On July 21, 2022, the Croatian Personal Data Protection Agency (AZOP) imposed a HRK 2.15 million (approximately €286,000) fine on one of the leading telecommunications service providers in Croatia for violation of the General Data Protection Regulation (GDPR).
The fine was issued for failing to implement appropriate technical and organizational measures for the processing of personal data, which led to the unauthorized access and processing of personal data by attackers, affecting approximately 100,000 individuals.
The background of the case
The Agency learned about the breach incident after the company reported the violation and informed the users of its services about the incident in accordance with Article 33.
The Agency determined that the implemented organizational and technical measures were insufficient and that the company made multiple omissions when designing the processing system, namely regarding restriction of access to personal data, monitoring, reporting, timely response, implementation of appropriate corrective actions in the system, and execution of the organizational measures prescribed by its existing internal acts.
The Agency found an aggravating circumstance in the fact that the company, as one of the leading providers of telecommunications services in Croatia that collects and processes a large volume of personal data, did not apply more thorough measures both before and during the processing itself.
Additionally, the company should have taken into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing.
The Agency assessed that the company did not take the measures necessary to achieve an adequate level of security in light of the foreseeable risks, thereby acting contrary to Article 25(1) and Article 32(1) and (2) of the General Data Protection Regulation.
Second GDPR fine for failure to provide notice of video surveillance
Additionally, the Agency fined a second data controller, a car sales and service center, after carrying out an unannounced inspection of the collection and processing of personal data by its video surveillance system.
The Agency determined that the car sales and service center did not indicate that certain rooms, as well as the outdoor areas of the premises in question, were under video surveillance.
The DPA issued a HRK 30,000 fine (approximately €4,000) for failing to mark the facility as being under video surveillance.