. AZOP identified shortcomings in cooperation during the investigation, such as delays in submitting requested documents, which affected the duration of the process.
Namely, B2 Kapital was slow to respond to several of AZOP's requests for documentation, and only in the last days before a set deadline did it ask for an extension of the deadline or for clarification of circumstances that could have been requested earlier. Also, despite several requests for documentation (system log listings), the data controller did not provide it.
The debt collection agency probably would not even have noticed the exfiltration of personal data if AZOP had not received an anonymous report and conducted supervisory activities.
To this day, B2 Kapital has not clarified all the circumstances of the breach, that is, the disclosure of personal data outside its storage system, which further indicates a lack of adequate protection measures.
Read more (in Croatian): Agenciji za naplatu potraživanja izrečena upravna novčana kazna u iznosu od 2,26 milijuna eura (Debt collection agency issued an administrative fine of 2.26 million euros)