First GDPR fine in Croatia issued to an unknown Bank

Two cataclysmic events hit Croatia recently, one being the Coronavirus pandemic and the other being the biggest earthquake in the Croatian capital in 140 years, unfortunately overshadowing the first GDPR fine issued in Croatia, which was quite a significant development.

The GDPR fine was issued on 13 March 2020 by the Croatian Personal Data Protection Agency (AZOP) to an unknown Bank for violating the data subject's right of access under Article 15(3), in an as yet unknown amount.

Why did the DPA act?

Back in October 2018, AZOP started receiving numerous complaints from citizens, stating they had contacted the Bank regarding the subject access requests.

However, the Bank continuously refused to fulfill their GDPR-granted right to access personal data.

Individuals were trying to get ahold of the personal data the Bank had on them regarding documentation relating to Swiss francs (CHF) loan agreements with the Bank in question.

Why did the DPA not disclose the name of the Bank?

According to Croatian law, the DPA will disclose information only if an administrative fine of at least 100,000 HRK (approximately 13,000 EUR) has become final. Since the administrative fine for the Bank is not final, the DPA did not disclose the information about the Bank.

Arguments of the Bank

The Bank refused to fulfill individuals’ right of access to personal data and to submit a copy of the requested documentation, insisting that it was loan documentation that is not subject to the data subject's right of access.

The Bank argued there were no legal grounds or obligation to provide personal data to individuals, since the documentation in question related to repaid loans, and it persistently refused to provide individuals with a copy of their personal data.

Arguments of the DPA

The Croatian supervisory authority conducted an investigation in which it determined that the requested documentation contained personal information on data subjects, and issued a decision ordering the Bank to provide documentation/copies of personal data to all data subjects who requested it.

It is also important to note that upon its investigation, the DPA discovered there were approximately 2500 requests on top of individually filed registered complaints.

The complaints were filed between May 2018 and the end of April 2019. In all those cases, the individuals were denied copies of their personal information.

Can we expect a considerable fine?

Since the DPA has not disclosed the name of the Bank nor the amount of the fine, we can only make an educated guess. However, we do know that the DPA qualified the violation of GDPR as severe, and the amount of the fine can be up to 20 million euros, or up to 4% of the Bank’s total global turnover of the preceding fiscal year, whichever is higher (Article 83).

So the answer is yes, we fully expect the first GDPR fine in Croatia to be considerable!

Contributing factors to issuing the highest administrative fine are the number of filed complaints (2577) and the time period in which the Bank was in violation of the GDPR.

The Bank was also well aware of the violations and acted consciously and intentionally, disregarding numerous warnings (34 in total) from the supervisory authority, and it made no effort to mitigate any possible consequences and risks to the rights and freedoms of individuals.

Read the entire DPA decision in Croatian.
