Company – €80,000 Fine (Croatia, 2025)

€80,000Agencija za zaštitu osobnih podataka24 March 2025Croatia
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Croatian company was fined EUR 80,000 for improperly accessing personal data from a vehicle registry. They monitored parking lots but went beyond their allowed use of the data, violating privacy rules. This case highlights the importance of having a valid legal basis for data access.

What happened

The company accessed personal data from the Croatian vehicle registry without a valid legal basis.

Who was affected

Individuals whose license plate numbers and owner information were accessed by the company.

What the authority found

The authority ruled that the company violated multiple GDPR articles by processing personal data without a valid legal basis.

Why this matters

This ruling emphasizes that companies must strictly adhere to the limits of their data access rights. It serves as a reminder for businesses to ensure they have proper agreements and protective measures in place when handling personal data.

GDPR Articles Cited

AI-verified

Art. 5(1)(b) GDPR
Art. 6(1) GDPR
Art. 32(2) GDPR
View original scraped data
Art. 5(1) b) GDPR
Art. 6(1) GDPR
Art. 32(2) GDPR
(4) GDPR

Original data from scraper before AI verification against source document.

Source verified 10 March 2026
articles corrected
national law identified
Croatia enforcementAgencija za zaštitu osobnih podataka actionsAll Company actions
Full Legal Summary
Detailed

The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior's (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, the actual use went beyond the scope of this concession. In addition, a data processing agreement with the hospital was missing, the system was operated without appropriate technical and organizational protective measures, and there was no legal basis for processing the data. Thus, the company was fined for breaching Art. 5 (1) (b), Art. 6 (1), and Art.32 (2) and (4) GDPR.

Related Enforcement Actions (3)

Other enforcement actions involving Company in HR

Fine
Feb 2024· Agencija za zaštitu osobnih podataka

The company was fined for loading non-essential cookies before obtaining valid consent and for not providing adequate cookie and privacy information.

€20K
Fine
Sept 2024· Agencija za zaštitu osobnih podataka

The Croatian DPA (AZOP) has imposed fines totaling EUR 35,700 on nine companies for failing to adequately indicate their video surveillance areas and ...

€36K
Fine
Mar 2025· Agencija za zaštitu osobnih podataka

The Croatian DPA (AZOP) has imposed a fine of EUR 40,000 on a company that published personal data of sole traders on its website. The data originated...

€40K
Current
Mar 2025

Fine

€80K

Details

Fine Date

24 March 2025

Authority

Agencija za zaštitu osobnih podataka

Fine Amount

€80,000

Enforcement Tracker ID

ETid-2603

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Croatia (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: