Croatia: AZOP fines B2 Kapital €2.27M for unauthorised processing of personal data

The Personal Data Protection Agency ('AZOP') announced, on 4 May 2023, that it had imposed a fine of €2,265,000 on B2 Kapital d.o.o., for violations of Articles 6(1), 13(1), 28(3), 32(1)(b), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an anonymous report.

Background to the case

In particular, the AZOP highlighted that it had received an anonymous report, in December 2022, claiming that B2 Kapital was carrying out ongoing unauthorised processing of a large volume of personal data. Further, the AZOP detailed that the anonymous report was accompanied by a USB stick containing the personal data of around 77,317 people whose outstanding debts with credit institutions had been purchased by B2 Kapital, including their first and last names and dates of birth.

Findings of the AZOP

Following its investigation, the AZOP found that B2 Kapital failed to inform the data subjects, namely those whose debt had been purchased, of the processing of their personal data and the relevant legal basis for processing, thereby violating Article 13(1) of the GDPR. Likewise, the AZOP outlined that B2 Kapital's non-transparent processing of personal data, citing the failure to change the company privacy policy regarding the legal basis of processing, also violated Article 6(1) of the GDPR.

Further, the AZOP stipulated that B2 Kapital, as data controller, failed to enter into a contract with a processor for the processing of personal data for bankruptcy monitoring purposes. Accordingly, the AZOP noted that the absence of a contract which establishes that the processor must meet technical and organisational protection measures resulted in a breach of Article 28(3) of the GDPR.

In addition, the AZOP noted that B2 Kapital, by failing to take appropriate technical and organisational measures, violated Articles 32(1)(b) and 32(2) of the GDPR. Notably, the AZOP held that B2 Kapital would likely have failed to notice the exfiltration of the personal data of the 77,317 persons if the AZOP had not received an anonymous report and conducted its own investigation.


As a result, the AZOP imposed a fine of €2,265,000 for the aforementioned violations.

The AZOP's press release is only available in Croatian; the European Data Protection Board has also published a summary.