Croatia: AZOP fines B2 Kapital €2.27M for unauthorised processing of personal data
The Personal Data Protection Agency ('AZOP') announced, on 4 May 2023, that it had imposed a fine of €2,265,000 on B2 Kapital d.o.o., for violations of Articles 6(1), 13(1), 28(3), 32(1)(b), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an anonymous report.
Background to the case
In particular, the AZOP highlighted that it had received an anonymous report, in December 2022, claiming that B2 Kapital was engaged in ongoing unauthorised processing of a large volume of personal data. Further, the AZOP detailed that the anonymous report was accompanied by a USB stick containing the personal data of persons whose outstanding debts with credit institutions had been purchased by B2 Kapital, including the first and last names and dates of birth of around 77,317 people.
Findings of the AZOP
Further, the AZOP stipulated that B2 Kapital, as data controller, failed to enter into a contract with a processor for the processing of personal data for bankruptcy monitoring purposes. Accordingly, the AZOP noted that the absence of a contract which establishes that the processor must meet technical and organisational protection measures resulted in a breach of Article 28(3) of the GDPR.
In addition, the AZOP noted that B2 Kapital, by failing to take appropriate technical and organisational measures, violated Articles 32(1)(b) and 32(2) of the GDPR. Notably, the AZOP held that B2 Kapital would likely have failed to notice the exfiltration of the personal data of the 77,317 persons if the AZOP had not received an anonymous report and conducted its own investigation.
As a result, the AZOP imposed a fine of €2,265,000 for the aforementioned violations.