Croatian Personal Data Protection Agency imposes a EUR 2.2 million fine on a debt collection company

In early May 2023, the Croatian Personal Data Protection Agency (AZOP) imposed a fine on a debt collection company in the amount of 2.2 million euros for multiple violations of the personal data protection requirements prescribed by Regulation (EU) 2016/679 (GDPR). This is the maximum fine that AZOP has imposed in Croatia thus far.

Circumstances of the Case

In December 2022, AZOP received an anonymous complaint regarding the unauthorized processing of a large volume of personal data (such as names and surnames, dates of birth, personal identification numbers, residential addresses, employer names and personal identification numbers, debt to the company, the amount of the principal and the default interest) belonging to 77,317 debtors by the debt collection company that purchased their debts from credit institutions. Following the receipt of the complaint, AZOP initiated an audit of the company.

Identified Infringements

During the audit, AZOP identified the following infringements of the personal data protection rights under the GDPR, on the part of the company as a data controller:

• The company failed to clearly and accurately inform its data subjects/debtors (at least 132,652 of them) about the processing of their personal data.
• The company did not enter into  a data processing agreement with the data processor who was carrying out processing on behalf of the company, as part of its services involving the monitoring of consumers’ bankruptcy, which endangered the security of the personal data belonging to 83,896 data subjects.
• The company did not take appropriate technical and organizational security measures, in relation to the processing of personal data, until the day the fine was imposed. This resulted in a breach of the personal data security of at least 132,652 data subjects.

AZOP states the following in its decision:

• The company bears the greatest responsibility for not taking technical security measures, given that it lost complete control over the data flows and could not explain the causes of the data exfiltration (unauthorized extraction of personal data).
• The following aggravating factors were identified: (i) insufficient cooperation from the company during the audit (failure to submit certain documentation, sending a response shortly before the deadline was set to expire, asking for longer deadlines, etc., which all contributed to the delay of the procedure) and (ii) the fact that the company did not inform AZOP about taking additional security measures that would prevent future risks from identified infringements until the day the decision was made, and that it did not adjust/update the privacy policy on its website.
• The company would probably never have noticed this exfiltration of personal data if AZOP had not received an anonymous complaint and carried out an audit.
• The company did not clarify the circumstances of the infringement until the day of the fine / decision.
• This case involves a violation of several provisions of the GDPR by one of the leading companies in the area of debt collection as well as possible individual criminal liability/criminal offense.

Conclusion – What Next?

This is the maximum fine that AZOP has thus far imposed in Croatia, which is a stark reminder of the importance of data protection compliance.

Given this recent precedent, all parties will have to exercise greater caution moving forward. It is recommendable (i) consistently to follow the guidelines issued by AZOP and the European Data Protection Board, (ii) to assess the actual processing activities, existing data privacy documentation and security measures, and if necessary, (iii) to update the existing and/or implement new documentation and technical and organisational measures to ensure an appropriate level of security based on the risk involved.