HEP-Toplinarstvo
320,000 €
GDPR enforcement action by Croatian Data Protection Authority (azop) on 2025-07-22.
Rank · Sector: #44 of 167 in Transportation and Energy
Rank · Croatia: #7 of 43
Rank · All fines: #291 of 3,050
Case details
- Authority: Croatian Data Protection Authority (azop)
- Date: 2025-07-22
- Controller / Processor: HEP-Toplinarstvo
- Sector: Transportation and Energy
- Quoted Articles: Art. 31 GDPR, Art. 32 GDPR
- Type of violation: Insufficient technical and organisational measures to ensure information security
Summary
The Croatian DPA has imposed a fine of EUR 320,000 on HEP-Toplinarstvo. The controller failed to implement sufficient technical and organisational measures to ensure data security. When a data subject requested a new password for the controller's online platform, the controller transmitted the old password rather than a new, temporary password. Additionally, the controller stored their customers' passwords in readable form without encryption. Furthermore, the controller failed to cooperate adequately with the supervisory authority.
Related fines
- Croatia | 2023-10-05 | 5,470,000 € | ETid-2063 | Debt collection company | Finance, Insurance and Consulting
- Croatia | 2024-04-22 | 5,004,000 € | ETid-2303 | Unknown | Not assigned
- Croatia | 2025-11-24 | 4,500,000 € | ETid-2937 | Telecommunications operator (operator of electronic communications networks and services) | Media, Telecoms and Broadcasting
- Croatia | 2023-05-04 | 2,265,000 € | ETid-1816 | Debt collection agency | Finance, Insurance and Consulting
- Croatia | 2025-12-18 | 1,500,000 € | ETid-3102 | Bank | Finance, Insurance and Consulting
- Croatia | 2023-05-18 | 380,000 € | ETid-1859 | Sports betting operator | Industry and Commerce