
In early May 2023, the Croatian Personal Data Protection Agency (AZOP) imposed a fine on a debt collection company in the amount of 2.2 million euros for multiple violations of the personal data protection requirements prescribed by Regulation (EU) 2016/679 (GDPR). This is the maximum fine that AZOP has imposed in Croatia thus far.

Circumstances of the Case

In December 2022, AZOP received an anonymous complaint regarding the unauthorized processing of a large volume of personal data (such as names and surnames, dates of birth, personal identification numbers, residential addresses, employer names and personal identification numbers, debt to the company, the amount of the principal and the default interest) belonging to 77,317 debtors by the debt collection company that purchased their debts from credit institutions. Following the receipt of the complaint, AZOP initiated an audit of the company.

Identified Infringements

During the audit, AZOP identified the following infringements of the personal data protection rights under the GDPR, on the part of the company as a data controller:

  • The company failed to clearly and accurately inform its data subjects/debtors (at least 132,652 of them) about the processing of their personal data.
  • The company did not enter into a data processing agreement with the data processor that was carrying out processing on behalf of the company as part of its services involving the monitoring of consumers’ bankruptcy, which endangered the security of the personal data belonging to 83,896 data subjects.
  • The company did not take appropriate technical and organizational security measures, in relation to the processing of personal data, until the day the fine was imposed. This resulted in a breach of the personal data security of at least 132,652 data subjects.

AZOP states the following in its decision:

  • The company bears the greatest responsibility for not taking technical security measures, given that it lost complete control over the data flows and could not explain the causes of the data exfiltration (unauthorized extraction of personal data).
  • The following aggravating factors were identified: (i) insufficient cooperation from the company during the audit (failure to submit certain documentation, sending a response shortly before the deadline was set to expire, asking for longer deadlines, etc., which all contributed to the delay of the procedure) and (ii) the fact that the company did not inform AZOP about taking additional security measures that would prevent future risks from identified infringements until the day the decision was made, and that it did not adjust/update the privacy policy on its website.
  • The company would probably never have noticed this exfiltration of personal data if AZOP had not received an anonymous complaint and carried out an audit.
  • The company did not clarify the circumstances of the infringement until the day of the fine / decision.
  • This case involves a violation of several provisions of the GDPR by one of the leading companies in the area of debt collection as well as possible individual criminal liability/criminal offense.

Conclusion – What Next?

This is the maximum fine that AZOP has thus far imposed in Croatia, which is a stark reminder of the importance of data protection compliance.

Given this recent precedent, all parties will have to exercise greater caution moving forward. It is advisable to (i) consistently follow the guidelines issued by AZOP and the European Data Protection Board, (ii) assess the actual processing activities, existing data privacy documentation and security measures, and, if necessary, (iii) update the existing and/or implement new documentation and technical and organisational measures to ensure an appropriate level of security based on the risk involved.

23 May 2023

Croatian Personal Data Protection Agency imposes a EUR 2.2 million fine on a debt collection company
