Following ex officio proceedings, the Croatian Personal Data Protection Agency imposed an administrative fine on a telecommunications operator (an operator of electronic communications networks and services), in its capacity as controller, in the total amount of EUR 4,500,000.00 for violations of the General Data Protection Regulation. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.
The controller transferred personal data of its users to a data importer (processor) in the Republic of Serbia, a company within the same corporate group responsible for software maintenance. From 16 April 2020 until no later than 27 December 2022, the transfer was based on standard contractual clauses. After that date, however, the controller did not conclude standard contractual clauses* with the Serbian processor, so the transfer continued without appropriate safeguards. The Serbian processor had administrative access to the entire SAP CRM database, i.e. unrestricted access to the personal data (847,862 records in total) of the controller’s users/data subjects. This covered the following personal data: name and surname, personal identification number (OIB), address as shown on the identity card, service address, billing address, contact number, email address, IBAN (for users with a SEPA direct debit mandate), MSISDN (telephone number linked to a SIM card), ICCID (serial number identifying each SIM or eSIM card), and data on contracted services. In addition, the controller did not carry out a Transfer Risk Assessment (TRA) for the transfer to Serbia, which it was required to perform before initiating any transfer of personal data to a third country. These actions are contrary to Article 44 in conjunction with Article 46(1) GDPR.
The controller also failed to inform data subjects about this transfer to the Republic of Serbia, a country outside the European Economic Area, as required under Article 13(1)(f) GDPR. A review of the privacy policies showed that the controller did not use clear language indicating that personal data would be transferred outside the EEA. Instead, it used formulations such as personal data “may” be shared with third countries or that data are “as a rule” processed within the European Union and only exceptionally outside it, which is contrary to Article 12(1) GDPR.
Furthermore, the controller processed its employees’ personal data excessively by collecting copies of their identity cards, contrary to Article 6(1) in conjunction with Article 5(1)(c) and (2) GDPR. An aggravating factor was that the controller disregarded the opinion of its Data Protection Officer, who had advised that, given the nature of the data, collecting copies of identity cards could be considered excessive in relation to the stated purpose.
Similarly, the controller collected certificates of no criminal proceedings from its employees, contrary to Article 6(1) in conjunction with Article 5(1)(b) and (2) GDPR.
Finally, the processor that the controller engaged to provide telemarketing services did not have even basic security measures in place. Under Article 28(1) GDPR, the controller was required to verify, before the processing began, that the processor provided sufficient guarantees of appropriate technical and organisational measures; the controller did not carry out this prior due diligence on the processor’s security measures before engaging it.
*Since the European Commission has not adopted an adequacy decision for the Republic of Serbia under Article 45(3) GDPR, the controller was required to base regular transfers of personal data on one of the transfer instruments listed in Article 46 GDPR (legally binding instruments between public authorities, binding corporate rules, standard contractual clauses, codes of conduct, approved certification mechanisms, contractual clauses, or provisions in administrative arrangements).