Debt collection agency – €2,265,000 Fine (Croatia, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Croatia fined a debt collection agency €2,265,000 for mishandling personal data of over 132,000 people. This is significant because it shows the high cost of not protecting personal data properly.
What happened
A debt collection agency processed personal data without proper authorization and failed to secure it, leading to a massive data breach.
Who was affected
132,652 individuals whose personal data was mishandled by the debt collection agency.
What the authority found
The Croatian data protection authority found the agency violated GDPR by not securing personal data and lacking proper data processing agreements.
Why this matters
This record fine underscores the importance of securing personal data and having proper agreements with data processors. Companies must ensure they comply with GDPR to avoid severe penalties.
Original data from scraper before AI verification against source document.
The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors' personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors.
During its investigation, AZOP found that the controller did not provide sufficient information about the processing of personal data in its privacy policy. Moreover, it failed to provide information about the legal basis for the refund of overpaid funds. The breach affected 132,652 individuals.
Further, AZOP found that the controller had not entered into a data processing agreement with a processor that monitored simple consumer bankruptcies. This put the data of 83,896 individuals at risk. The breach persisted for 2 years.
Finally, AZOP found that the controller had failed to implement adequate technical and organizational measures to protect personal data. Deficiencies in the controller's security system led to insecure processing of personal data on a large scale, resulting in the unauthorized filtering of data. AZOP noted that the breach has been ongoing since at least 2019 and has not been addressed to date.
Aggravating factors considered by AZOP included the controller's failure to adequately cooperate with the DPA during the process. Furthermore, the controller has not yet informed AZOP of additional measures it has taken to prevent future risks of identified violations and has not yet brought its privacy policy into compliance with the GDPR.
Details
Fine Date
4 May 2023
Authority
Agencija za zaštitu osobnih podataka
Fine Amount
€2,265,000
Enforcement Tracker ID
ETid-1816
About this data
Cite as: Cookie Fines. Debt collection agency - Croatia (2023). Retrieved from cookiefines.eu