Court case Pn-1378/2023-18 – Court Ruling (Croatia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 16 July 2021, a data subject and a bank (the controller) concluded a Custody Agreement for Financial Instruments. Under this agreement, the bank had to open a custody account for the data subject, safeguard and settle financial instruments, report on account activity, collect income, and keep the data subject informed about the status and changes of the custody account. On the same day, the parties also concluded a Service Agreement, which defined the rights and obligations related to that service. Article 4 of this agreement required the bank to keep all client information confidential in accordance with applicable laws and prohibited disclosure to third parties without written consent or a legal basis. On 11 January 2023, the controller mistakenly sent the data subject’s monthly custodial account statement, which contained sensitive personal and financial data, to another client instead of the data subject. The controller requested that the unintended recipient delete the email and corrected the technical error. The data subject remained uncertain about the extent of the data disclosure. Subsequently, she initiated a lawsuit claiming that this incident caused stress, anxiety, discomfort, and a loss of trust in the controller, and requested compensation for non-material damages. The Court held that the controller violated the data subject’s right to privacy under Croatian law and that this violation constituted non-material damage. It also referred to the violation of GDPR, without pointing out any specific article. The Court awarded compensation on the basis of Croatian civil law, specifically the rules on protection of personality rights and non-material damages under the Croatian Obligations Act. The court explained that the right to privacy is a personal non-property right that gives an individual full authority over their private life, including the ability to exclude others from accessing, collecting, or disclosing personal data without consent. Because
National Law Articles
On 16 July 2021, a data subject and a bank (the controller) concluded a Custody Agreement for Financial Instruments. Under this agreement, the bank had to open a custody account for the data subject, safeguard and settle financial instruments, report on account activity, collect income, and keep the data subject informed about the status and changes of the custody account. On the same day, the parties also concluded a Service Agreement, which defined the rights and obligations related to that service. Article 4 of this agreement required the bank to keep all client information confidential in accordance with applicable laws and prohibited disclosure to third parties without written consent or a legal basis. On 11 January 2023, the controller mistakenly sent the data subject’s monthly custodial account statement, which contained sensitive personal and financial data, to another client instead of the data subject. The controller requested that the unintended recipient delete the email and corrected the technical error. The data subject remained uncertain about the extent of the data disclosure. Subsequently, she initiated a lawsuit claiming that this incident caused stress, anxiety, discomfort, and a loss of trust in the controller, and requested compensation for non-material damages. The Court held that the controller violated the data subject’s right to privacy under Croatian law and that this violation constituted non-material damage. It also referred to the violation of GDPR, without pointing out any specific article. The Court awarded compensation on the basis of Croatian civil law, specifically the rules on protection of personality rights and non-material damages under the Croatian Obligations Act. The court explained that the right to privacy is a personal non-property right that gives an individual full authority over their private life, including the ability to exclude others from accessing, collecting, or disclosing personal data without consent. Because
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Pn-1378/2023-18 in HR
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Pn-1378/2023-18 - Croatia (2025). Retrieved from cookiefines.eu
Last updated: