Background information
- Date of decision: 2 May 2023
- Cross-border case or national case: National case
- Controller: B2 Kapital
- Legal references: Article 32 (Security of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 28 (Processor)
- Decision: Administrative fine
- Key words: Administrative fine, Data security, Transparency, Responsibility of the controller, Privacy statement, technical and organisational measures
Summary of the Decision
Origin of the case
In December 2022, the Croatian Supervisory Authority (SA) received an anonymous complaint stating that a large volume of debtors' personal data was being processed without authorisation by the Debt Collection Agency. Attached to the complaint was a USB stick containing personal data (first and last name, date of birth and personal identification number) of a total of 77,317 natural persons who had outstanding debts with credit institutions, debts which the Debt Collection Agency had purchased under a cession agreement. The same personal data had also been delivered on a USB stick to a Croatian media outlet.
Key Findings
The data controller did not inform data subjects, in an accurate and clear manner, about the processing of their personal data through its notification on the processing of personal data (privacy policy) as regards the legal basis, contrary to Article 13, paragraph 1 of the General Data Protection Regulation. This resulted in non-transparent processing of data subjects' personal data (that is, incorrect information on the legal basis of the processing under Article 6, paragraph 1 of the General Data Protection Regulation), affecting all data subjects of this data controller (at least 132,652 data subjects) at the time of the supervision activity. The privacy policy remains unchanged, so the violation has not been remedied and has lasted from 25 May 2018 to date. Contrary to Article 28 of the GDPR, the data controller did not conclude a personal data processing contract with the processor providing the service of monitoring simple consumer bankruptcy, thereby putting at risk the security of the personal data (personal identification numbers) of 83,896 data subjects.
The data controller did not apply appropriate technical and organisational protection measures when processing personal data, contrary to Article 32, paragraph 2 of the GDPR. As a result of these missing measures, the security of the personal data of all data subjects (at least 132,652 at the time of the supervision) was compromised, namely first and last name, date of birth and personal identification number and, consequently, all the personal data held in the Debt Collection Agency's storage systems, which constitute financial information. It was established that the violation has been ongoing since at least 2019 and has not been remedied to date, in each case because appropriate protective measures were not applied.
Decision
The Croatian SA imposed an administrative fine of EUR 2,265,000.00 on the data controller, the Debt Collection Agency B2 Kapital d.o.o., for violations of Articles 13, 28 and 32 of the GDPR.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.