Zagreb Holding d.o.o. – €25,000 Fine (Croatia, 2023)

The Croatian DPA (AZOP) has imposed a fine of EUR 25,000 on Zagreb Holding d.o.o., utilities company owned by the city of Zagreb. The DPA had received a complaint from a citizen concerning Zagreb Holding's practice of requesting a copy of users' personal identification cards before issuing invoices via email. Previously, to receive invoice by email the users only needed to provide their name, surname, address, personal identification number, facility number and their user number. During the investigation, it was found that Zagreb Holding lacked established rules for identifying service users requesting invoice copies via email and only collected copies of identification documents when there was suspicion of false representation. The company requested personal identification document copies from users whose email addresses had a different name/ structure than their name and surname, or if the user's name and surname in the email address did not match the requested invoice copy email address's structure. The DPA found that the mere inclusion of the correct name and surname in an email address is an insufficient protective measure. Consequently, the data controller failed to implement appropriate technical and organizational measures for user identification, contrary to Art. 25 (2) GDPR. According to the explanation given by the DPA, the data controller should have developed a process for identification via email ensuring a uniform procedure for all users, regardless of the email address structure. Furthermore, the data controller failed to transparently inform service users about the legal basis for collecting personal data (scan of personal identification card) for identification purposes. Such information were not available on the company's official website nor provided upon direct request via email.