Croatia

Company

80,000 €

GDPR enforcement action by Croatian Data Protection Authority (azop) on 2025-03-24.

Rank · Sector

#67

of 165 in Transportation and Energy

Rank · Croatia

#14

of 43

Rank · All fines

#530

of 3,042

Case details

Authority: Croatian Data Protection Authority (azop)
Date: 2025-03-24
Controller / Processor: Company
Sector: Transportation and Energy
Quoted Articles: Art. 5 (1) b) GDPR , Art. 6 (1) GDPR, Art. 32 (2), (4) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior's (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, the actual use went beyond the scope of this concession. In addition, a data processing agreement with the hospital was missing, the system was operated without appropriate technical and organizational protective measures, and there was no legal basis for processing the data. Thus, the company was fined for breaching Art. 5 (1) (b), Art. 6 (1), and Art.32 (2) and (4) GDPR.

Open original source Links to the regulator's original publication or another source.