First GDPR fine in Croatia issued to an unkown bank

Two cataclysmic events that hit Croatia recently, one being Coronavirus pandemic and the other one the biggest earthquake in Croatian capital in 140 years, unfortunately, overshadowed the first GDPR fine issued in Croatia, which was quite a significant development.

The GDPR fine was issued on 13 March 2020, by Croatian Personal Data Protection Agency (AZOP) to an unknown Bank for violation of the right of access by the data subject Article 15(3), in the yet unknown amount.

Why did the DPA act?

Back in October 2018, AZOP has started receiving numerous complaints from citizens, stating that they have contacted the Bank regarding the subject access requests.

However, the Bank continuously refused to fulfill their GDPR granted right to access their personal data.

Individuals were trying to get ahold of the personal data the Bank has on them regarding documentation relating to Swiss francs (CHF) loan agreements with the Bank in question.

Why the DPA did not disclose the name of the Bank?

According to Croatian law, the DPA will disclose information only if the administrative fine in the amount of at least 100,000 HRK or approximately 13,000 EUR is made final. Since the administrative fine for the Bank is not final, the DPA did not disclose the information about the Bank.

Arguments of the Bank

The Bank refused to fulfill individuals’ right of access to personal data and submit a copy of requested documentation, insisting that the documentation represents loan documentation that is not subject to the data subjects’ right of access.

The Bank argued there is no legal grounds or obligation to provide personal data to individuals’, since the documentation in question is related to repaid loans, and has persistently refused to provide individuals a copy of their personal data.

Arguments of the DPA

Croatian supervisory authority conducted an investigation in which it determined that the documentation requested had contained personal information on data subjects, and issued a decision ordering the Bank to provide documentation/copies of personal data to all data subjects who requested it.

It is also important to note that upon its investigation, the DPA discovered there were approximately 2500 requests on top of individually filed registered complaints.

The complaints were filed between May 2018 to end of April 2019. In all those cases, the individuals were denied copies of their personal information.

Can we expect a considerable fine?

Since the DPA has not disclosed the name of the Bank nor the amount of fine, we can only make an educated guess. However, we do know that the DPA qualified the violation of GDPR as severe, and the amount of fine can be up to 20 million euros, or up to 4 % of the Bank’s total global turnover of the preceding fiscal year, whichever is higher- Article 83.

So the answer is yes, we fully expect the first GDPR fine in Croatia to be considerable!

Contributing factor to issuing the highest administrative fine is the number of filed complaints (2577)  and the time period in which the Bank was in violation of the GDPR.

The Bank was also well aware of violations and acted consciously and intentionally, disregarding numerous warnings (34 in total) from the supervisory authority, and there was no effort from the Bank to mitigate any possible consequences and risks to the rights and freedoms of individuals.

Read the entire DPAs’ decision in Croatian.