Debt collection company – €5,470,000 Fine (Croatia, 2023)

€5,470,000 | Agencija za zaštitu osobnih podataka | 5 October 2023 | Croatia
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A debt collection company was fined EUR 5,470,000 for mishandling personal data of over 181,000 individuals. They stored sensitive health information without proper security and processed data of people who weren't even their debtors. This case serves as a warning for companies to protect personal data and follow legal guidelines.

What happened

The debt collection company unlawfully processed sensitive personal data, including health information, of 181,641 individuals.

Who was affected

Individuals whose personal data was collected and processed by the debt collection company were affected, including those who were not debtors.

What the authority found

The authority found that the company failed to implement adequate security measures and did not have a valid legal basis for processing sensitive data, violating multiple GDPR articles.

Why this matters

This case highlights the need for strict data protection practices in the debt collection industry. Companies must ensure they have the right legal basis and security measures in place to handle personal data.

GDPR Articles Cited

Art. 5(2) GDPR
Art. 6(1) GDPR
Art. 12(1) GDPR
Art. 13(1) GDPR
Art. 32(1)(b) GDPR

Source verified 5 March 2026
articles corrected
Full Legal Summary

The Croatian DPA (AZOP) has imposed a fine of EUR 5,470,000 on a debt collection company. The investigation was triggered by an anonymous complaint stating that the controller unlawfully processed personal data, with a USB stick attached to the complaint containing personal data of 181,641 individuals. As a controller, the debt collection company unlawfully processed sensitive (health-related) data of its debtors, as well as the data of individuals who were not in a debtor-creditor relationship with it, most often collecting telephone number, first and last name and residential address. It was determined that the data controller did not adequately implement technical protection measures that could have detected the leakage of data from its system in a timely manner. Although there was a security system, the DPA determined that, due to deficiencies, the company lost control over the movement of its data subjects' personal data. Furthermore, the company recorded comments related to debtors' state of health, which the DPA found to be excessive processing without an adequate legal basis. Additionally, the DPA determined that the data controller unlawfully recorded telephone conversations with data subjects, as the legitimate interest assessment needed to establish a legal basis for the processing had not been conducted before the processing began. Finally, the DPA found that the data subjects had not been transparently informed about the processing of their data.

Related Enforcement Actions (0)

No other enforcement actions found for Debt collection company in HR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

5 October 2023

Authority

Agencija za zaštitu osobnih podataka

Fine Amount

€5,470,000

Enforcement Tracker ID

ETid-2063

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Debt collection company - Croatia (2023). Retrieved from cookiefines.eu
