Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Croatia: AZOP fines retail chain company HRK 675,000 for failure to take appropriate security measures for processing of personal data

The Personal Data Protection Agency ('AZOP') published, on 8 March 2022, its decision in which it imposed a fine of HRK 675,000 (approx. €89,000) against an unnamed retail chain company for violations of Articles 32(1)(b), 32(1)(d), 32(2), and 32(4) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), for failure to take appropriate security measures for the processing of personal data, which led to the unauthorised processing of personal data of the complainants through their publication on social networks and in the media.

Background to the decision

In particular, AZOP noted that it received a report on alledged violations of personal data from the company, stating that the employees of the company, without authorisation and contrary to internal acts and instructions, recorded video surveillance footage with their mobile devices and published it on social networks and in the media.

Findings of the AZOP

Further to this, AZOP found that the company did not take adequate actions to prevent its employees from taking video surveillance images using their mobile devices. Moreover, the decision provides that the company took certain organisational measures, such as employee education and adoption of internal acts, but did not take appropriate technical security measures that could reduce the risk of a similar violation, neither before nor after the incident.

In addition, the decision highlights that the company did not regularly monitor the implementation of technical and organisational measures aimed at ensuring the confidentiality, integrity, and availability of personal data, and failed to regularly test, evaluate, and determine the effectiveness of technical and organisational measures to ensure the security of video surveillance. Therefore, the decision confirms that the company failed to implement appropriate technical security measures for personal data processing.

In conclusion, AZOP considered that the corrective measures in the form of administrative fines are effective, proportionate, and dissuasive and that the aforementioned amount is fully appropriate to the circumstances took in this case.


Based on these findings, AZOP deemed it appropriate to impose the company with the aforementioned fine for violation of Articles 32(1)(b), 32(1)(d), 32(2), and 32(4) of the GDPR.

You can read the decision, only available in Croatian, here.