Security company (name not available at the moment) – Fine (Croatia, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Croatian security company failed to protect video surveillance footage, leading to its unauthorized sharing on social media. The privacy authority found the company didn't have proper security measures in place, exposing a person to public ridicule. This case highlights the importance of maintaining strong data protection practices, especially for companies handling sensitive information.
What happened
An employee of a security company recorded and shared video surveillance footage, which was then posted on social media.
Who was affected
A person captured in the video footage, who was exposed to public insults and ridicule.
What the authority found
The Croatian privacy authority found that the security company lacked adequate security measures to protect personal data, violating GDPR requirements.
Why this matters
This case underscores the need for companies to implement robust security measures to protect personal data. It serves as a reminder that failing to do so can lead to public exposure and reputational damage, especially for companies in the security sector.
GDPR Articles Cited
A data controller using the services of the security company reported the personal data breach to the DPA. The breach arose after an employee of the security company recorded the video surveillance footage with a phone and shared it with a third party. The recording was ultimately made available on social media and in the media.

The DPA found that the security company, as a data processor, enabled the breach by not maintaining adequate and sufficient technical and organizational measures for personal data security for more than two and a half years. Moreover, the processor did not foresee or implement adequate technical security measures following the incident to prevent or minimize the risks. One data subject was consequently exposed to insults and ridicule in public, and the security company did not take any action to remove the recording from social networks and media.

The amount of the fine is unknown at the moment, but the DPA clarified which aggravating circumstances it took into consideration when determining the fine: (i) the fact that the processor did not fulfil its obligation to inform the controller of the incident as required by Art. 33(2) GDPR, and (ii) the fact that the basic activity of the company is the provision of physical and technical protection, which includes the use of video surveillance. The DPA also noted that the fined security company is one of the leading companies in Croatia in that activity and as such should be the relevant entity for providing opinions, guidelines and advice and proposing solutions to controllers on the use of video surveillance systems, and should set an example through its work and pay greater attention to it than others.
Details
Fine Date
22 February 2021
Authority
Agencija za zaštitu osobnih podataka
Enforcement Tracker ID
ETid-566
About this data
Cite as: Cookie Fines. Security company (name not available at the moment) - Croatia (2021). Retrieved from cookiefines.eu