
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Croatian Data Protection Authority (azop) (44 items)

Telecommunications company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA claiming that the company was still processing their personal data even though they had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company had still been storing the data due to an alleged debt. The debt was no longer outstanding, however, the company had failed to delete the data of the data

Telecommunications company: Insufficient legal basis for data processing.

The Croatian Data Protection Authority (DPA) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA claiming that the company was still processing their personal data even though they had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company was still storing the data because of an alleged debt. Although that debt no longer existed, the company had not deleted the data subject's data.

Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (azop)

Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ

Telecommunications company (operator of electronic communications networks and services): Breach of the general principles of data processing.

A fine of EUR 4,500,000 - imposed by the Croatian Data Protection Authority (AZOP).

Following an investigation by the authority, AZOP imposed a fine of EUR 4.5 million on a telecommunications company for multiple GDPR infringements. The controller transferred customer data to a processor in the Republic of Serbia (a subsidiary that maintains software). These transfers took place on the basis of Standard Contractual Clauses (SCCs) from 16 April 2020 until 27 December 2022 at the latest; after that, the transfers continued without SCCs or equivalent safeguards, even though Serbia is not regarded as a country offering adequate protection.

Company: Insufficient legal basis for the processing of data.

A fine of EUR 40,000 - imposed by the Croatian Data Protection Authority (AZOP).

The Croatian Data Protection Authority (AZOP) has imposed a fine of EUR 40,000 on a company because it published personal data of sole traders on its website. The data came from public sources and from the financial agency FINA. Although the data was publicly accessible, the authority ruled that there was no valid legal basis for the publication. In addition, the company had not informed the data subjects about the processing of their data and had not properly documented its processing activities. Another point of concern was that...

Hospital: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system,

Oil and fat manufacturer: Lack of appointment of data protection officer

€10,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 10,000 on an oil and fat manufacturer for failing to appoint and designate a data protection officer.

Casino: Lack of appointment of data protection officer

€12,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 12,000 on a casino for failing to appoint and designate a data protection officer.

Hospital: Non-compliance with general data processing principles

€4,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 4,000 on a hospital. AZOP found that the hospital used a company which automatically retrieved personal data of vehicle owners via the Ministry of the Interior's web service without a legal basis, in order to issue parking fines to vehicle owners. Additionally, the hospital failed to inform parking users transparently and in accordance with legal requirements about the processing of their personal data related to parking fees. Furthermore, the hospit

Hospital: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 3,000 on a hospital. Despite the extensive and high-risk processing of health data, the hospital had not implemented sufficient organizational measures to ensure the security of data processing. Specifically, measures to ensure the confidentiality of health information were lacking, which undermined trust in medical services and patient privacy. The hospital was fined for breaching Art. 13, Art. 32, Art. 33, and Art. 34 (1) GDPR.

Company: Insufficient legal basis for data processing

€80,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior's (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, t

Hospital: Non-compliance with the general principles of data processing.

EUR 4,000 fine - Croatian Data Protection Authority (AZOP).

The Croatian Data Protection Authority (AZOP) has imposed a fine of EUR 4,000 on a hospital. AZOP found that the hospital used a company that automatically retrieved personal data of vehicle owners via the web service of the Ministry of the Interior, without a legal basis for doing so, in order to send parking fines to vehicle owners. In addition, the hospital did not inform parking users transparently and in accordance with legal requirements about the processing of their personal data relating to parking fees. Furthermore...

Company: Insufficient legal basis for data processing

€40,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 40,000 on a company that published personal data of sole traders on its website. The data originated from public sources and from the financial agency FINA. Although publicly accessible, the authority found that there was no valid legal basis for the publication. Furthermore, the company did not inform the data subjects about the processing of their data and did not properly document its processing activities. Another point of concern was that th

Hospital: Insufficient technical and organisational measures to ensure information security

€190,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR).

Company: €35,700 fine

€35,700 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed fines totaling EUR 35,700 on nine companies for failing to adequately indicate their video surveillance areas and for failing to provide all the necessary information on data processing related to video processing.

Hotel: €45,000 fine

€45,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 45,000 on two hotels for unlawfully processing personal data through the use of cookies.

CROATIA DPA: Insufficient fulfilment of information obligations

Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed seven fines totaling EUR 16,000 on data controllers for failing to adequately mark video-monitored areas. This lack of marking resulted in people entering these areas not being informed of the surveillance, as the signs were either not visible on entry or did not contain all the necessary information. The fines ranged from EUR 500 to 4,000 and were imposed on various establishments, including hotels, restaurants, and shops. According to Art. 27 (1) of the Law

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Betting company: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Debt collection company: Insufficient legal basis for data processing

€5,470,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 5,470,000 on a debt collection company. The investigation was triggered by an anonymous complaint stating that the controller unlawfully processed personal data, with a USB stick attached to the complaint containing personal data of 181,641 individuals. As a controller, the debt-collection company unlawfully processed sensitive (health-related) data of its debtors, as well as the data of individuals who are not in a debtor-creditor relationship, mos

Hotel: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what would have been necessary for the purpose of booking a hotel room and without a valid legal basis. Specifically, the hotel collected the CVC number of guests' credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. The hotel claimed it coll

Betting company: Insufficient legal basis for data processing

€30,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 30,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent

