The Croatian Data Protection Authority has investigated a debt collection agency after receiving an anonymous petition alleging that the agency was violating the GDPR (link in Croatian). The DPA was advised that the agency was processing large amounts of personal data that it was not authorized to process. The personal data belonged to debtors with outstanding debts to credit institutions; the debt collection agency had purchased the data under a cession agreement. The data included:
- First and last names
- Dates of birth
- Personal identification numbers
for 77,317 people.
Additionally, the controller failed to enter into an adequate contract with the processor governing the processing of personal data, and did not take appropriate technical and organizational protection measures when processing the data. By failing to take those measures, it compromised the security of the personal data of all the data subjects concerned (at least 132,652 people). The violation has been ongoing since at least 2019 and, as of the date of the DPA's fine, had not been remedied.
The company has been ordered to pay a fine of HRK 17,065,642.50 (USD 2,475,112). A number of aggravating factors were taken into account when the fine was determined. Firstly, the violations were due to negligent actions that led to unsafe processing. The company also completely lost control over the movement of the data and could not explain the unauthorized exfiltration.
Value Privacy's experts are on hand to make sure that you and your company are not caught out by new or existing privacy laws.
You can find out more about the services we offer, or get in touch with us directly with any questions you have about how privacy laws affect you.