4 May 2023
The Croatian Personal Data Protection Agency imposed an administrative fine of 2,265,000.00 EUR (17,065,642.50 HRK) on the data controller, the Debt Collection Agency B2 Kapital d.o.o., due to the following violations of the General Data Protection Regulation:
1. The data controller did not inform its data subjects, in an accurate and clear manner, about the processing of their personal data through the notification on the processing of personal data (privacy policy) regarding the legal basis for the return of overpaid funds, contrary to Article 13, paragraph 1 of the General Data Protection Regulation. This resulted in non-transparent processing of the data subjects' personal data (that is, incorrect information regarding the legal basis of the processing under Article 6, paragraph 1 of the General Data Protection Regulation); there were (at least) 132,652 such data subjects at the time of the supervisory activity. The privacy policy still remains unchanged, so the violation has not yet been remedied, i.e. it has lasted from 25 May 2018 until today.
2. Contrary to Article 28, paragraph 3 of the General Data Protection Regulation, the data controller did not conclude a contract on the processing of personal data with the data processor providing the service of monitoring simple consumer bankruptcy, and thus the security of the personal data (personal identification numbers) of 83,896 data subjects was put at risk. Concluding a contract with a processor is one of the safety measures that ensures that the rules on the processing of personal data, and on the flow of that data in the business cooperation between the controller and the processor, are clearly agreed upon, and that the data controller can ensure that the data processor satisfies the technical and organizational measures protecting the personal data of a large number of data subjects. It was established that this violation lasted from the day the offer to provide the service of monitoring simple consumer bankruptcy was accepted, that is, from 14 February 2019, until 26 February 2021, when the business cooperation was terminated.
3. The data controller did not apply appropriate technical and organizational protection measures while processing personal data, contrary to Article 32, paragraph 1, points b) and d) and paragraph 2 of the General Data Protection Regulation. Because appropriate measures were not applied, the security of the personal data of all data subjects (at least 132,652 at the time of the supervision) was compromised, that is, their basic identification data (at least in the structure: first and last name, date of birth and personal identification number) and, as a result, all the personal data in the storage systems of the Debt Collection Agency, which is financial information and therefore quite sensitive. In the procedure, it was established that the violation has been ongoing since at least 2019 and has not been remedied to date, all because appropriate protective measures were not applied.
Namely, in December 2022 the Personal Data Protection Agency received an anonymous complaint stating that a large number of personal data of natural persons (debtors) were being processed without authorization by the Debt Collection Agency. Attached to the complaint was a USB stick containing personal data in the structure of first and last name, date of birth and personal identification number for a total of 77,317 natural persons who had outstanding debts with credit institutions, debts which the Debt Collection Agency had purchased under a cession agreement.
In December 2022 the Agency initiated the supervisory procedure ex officio and carried out the activities in which all three violations described above were established, resulting from the negligent conduct of the data controller (the Debt Collection Agency). The data controller therefore bears the greatest degree of responsibility for failing to undertake technical protection measures: a deficiency in its security system led to insecure processing of personal data on a large scale. The Debt Collection Agency lost control over the flow of the data subjects' personal data and could not explain the causes of the unauthorized exfiltration (extraction) of personal data.
Likewise, certain shortcomings in cooperation were established as an aggravating circumstance in the administrative procedure. After several official requests in which the Agency asked the data controller for additional statements or documentation, the responses came only in the final days of the set deadline, together with requests to extend the deadline and for clarification of the circumstances, although such clarification could have been requested much earlier; this delayed the procedure to a certain extent. Also, despite repeated requests from the Personal Data Protection Agency for certain documentation (a list of system records), the data controller did not provide it.
As an additional aggravating circumstance, the fact that the data controller has not yet informed the Agency of any additional protection measures taken to prevent the future risk of the established violations, and has not adjusted the privacy policy available on its website, has also been taken into account.
In conclusion, this case concerns the violation of several provisions of the General Data Protection Regulation by one of the leading companies in the field of debt collection, which has been processing the personal data of a large number of data subjects in a non-transparent and insecure manner. Moreover, the data controller would probably never have noticed the exfiltration of a large number of data subjects' personal data from its system, at least for 77,317 of them, had the Personal Data Protection Agency not received the anonymous report and carried out supervisory activities. The controller did not clarify all the circumstances of the resulting violation, i.e. the transfer of a certain amount of personal data outside its storage system, which further indicates inadequate protection measures on the part of the data controller.
We also point out that this case may involve individual criminal liability, that is, the commission of a criminal offense, which falls within the responsibility of the Ministry of the Interior, which conducts criminal investigations within its jurisdiction.