EOS Matrix d.o.o. – €5,470,000 Fine (Croatia, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
EOS Matrix d.o.o. was fined EUR 5,470,000 for improperly processing personal data of over 181,000 people, including minors. They failed to protect this data and did not inform individuals about how their data was used. This ruling stresses the importance of transparency and security in handling personal information.
What happened
EOS Matrix d.o.o. processed personal data of 181,641 individuals without proper legal grounds and security measures.
Who was affected
Individuals, including minors, whose personal data was improperly processed by EOS Matrix were affected.
What the authority found
The authority determined that EOS Matrix did not comply with GDPR requirements for data protection and transparency, lacking valid legal bases for processing sensitive data.
Why this matters
This case serves as a critical reminder for companies to ensure they have appropriate security measures and legal justifications for processing personal data, especially when it involves vulnerable groups like minors.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The DPA received an anonymous petition stating that EOS Matrix had unauthorized processing of a large number of personal data (of debtors). A USB stick containing 181,641 personal data of natural persons in the structure of first and last name, date of birth and OIB, who had outstanding debts to initial creditors that were purchased by EOS Matrix based on the cession agreement. Likewise, in the petition, it was stated that the database also includes 294 natural persons who were minors at the time. DPA has concluded: 1. The controller did not take appropriate technical measures to protect the processing of the personal data contained in the storage systems, which is contrary to Article 32 paragraph 1 point b) and paragraph 2 of the GDPR; 2. The controller processed the personal data of respondents who are not in a debtor-creditor relationship in their database without the existence of a legal basis from Article 6, paragraph 1 of the GDPR; 3. The controller processed special category (health data) in its database without the existence of a legal basis from Article 6, paragraph 1, and in connection with this, Article 9, paragraph 2 of the GDPR; 4. The data controller did not inform the data subjects in a transparent and prescribed manner about the processing of their health data in the privacy policies, which is contrary to Article 12 paragraph 1 of the GDPR and, in this regard, to Article 13 paragraphs 1 and 2; 5. For the recording of telephone conversations with data subjects in the period from May 25, 2018 to January 16, 2019, the data controller did not have an established legal basis from Article 6, paragraph 1 of the GDPR, and in this connection there was also a violation of Article 5, paragraph 2; 6. The controller did not inform the data subjects in an understandable and clear way about the processing of personal data in the form of recording telephone conversations, and thus acted contrary to Article 12, paragraph 1 of the GDPR. Regarding the point 1 it was
Related Enforcement Actions (0)
No other enforcement actions found for EOS Matrix d.o.o. in HR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
5 October 2023
Authority
Agencija za zaštitu osobnih podataka
Fine Amount
€5,470,000
GDPRhub ID
gdprhub-6311About this data
Cite as: Cookie Fines. EOS Matrix d.o.o. - Croatia (2023). Retrieved from cookiefines.eu
Last updated: