October 5th, 2023
The Croatian Personal Data Protection Agency imposed an administrative fine of 5,470,000.00 EUR (41,213,715.00 HRK) on EOS Matrix d.o.o. as a data controller for the following violations of the General Data Protection Regulation:
1. The controller did not take appropriate technical measures to protect the personal data of data subjects held in its storage systems, contrary to Article 32 paragraph 1 point b) and paragraph 2 of the General Data Protection Regulation.
2. The controller processed, in its database (application), the personal data of data subjects who are not in a debtor-creditor relationship with it, without determining a legal basis under Article 6 paragraph 1 of the General Data Protection Regulation.
3. The controller processed a special category of personal data (health data) of data subjects in its database (application) without determining a legal basis under Article 6 paragraph 1 and, in connection with this, Article 9 paragraph 2 of the General Data Protection Regulation.
4. The controller did not inform data subjects in a transparent and prescribed manner, in its privacy policies, about the processing of their health data, contrary to Article 12 paragraph 1 and, in this regard, Article 13 paragraphs 1 and 2 of the General Data Protection Regulation.
5. For the recording of telephone conversations with data subjects in the period from May 25, 2018, to January 16, 2019, the controller did not identify a legal basis under Article 6 paragraph 1 of the General Data Protection Regulation and, in connection with the above, violated Article 5 paragraph 2 of the General Data Protection Regulation.
6. The controller did not inform data subjects in an understandable and clear way that telephone conversations were being recorded, and thus acted contrary to Article 12 paragraph 1 of the General Data Protection Regulation.
The Personal Data Protection Agency received an anonymous complaint on March 22, 2023, stating that EOS Matrix d.o.o. had processed, without authorization, a large quantity of personal data belonging to individuals (debtors). A USB stick was attached to the complaint containing 181,641 personal data records of natural persons, each consisting of first and last name, date of birth and personal identification number, relating to persons who had outstanding debts to original creditors that EOS Matrix d.o.o. had purchased under cession agreements. The complaint further stated that the database included 294 natural persons who were minors at the time it was compiled. Upon receiving the complaint, the Agency conducted a supervisory procedure over the data controller, EOS Matrix d.o.o.
With regard to point 1 above, it was determined that the data controller had not implemented sufficient technical measures to recognize, in a timely manner, activity in the processing system (the main database, in which the personal data of about 370,000 data subjects are processed) that deviates from the usual pattern (e.g. an increased number of retrievals from the database, transfer of data outside the system, compromise of user access, etc.). A system that could warn of anomalies in the processing system, notify the responsible persons through an alarm and/or trigger an automated measure to prevent further unauthorized activity was implemented only in 2021. Precisely because of these deficiencies in the security system, the personal data of a large number of data subjects was processed insecurely; the company lost control over the movement of its data subjects' personal data and could not explain the cause or method of the data exfiltration, which further indicates careless handling of a large volume of its data subjects' personal data.
In other words, the data controller did not implement technical measures sufficient to ensure a level of security appropriate to the risk, as required by Article 32 of the General Data Protection Regulation.
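The control the Agency found missing is, in engineering terms, anomaly detection over the database's own audit trail: per-user retrieval volumes compared against that user's normal baseline, plus an alert on any transfer of records outside the system. The following Python sketch is an added illustration, not code from the page or from the controller's systems. The audit-log line format, the user names, the daily counts and the thresholds (an absolute floor of 500 records and a factor of 5 over the user's median daily volume) are all constructed assumptions for the example.

```python
"""Added example: flag bulk retrievals and outbound transfers in a database audit log.

All sample data below is constructed; the field names and thresholds are
assumptions for this illustration, not the controller's real configuration.
"""
import re
from collections import defaultdict
from statistics import median

# Hypothetical audit-log line format assumed for this example:
#   <ISO timestamp> user=<id> action=<RETRIEVE|EXPORT> count=<records>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+"
    r"action=(?P<action>\S+)\s+count=(?P<count>\d+)$"
)

# Assumed tuning: a day's retrievals must exceed both an absolute floor and a
# multiple of the user's own median daily volume before an alert is raised.
ABS_FLOOR = 500
BASELINE_FACTOR = 5

# Constructed sample log: two agents with normal daily volumes, one export
# event, and one night-time retrieval far above the agent's baseline.
SAMPLE_LOG = """\
2018-11-01T09:12:03 user=agent17 action=RETRIEVE count=42
2018-11-01T09:40:10 user=agent22 action=RETRIEVE count=30
2018-11-02T08:55:41 user=agent17 action=RETRIEVE count=38
2018-11-02T10:02:17 user=agent22 action=RETRIEVE count=33
2018-11-03T09:01:09 user=agent17 action=RETRIEVE count=45
2018-11-03T11:20:54 user=agent22 action=RETRIEVE count=29
2018-11-03T11:25:00 user=agent22 action=EXPORT count=50
2018-11-04T02:14:37 user=agent17 action=RETRIEVE count=180000
2018-11-04T09:10:22 user=agent22 action=RETRIEVE count=31
"""


def parse_log(text):
    """Return (day, user, action, count) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["day"], m["user"], m["action"], int(m["count"])))
    return events


def daily_retrievals(events):
    """Sum RETRIEVE counts per (user, day)."""
    totals = defaultdict(int)
    for day, user, action, count in events:
        if action == "RETRIEVE":
            totals[(user, day)] += count
    return totals


def detect_anomalies(events):
    """Return alerts for (a) a day's retrieval volume far above the user's own
    median daily volume on other days and (b) any transfer outside the system."""
    alerts = []
    per_user = defaultdict(dict)
    for (user, day), count in daily_retrievals(events).items():
        per_user[user][day] = count
    for user, days in per_user.items():
        for day, count in days.items():
            # Median of the user's other days is robust to a single spike.
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            threshold = max(ABS_FLOOR, BASELINE_FACTOR * baseline)
            if count > threshold:
                alerts.append({"day": day, "user": user, "kind": "bulk_retrieval",
                               "count": count, "threshold": threshold})
    for day, user, action, count in events:
        if action == "EXPORT":
            alerts.append({"day": day, "user": user, "kind": "outbound_transfer",
                           "count": count, "threshold": 0})
    return sorted(alerts, key=lambda a: (a["day"], a["user"]))


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this raises exactly two alerts: the export by agent22 on 2018-11-03 and the 180,000-record retrieval by agent17 on 2018-11-04, while the ordinary daily volumes stay well below the threshold. In a real deployment the alerts would feed a ticketing or SIEM pipeline and, for the bulk-retrieval case, could trigger an automated session revocation, which is the kind of "alarm and/or automated measure" the decision refers to.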
In the supervisory procedure it was established that EOS Matrix d.o.o. also processed personal data (most often telephone number, first and last name, and residential address) of persons who are neither debtors nor legal representatives of heirs in debtor-creditor relationships, and for whom there was no legal basis under Article 6 paragraph 1 of the General Data Protection Regulation for their personal data to be actively entered into the database and further processed for the purpose of collecting debtors' claims.
Regarding the processing of health data, it was established that EOS Matrix d.o.o., after communicating with data subjects, actively recorded comments about the debtor's state of health in its internal database alongside certain data subjects' records. Particularly worrying is that the health condition of the data subjects in question was tracked down to individual diagnoses, including terminal illnesses, which exposes their privacy almost completely to anyone authorized to access the application (database) used by EOS Matrix d.o.o. employees. EOS Matrix d.o.o. argued that the data subjects themselves had provided this information; however, that does not mean the information may be actively entered into the database, thereby enriching it and processing the data further. For someone's health data to be actively recorded, the data subject would have to have manifestly made that data public (e.g. through mass media, social networks, etc.), which certainly does not apply to a telephone conversation between two people, which can be considered a form of confidential conversation. Consequently, the exception for processing health data under Article 9 paragraph 2 point e) of the General Data Protection Regulation does not apply in this case. Furthermore, neither performance of a contract nor legitimate interest (which the company relied on) can serve as a legal basis, since processing health data is not necessary to achieve the intended purpose.
If the goal was more efficient debt collection and avoiding contact while a debtor is unwell, the same purpose could have been achieved by recording a general note that contact should be avoided for a certain period because of the debtor's personal circumstances, without recording specific health data.
Also in relation to the processing of health data, an analysis of the first three privacy policies, in force from May 25, 2018, to October 29, 2020, showed that EOS Matrix d.o.o. stated that it does not and will not process health data. This made the processing non-transparent, since data subjects could not expect that health data they mentioned in a telephone conversation would be actively recorded in the database and further processed, which led to the violations listed in point 4. Because of this method of processing, data subjects did not know that their health data was available to all authorized persons with access to the EOS Matrix d.o.o. database in question.
Likewise, in the period from May 25, 2018, to January 16, 2019, the personal data of 49,850 data subjects was processed by recording telephone conversations without determining a legal basis under Article 6 paragraph 1 of the General Data Protection Regulation, and in relation to this the provisions of Article 5 paragraph 2 of the General Data Protection Regulation were also violated. Specifically, only on January 16, 2019, did EOS Matrix d.o.o. conduct a legitimate interest assessment and determine that it had a legal basis under Article 6 paragraph 1 point f) for recording telephone conversations. It is crucial to emphasize that relying on legitimate interest requires the data controller to demonstrate, before the processing begins, that its interest in that processing (here, the recording of telephone conversations) outweighs the interests, rights and freedoms of the data subject/debtor.
Furthermore, regarding the recording of telephone conversations, it was established that EOS Matrix d.o.o. has since 2014 (relevant from May 25, 2018) used the functionality of recording telephone conversations with debtors, with a notice that the conversation "may" be recorded. In any processing of personal data, data processors are obliged to proactively communicate to data subjects, in clear, unambiguous and understandable language, all of their rights under the General Data Protection Regulation. With the wording "may be recorded", debtors could not tell whether the conversation was being recorded or could only be recorded in certain situations, so they did not even know whether their personal data was being processed in that way. EOS Matrix d.o.o. should have used the clear formulation "this conversation is being recorded for the purpose of..."; that would have complied with Article 12 paragraph 1 of the General Data Protection Regulation, whereas the wording actually used violated it.
During the supervisory procedure the Agency also examined the allegations in the complaint concerning the processing of minors' personal data. It was established that such data is processed only in cases of inheritance, and that in those cases proactive communication for the purpose of settling the debt is carried out exclusively through the minor's legal representative. EOS Matrix d.o.o. does not collect from minors; if it receives data relating to minors, it returns the data to the sender or, where repurchase is not possible, the debt is written off.
In this particular instance, the precise method by which the 181,641 personal data records were exfiltrated has not been ascertained. Given the nature of the case, it raises concerns about the possible commission of criminal offences involving unauthorized use of personal data and offences against computer systems, programs and data, over which the Ministry of the Interior has jurisdiction. It should be highlighted that the Agency is actively cooperating with the Zagreb Police Department and the Zagreb Municipal State Attorney's Office, both of which are conducting investigative activities in connection with this incident.
Although EOS Matrix d.o.o. denies that the personal data were exfiltrated from its storage system, and states that the same personal data is also held in the storage systems of certain state administration bodies, it is crucial to note that information about an individual's debtor-creditor relationship with EOS Matrix d.o.o., together with the other personal details, is recorded exclusively in the EOS Matrix d.o.o. system and is not found in the storage system of any other institution. Furthermore, each original creditor holds data only on its own clients/debtors whose debts have been sold to EOS Matrix d.o.o., not on the full set of records.