The Croatian Data Protection Authority (AZOP) investigated a debt collection agency after receiving an anonymous complaint that the agency was violating GDPR (the decision is published in Croatian). The complaint alleged that the agency was processing large amounts of personal data that it was not authorised to process. The data concerned debtors with outstanding debts to credit institutions, and the agency had acquired it from those institutions under a cession (assignment of claims) agreement. The data included:
- First and last names
- Dates of birth
- Personal identification numbers for 77,317 people.
GDPR Violations
The controller did not inform the data subjects about the processing. Because the data was obtained from the credit institutions rather than from the debtors themselves, this information was owed under Article 14 GDPR and should have been provided, for example, through a privacy policy. The debtors were also not told the legal basis for the processing in connection with the return of overpaid funds, which directly contravenes the GDPR's transparency requirements. The processing was therefore carried out in a non-transparent way, and the information that was given stated an incorrect legal basis.
Additionally, the controller failed to enter into an adequate data processing contract with its processor, as Article 28 GDPR requires. It also did not implement appropriate technical and organisational measures to protect the data (Article 32 GDPR). By failing to do so it compromised the security of the personal data of all affected data subjects (at least 132,652 people). This violation had been ongoing since at least 2019 and, as of the date of the DPA's decision, had not been remedied.
Outcome
The company was ordered to pay a fine of HRK 17,065,642.50 (about USD 2,475,112). Several aggravating factors were taken into account when the fine was set. First, the violations stemmed from negligent conduct that resulted in insecure processing. The company had also completely lost control over where the data had gone and could not explain how it had been exfiltrated without authorisation.
The company failed to respond to several letters from the DPA, which delayed the proceedings, and it never informed the DPA whether it had put additional protective measures in place to prevent further violations. Its privacy policy had still not been updated when the decision was issued.

Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.
You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.