19 February 2026
The Croatian Personal Data Protection Agency imposed an administrative fine of EUR 100,000.00 on a real estate agency, acting as a controller, for processing contrary to the provisions of the General Data Protection Regulation, specifically in relation to the storage limitation principle, lawfulness of processing, and the implementation of appropriate technical and organisational measures. In particular, the following GDPR infringements were established:
- the controller retained the personal data of 11,887 clients after the purpose of processing had expired, contrary to Article 5(1)(e);
- the controller, without a legal basis, processed clients’ personal data in the form of copies of 898 identity cards, 6 copies of passports, 1 copy of a health insurance card, 1 copy of an identity card of a minor child, 3 copies of bank cards, 1 copy of a residence permit, 2 copies of driving licences, and 2 copies of foreign passports, which constitutes an infringement of Article 6(1) in conjunction with Article 5(1)(c);
- the controller failed to take appropriate technical and organisational measures to ensure that all employees acting under its authority who have access to personal data do not process such data unless instructed by the controller, contrary to Article 32(4).
During the supervisory procedure, the controller’s paper archive contained a total of 11,887 forms titled Mediation Agreement for the Purchase of Real Estate, Mediation Agreement for the Rental/Lease of Real Estate, and Broker’s Sheet (the title depending on the period in which they were concluded and their purpose), together with supporting documentation. These agreements were concluded in the period from as early as 23 September 2010 and no later than 31 December 2019. This breached the storage limitation principle, i.e., the controller’s obligation to keep personal data in a form which permits identification of data subjects only for as long as necessary for the purposes for which the personal data are processed.
In addition, within the archived documentation, 914 copies of personal identification documents and bank cards were found, for which the controller did not demonstrate a legal basis for processing (storage). It is particularly noteworthy that, during the inspection, the company’s director stated that copies of bank cards are not collected, while copies of bank cards were found in the documentation as an integral part of the mediation documentation between the controller and the client. This further confirms a lack of oversight over processing operations and insufficient awareness and training of employees regarding the security of personal data processing, especially given that processing copies of identification documents and financial documents represents a high risk to the rights and freedoms of data subjects.
With regard to technical and organisational measures, it was established that the controller had not ensured sufficient training and supervision of the persons/employees who, under its responsibility, process clients’ personal data, thereby breaching Article 32(4) GDPR, which requires the controller to ensure that any person acting under its authority processes personal data only on the controller’s instructions. The supervisory procedure found that personal data protection training was conducted irregularly and to an insufficient extent.
In the specific case, non-compliance was found to result from the controller’s negligent conduct, and no harm to data subjects was established.