Background information
- Date of decision: 5 October 2023
- Cross-border case or national case: National case
- Controller: EOS Matrix (Debt Collection Agency)
- Legal references: Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 32 (Security of processing)
- Decision: Administrative fine
- Key words: Lawfulness of processing, Data security, Administrative fine, Health records, Transparency, Technical measures
Summary of the Decision
Origin of the case
On 22 March 2023, the Croatian Supervisory Authority (SA) received an anonymous petition stating that EOS Matrix d.o.o., a debt collection agency (the data controller), was carrying out unauthorised processing of the personal data of a large number of natural persons (debtors). The petition was accompanied by a USB stick containing the personal data of 181,641 natural persons, structured as name and surname, date of birth and personal identification number, who had outstanding debts towards credit institutions; those debts had been purchased by EOS Matrix d.o.o. under a cession contract. The petition further stated that 294 of the natural persons included in the database were minors at the time the database was compiled.
Key Findings
The data controller did not implement sufficient technical measures in its processing system (the main database, in which the personal data of about 370,000 data subjects are processed) capable of identifying activities that deviate from normal use (e.g. an increased number of data retrievals from the database, transfer of data outside the system, compromise of user access, etc.). This was found to be contrary to Article 32 of the GDPR.
During the supervisory activity conducted by the SA, it was determined that the data controller also processed the personal data of individuals who were neither debtors nor legal representatives of heirs in debtor-creditor relations, and that there was no legal basis under Article 6(1) of the GDPR for this processing.
As regards the processing of health data, it was established that the data controller actively recorded comments on the state of health of certain debtors. Moreover, the health status of the data subjects concerned was followed up with details of individual diagnoses, including terminal illnesses, a processing activity for which no exception under Article 9(2) of the GDPR applied.
An examination of the first three privacy policies (in force between May 2018 and October 2020) established that the data controller stated in these documents that it did not and would not process health data. The processing of personal data was therefore non-transparent, which is not in line with Article 12(1) and Article 13(1) and (2) of the GDPR.
In addition, in the period from May 2018 to January 2019, the data controller processed data relating to 49,850 data subjects by recording telephone conversations without having established a legal basis under Article 6(1) of the GDPR, which also led to an infringement of Article 5(2) of the GDPR.
Decision
The Croatian SA imposed an administrative fine on the data controller, the debt collection agency EOS Matrix d.o.o., in the amount of 5,470,000.00 EUR for violations of Articles 5, 6, 9, 12, 13 and 32 of the GDPR.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.