Croatia

Hospital

4,000 €

GDPR enforcement action by Croatian Data Protection Authority (azop) on 2025-03-24.

Rank · Sector

#199

of 270 in Health Care

Rank · Croatia

#31

of 43

Rank · All fines

#1,929

of 3,042

Case details

Authority: Croatian Data Protection Authority (azop)
Date: 2025-03-24
Controller / Processor: Hospital
Sector: Health Care
Quoted Articles: Art. 13 GDPR, Art. 14 (2) f) GDPR, Art. 25 (1) GDPR, Art. 28 (3) GDPR
Type of violation: Non-compliance with general data processing principles

Summary

The Croation DPA (AZOP) has imposed a fine of EUR 4,000 on a hospital. The AZOP found that the hospital used a company which automatically retrieved personal data of vehicle owners via the Ministry of the Interior's web service without a legal basis, to issue parking fines for vehicle owners. Additionally, the hospital failed to inform parking users transparently and in accordance with legal requirements about the processing of their personal data related to parking fees. Furthermore, the hospital did not implement appropriate organizational measures to protect the data and lacked a contractual agreement with the external commercial company processing the data. The hospital was fined for breaching Art. 13, Art. 14 (2)(f), Art. 25 (1) and Art. 28(3) GDPR.

Open original source Links to the regulator's original publication or another source.