
Croatian DPA AZOP imposed a €2.26 million GDPR fine on a debt collection agency

The Croatian Personal Data Protection Agency (AZOP) imposed a €2.26 million GDPR fine on the debt collection agency B2 Kapital. AZOP launched an investigation after receiving an anonymous complaint stating that the agency had carried out unauthorized processing of a large volume of personal data.

A USB stick was also attached to the complaint, containing personal data such as first and last name, date of birth, and personal identification number (OIB) for a total of 77,317 individuals.

AZOP’s investigation

AZOP initiated a supervisory procedure in December 2022 and conducted an investigation that revealed three violations of the General Data Protection Regulation due to the negligent conduct of the debt collection agency.

1. Failure to inform data subjects about data processing activities

As a data controller, B2 Kapital failed to inform individuals, in a clear and accurate manner through its privacy policy, about the details of the processing of their personal data, particularly regarding the legal basis for refunds. This is contrary to Article 13(1) GDPR.

This resulted in the non-transparent processing of the personal data of at least 132,652 individuals at the time of the inspection. AZOP also noted that, at the time of the inspection, the company had not updated its privacy policy since May 25, 2018.

2. Lack of a data processing agreement with a processor

B2 Kapital did not have a data processing agreement in place with the processor engaged to monitor simple consumer bankruptcies, compromising the security of the personal data (personal identification numbers) of 83,896 individuals.

3. Failure to implement appropriate technical and organizational measures

The lack of data processing agreements with its processors means the company did not implement appropriate technical and organizational measures to ensure that the rules for processing personal data were clearly agreed upon and that security measures were put in place.

AZOP concluded that B2 Kapital had completely lost control over the sharing of personal data and could not explain the causes of the unauthorized exfiltration of data.

How can you avoid similar scenarios?

Most companies don’t prioritize privacy until they experience a data breach or face an audit by a supervisory authority. However, multimillion-euro fines like this one could be avoided or significantly reduced if companies are willing to invest time and resources and do so smartly.

When a company processes a large amount of data, or the collected data is considered sensitive personal data, it is important to keep track of processing activities, to know who has access to the data, to verify that proper technical and organizational measures are in place, and to regularly reevaluate the state of the privacy program.

The recommended approach is to conduct an external, independent audit: a State-of-Privacy-Assessment (SOPA), focused on providing you with objective insight into the current state of privacy and data protection affairs within your organization, allowing you to prevent financial loss and recognize privacy and security risks.


The end product of such an assessment is a detailed GDPR compliance maturity report adapted to your specific requirements, together with recommendations for improving your organization’s privacy program. Conducting a SOPA is the first step toward approaching your privacy program systematically, with a clear vision of your goals.

Reasons behind the €2 million fine

Even when such violations of the GDPR happen, how well you are able to respond to the requests of the supervisory authority, how quickly you can provide documentation, and how fast you can fix the issues and contain the negative repercussions for individuals will have a huge impact on the total amount of the fine. Unfortunately, without a proper privacy solution that can be almost impossible.

In this case, the amount of the fine was set taking aggravating circumstances into account. AZOP identified shortcomings in cooperation during the investigation, such as delays in submitting requested documents, which prolonged the proceedings.

Namely, B2 Kapital was slow to respond to several of AZOP’s requests for documentation and responded only in the last days before the set deadline, asking for an extension of the deadline or for clarification of circumstances that could have been requested earlier. Also, despite several requests for documentation (system log listings), the data controller did not provide them.

The debt collection agency probably would not even have noticed the exfiltration of personal data if AZOP had not received an anonymous report and conducted supervisory activities.

To this day, B2 Kapital has not clarified all the circumstances of the breach, that is, the disclosure of personal data outside its storage system, which further indicates a lack of adequate protection measures.

Read more (in Croatian): Agenciji za naplatu potraživanja izrečena upravna novčana kazna u iznosu od 2,26 milijuna eura (A debt collection agency was issued an administrative fine of 2.26 million euros)
