Croatia
Debt collection company
GDPR enforcement action by Croatian Data Protection Authority (azop) on 2023-10-05.
Case details
- Authority
- Croatian Data Protection Authority (azop)
- Date
- 2023-10-05
- Controller / Processor
- Debt collection company
- Sector
- Finance, Insurance and Consulting
- Quoted Articles
- Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 (1) GDPR, Art. 32 (1) b) GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Croatian DPA (AZOP) has imposed of fine of EUR 5,470,000 to a debt collection company. The investigation was triggered by an anonymous complaint stating that controller unlawfully processed personal data, with USB stick attached to the complaint containing personal data of 181,641 individuals.
As a controller, the debt-collection company unlawfully processed sensitive data (health related) of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address.
It was determined that the data controller did not adequately implement sufficient technical protection measures that could timely detected leakage of data from their system. Although there was a security system, the DPA determined that due to deficiencies the company lost control over the movement of their data subjects´ personal data. Furthermore, the company recorded comments related to the debtor´s state of health that the DPA found to be excessive processing without an adequate legal basis. Additionally, the DPA determined that the data controller has unlawfully recorded telephone conversations with data subject as the legitimate interest test assessment that established a legal basis for processing has not been conducted prior to the start of such processing.
Finally, the DPA found that the data subjects have not been transparently informed on the processing of their data.
Related fines