Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Croatia: AZOP fines Zagrebački €25,000 for lack of notice and organizational measures

The Personal Data Protection Agency (AZOP) announced, on September 13, 2023, that it had imposed an administrative fine of €25,000 on Zagrebački holding d.o.o., for violations of the General Data Protection Regulation (GDPR), following a complaint from an individual.

Background to the decision

In particular, the AZOP stated that according to the complainant, Zagrebački asked their service users for a copy of their identity card before issuing the utility and water bill via email, which was previously not required for identification purposes.

Findings of the AZOP

The AZOP found that Zagrebački requested a copy of the identification document from service users in cases of suspected fraud, particularly, when the name and surname of the service user did not match the email address. According to the AZOP, this was not a protective measure that would provide a sufficient guarantee that the request was made by the actual user of the service. The AZOP further added that the method of identification resulted in insecure processing and created a feeling of loss of control of personal data. As a result, the AZOP determined that Zagrebački did not take appropriate technical and organizational measures when processing personal data for the purpose of identifying service users due to the issuance of invoice transcripts via email, in violation of Article 25(2) of the GDPR.

Additionally, the AZOP held that Zagrebački did not adequately inform service users about the legal basis for processing personal data and its retention period when collecting a copy of the identification document. The information was neither available to service users on the official website nor after directly requesting it via email, in violation of Articles 13(1)(c), 13(2)(a), and 13(2)(e) of the GDPR.


In light of the above, the AZOP issued a fine of €25,000 on Zagrebački for the aforementioned violations of the GDPR.

You can read the decision, only available in Croatian, here.