Hospital – €20,000 Fine (Croatia, 2025)

Fine: €20,000
Authority: Agencija za zaštitu osobnih podataka
Date: 24 March 2025
Country: Croatia
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32(1)(b) and (d) and Art. 32(2) GDPR. Following a cyberattack, it was established that over a period of seven days at least 3 GB of personal data had been unlawfully copied from the hospital's systems. The attacker allegedly gained initial access through social engineering and a VPN connection, exploited an outdated operating system, and obtained domain administrator rights. Beyond the data exfiltration, numerous servers were locked, backups were deleted, and unauthorized executable files were launched. AZOP found that key security measures, including access restrictions, monitoring, incident response, and corrective actions, were either missing or insufficient, which significantly contributed to the success of the attack.

GDPR Articles Cited

Art. 32(1)(b) GDPR
Art. 32(2) GDPR
Details

Fine Date

24 March 2025

Authority

Agencija za zaštitu osobnih podataka

Fine Amount

€20,000

Enforcement Tracker ID

ETid-2605

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hospital - Croatia (2025). Retrieved from cookiefines.eu
