Court case Pn-1378/2023-18 – Court Ruling (Croatia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Croatian court ruled that a bank violated a customer's privacy by mistakenly sending their sensitive account information to another client. This matters because it shows that companies must protect personal data and can be held accountable for mistakes that cause harm to individuals. The court awarded compensation for the distress caused.
What happened
The bank accidentally sent a customer's monthly account statement containing sensitive information to another client.
Who was affected
The customer whose account information was mistakenly sent was affected by this incident.
What the authority found
The court found that the bank violated the customer's right to privacy under Croatian law and awarded compensation for the non-material damages caused.
Why this matters
This case emphasizes the need for companies to have strong data protection measures in place. It also highlights that individuals can seek compensation for emotional distress caused by privacy violations.
National Law Articles
On 16 July 2021, a data subject and a bank (the controller) concluded a Custody Agreement for Financial Instruments. Under this agreement, the bank had to open a custody account for the data subject, safeguard and settle financial instruments, report on account activity, collect income, and keep the data subject informed about the status and changes of the custody account. On the same day, the parties also concluded a Service Agreement, which defined the rights and obligations related to that service. Article 4 of this agreement required the bank to keep all client information confidential in accordance with applicable laws and prohibited disclosure to third parties without written consent or a legal basis. On 11 January 2023, the controller mistakenly sent the data subject’s monthly custodial account statement, which contained sensitive personal and financial data, to another client instead of the data subject. The controller requested that the unintended recipient delete the email and corrected the technical error. The data subject remained uncertain about the extent of the data disclosure. Subsequently, she initiated a lawsuit claiming that this incident caused stress, anxiety, discomfort, and a loss of trust in the controller, and requested compensation for non-material damages. The Court held that the controller violated the data subject’s right to privacy under Croatian law and that this violation constituted non-material damage. It also referred to the violation of GDPR, without pointing out any specific article. The Court awarded compensation on the basis of Croatian civil law, specifically the rules on protection of personality rights and non-material damages under the Croatian Obligations Act. The court explained that the right to privacy is a personal non-property right that gives an individual full authority over their private life, including the ability to exclude others from accessing, collecting, or disclosing personal data without consent. Because
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Pn-1378/2023-18 in HR
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Pn-1378/2023-18 - Croatia (2025). Retrieved from cookiefines.eu
Last updated: