Details:
| Summary | The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors’ personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors.
During its investigation, AZOP found that controller did not provide sufficient information about the processing of personal data in its privacy policy. Moreover, it failed to provide information about the legal basis for the refund of overpaid funds. The breach affected 132,652 individuals. Further, the AZOP found that the controller had not entered into a data processing agreement with a processor that monitored simple consumer bankruptcies. This put the data of 83,896 individuals at risk. The breach persisted for 2 years. Finally, AZOP found that the controller had failed to implement adequate technical and organizational measures to protect personal data. Aggravating factors considered by AZOP included the controller’s failure to adequately cooperate with the DPA during the process. Furthermore, the controller has not yet informed AZOP of additional measures it has taken to prevent future risks of identified violations and has not yet brought its privacy policy into compliance with the GDPR. |
| Link: | link link |
| Related articles: | Art. 6 (1) GDPR, Art. 13 (1) GDPR, Art. 28 (3) GDPR, Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR |
| Type: | Insufficient technical and organisational measures to ensure information security |
| Fine: | EUR 2,265,000 |
| Sector | Finance, Insurance and Consulting |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/