The Personal Data Protection Agency ('AZOP') announced, on 21 July 2022, that it had imposed a fine of HRK 2.15 million (approx. €286,066) on an unnamed telecommunications service provider, for violation of Articles 25(1), 32(1)(b), 32(1)(d), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach notification.

Background to the decision

In particular, the AZOP explained that the telecommunications service provider had notified both the AZOP and the users of a security incident affecting approximately 100,000 data subjects.

Findings of the AZOP

Further to the above, the AZOP found that the telecommunications service provider had implemented insufficient technical and organisational measures, failing to ensure an adequate level of security of the personal data processed. In particular, the AZOP outlined that the telecommunications service provider was responsible for multiple omissions during the design of the processing system, including in relation to limiting access, the inclusion of appropriate corrective actions in the system, and the execution of the prescribed organisational measures contained in the existing internal policies. As such, the AZOP determined that the telecommunications service provider had breached its obligations under Articles 25(1), 32(1)(b), 32(1)(d), and 32(2) of the GDPR.

In light of the established facts, the AZOP imposed an administrative fine. In determining its amount, the AZOP took into account, as an aggravating factor, the fact that the data controller is one of the leading companies providing telecommunications services in Croatia, and thus, given the large volume of personal data processed, it was expected to implement more complex organisational and technical measures.

Outcomes

In conclusion, the AZOP imposed a fine of HRK 2.15 million (approx. €286,066) on the telecommunications service provider.

You can read the press release, only available in Croatian, here.