HEP-Toplinarstvo – €320,000 Fine (Croatia, 2025)

€320,000 | Agencija za zaštitu osobnih podataka | 22 July 2025 | Croatia
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

HEP-Toplinarstvo was fined €320,000 for not keeping customer data secure. They mistakenly sent old passwords instead of new ones and stored passwords in a readable format. This case highlights the importance of strong security measures for businesses handling personal information.

What happened

HEP-Toplinarstvo failed to implement proper security measures, leading to the mishandling of customer passwords.

Who was affected

Customers of HEP-Toplinarstvo who requested password resets and had their old passwords sent to them.

What the authority found

The Croatian DPA found that HEP-Toplinarstvo did not take adequate steps to protect personal data, violating GDPR's requirements for data security.

Why this matters

This ruling emphasizes that companies must prioritize data security to protect customer information. Other businesses should review their security practices to avoid similar penalties.

GDPR Articles Cited

AI-verified

Art. 31 (GDPR)
Art. 32 (GDPR)

Source verified 23 April 2026
verified correct
Full Legal Summary
Detailed

The Croatian DPA has imposed a fine of EUR 320,000 on HEP-Toplinarstvo. The controller failed to implement sufficient technical and organisational measures to ensure data security. When a data subject requested a new password for the controller's online platform, the controller transmitted the old password rather than a new, temporary password. Additionally, the controller stored their customers' passwords in readable form without encryption. Furthermore, the controller failed to cooperate adequately with the supervisory authority.

Related Enforcement Actions (0)

No other enforcement actions found for HEP-Toplinarstvo in HR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 22 July 2025

Authority: Agencija za zaštitu osobnih podataka

Fine Amount: €320,000

Enforcement Tracker ID: ETid-3100

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. HEP-Toplinarstvo - Croatia (2025). Retrieved from cookiefines.eu
