Croatia

Retail company (name not available at the moment)

89,250 €

GDPR enforcement action by Croatian Data Protection Authority (azop) on 2022-03-08.

Rank · Sector: #82 of 597 in Industry and Commerce
Rank · Croatia: #13 of 43
Rank · All fines: #511 of 3,050

Case details

Authority: Croatian Data Protection Authority (azop)
Date: 2022-03-08
Controller / Processor: Retail company (name not available at the moment)
Sector: Industry and Commerce
Quoted Articles: Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR, Art. 32 (4) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

A retail company, acting as data controller, reported a personal data breach to the DPA: its employees had used a mobile phone to record video surveillance footage, without authorisation and contrary to the company's internal acts and instructions. The recording was leaked to social media and subsequently picked up by other media outlets. The DPA determined that the data controller did not take adequate action to prevent its employees from creating the recording. Although the company had taken certain measures, such as adopting internal acts on access to video surveillance footage, educating employees and implementing confidentiality statements, the DPA determined that it did not ensure, either before or after the disclosure of the unauthorised recording, appropriate organisational and technical security measures to minimise the risk of such or similar data breaches. In addition, the data controller did not regularly monitor or inspect the effectiveness of the technical and organisational measures implemented to maintain the confidentiality, integrity and accessibility of personal data. The DPA therefore imposed a fine of HRK 675,000.00 for the failure to take appropriate technical measures and clarified that the fine should also have a general preventive effect and raise awareness among data controllers and processors of their obligations concerning data processing.
