Telecommunications operator (operator of electronic communications networks and services) – €4,500,000 Fine (Croatia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequacy decision. The Serbian processor had administrator access to the controller’s SAP CRM database covering 847,862 data subjects, with access to extensive customer data (including name, Personal Identification Number, address, service/installation/billing addresses, contact details, email, IBAN for SEPA direct debit users, MSISDN, ICCID, and service information). The controller also failed to conduct a transfer risk assessment before commencing transfers. In addition, the controller did not transparently inform data subjects about third-country transfers, using vague “may” language in privacy policies instead of clearly stating that data are transferred outside the EEA, thereby breaching transparency obligations. Separately, the controller excessively processed employee data by collecting copies of employees’ ID cards and certificates of no criminal proceedings without a valid legal basis and contrary to the data minimisation and purpose limitation principles; notably, it disregarded its DPO’s opinion flagging such collection as excessive. Finally, the controller failed to carry out prior checks of a telesales processor’s security measures and engaged a processor lacking even basic safeguards, in breach of Article 28(1) GDPR.
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Telecommunications operator (operator of electronic communications networks and services) in HR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 24 November 2025
Authority: Agencija za zaštitu osobnih podataka
Fine Amount: €4,500,000
Enforcement Tracker ID: ETid-2937
About this data
Cite as: Cookie Fines. Telecommunications operator (operator of electronic communications networks and services) - Croatia (2025). Retrieved from cookiefines.eu