Zagreb Holding d.o.o.: Insufficient fulfilment of information obligations

€25,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 25,000 on Zagreb Holding d.o.o., a utilities company owned by the city of Zagreb. The DPA had received a complaint from a citizen concerning Zagreb Holding's practice of requesting a copy of users' personal identification cards before issuing invoices via email. Previously, to receive invoices by email, users only needed to provide their name, surname, address, personal identification number, facility number and user number. During the inve

Sports betting operator: Insufficient legal basis for data processing

€380,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 380,000 on a sports betting operator. AZOP had received a complaint from a data subject, stating that the controller had obtained a copy of their bank card. During its investigation, AZOP found that the controller had collected personal data (including copies of bank cards) of data subjects without a valid legal basis. In 2022, players had the option to have their winnings paid out not only via their bank account but also via their Visa card. The

Debt collection agency: Insufficient technical and organisational measures to ensure information security

€2,265,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors' personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors. During its investigation, AZOP found that cont

Retailer: Insufficient fulfilment of information obligations

€2,654 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 2,654 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Jewelry manufacturer: Insufficient fulfilment of information obligations

€2,654 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 2,654 on a jewelry manufacturer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Fish market: Insufficient fulfilment of information obligations

€1,991 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a fish market. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Retailer: Insufficient fulfilment of information obligations

€2,654 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 2,654 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Retailer: Insufficient fulfilment of information obligations

€3,185 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 3,185 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Retailer: Insufficient fulfilment of information obligations

€1,991 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Betting place: Insufficient fulfilment of information obligations

€1,991 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a betting place. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice was not visible to data subjects entering the video perimeter. Furthermore, the video surveillance notice did not contain all relevant information on the CCTV. The DPA therefore concluded that the controller had violated Art. 27 (1) and (2) of the Croatian Act on the Implementation of the

Retailer: Insufficient fulfilment of information obligations

€3,583 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 3,583 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the controller had failed to inform the data subjects that they would be recorded by the CCTV. The DPA therefore concluded that the controller had violated Art. 27 (1) of the Croatian Act on the Implementation of the GDPR.

Company in the hospitality industry: Insufficient fulfilment of information obligations

€1,991 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a company in the hospitality industry. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Betting place: Insufficient fulfilment of information obligations

€1,991 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a betting place. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.

Car dealership: Insufficient fulfilment of information obligations

€4,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA has fined a car dealership EUR 4,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance.

Telecommunications company: Insufficient technical and organisational measures to ensure information security

€285,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA has fined a telecommunications company EUR 285,000. The company had suffered a data breach. Attackers had managed to access data from about 100,000 data subjects. During its investigation, the DPA found that such a breach was facilitated by the company's failure to implement adequate technical and organizational security measures for the processing of personal data. For example, the processing systems lacked access restrictions. In assessing the fine, it was taken into aggravati

Retail company (name not available at the moment): Insufficient technical and organisational measures to ensure information security

€89,250 fine - Croatian Data Protection Authority (azop)

A retail company, i.e. the data controller, reported a personal data breach to the DPA, informing it that its employees had recorded video surveillance footage with a mobile phone, which was unauthorised and contrary to the company's internal acts and instructions. The recording was made public by being leaked to social media and subsequently to other media outlets. The DPA determined that the data controller had not taken adequate measures to prevent its employees from creating the footage. Although the co

Energy company (name not available at the moment): Insufficient fulfilment of data subjects rights

€124,245 fine - Croatian Data Protection Authority (azop)

The fined energy company owns petrol stations and sells fuel to customers. The data subject is a customer who filed a consumer complaint about inaccurate measuring, and consequently overcharging, of fuel dispensed at one of the petrol stations. The data subject requested a copy of their personal data, i.e. a copy of the video surveillance footage covering a specific time and area. The energy company justified rejecting the request by: (i) lack of written request by competent authorities to deli

Insurance company: Insufficient fulfilment of information obligations

Croatian Data Protection Authority (azop)

The DPA conducted, ex officio and without prior notice, a direct inspection of an insurance company based in Zagreb. On inspecting its business facility, which is used for carrying out technical inspections and vehicle registration and for contracting insurance services, the DPA established that both the business facility and its external surface are under video surveillance. However, the DPA also established that the insurance company had failed to provide notice of such surveillance, which is contrary to Art

IT services company: Insufficient technical and organisational measures to ensure information security

Croatian Data Protection Authority (azop)

A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA as well as its users of the potential personal data breach at the IT provider. The incident consisted of a security breach which le

Security company (name not available at the moment): Insufficient technical and organisational measures to ensure information security

Croatian Data Protection Authority (azop)

A data controller using the services of the security company reported a personal data breach to the DPA, which arose after an employee of the security company recorded video surveillance footage with a phone and shared it with a third party. The recording was ultimately made available on social media and in the media. The DPA found that the security company, as a data processor, enabled the breach by not maintaining adequate and sufficient technical and organizational measures for personal data

Bank (name not available at the moment): Insufficient fulfilment of data subjects rights

Croatian Data Protection Authority (azop)

In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, review of interest rate changes, etc.). The bank argued that the documentation related to repaid loans and constituted loan documentation that cannot be subject to the customers' right of access. During the procedure initiated on the basis of data subjects' complaints, the DPA ordered th