The Croatian Personal Data Protection Agency (AZOP) imposed two new administrative fines for violating the provisions of the General Data Protection Regulation (GDPR) and the Act on the implementation of the General Data Protection Regulation.
Administrative fine for not taking appropriate technical measures
Because a company providing information services in Zagreb (hereinafter: the company), acting as the processor, failed to take appropriate technical security measures for the processing of personal data, a security breach occurred in which hackers gained unauthorized access to, and unauthorized processing of, the personal data of 28,085 data subjects. The processor did not take the measures necessary to achieve a level of security appropriate to the existing and foreseeable risks, and thereby acted contrary to Article 32 (1) (b) and (d) and Article 32 (2) of the General Data Protection Regulation.
The incident was reported to AZOP by the controller, a telecommunications company from Zagreb, which also informed the users of its services in writing about the potential personal data breach.
When processing personal data, the processor is obliged to take appropriate technical security measures that ensure the ongoing confidentiality of the system, to regularly test and evaluate the effectiveness of the technical and organizational measures that secure the processing, and to take into account the risk of unauthorized disclosure of personal data. Given that the company, according to publicly available information, provides IT services to other mobile operators, banks and government institutions in the Republic of Croatia, as well as to companies abroad (USA, UK, Netherlands, etc.), it should be a competent party when giving opinions and guidelines and proposing solutions to controllers on the implementation of web applications, and therefore also on the design and implementation of appropriate technical measures to protect the processing of personal data.
Consequently, in accordance with its powers under Article 58 (2) (i) of the General Data Protection Regulation, the Agency imposed an administrative fine, applying the conditions for its imposition set out in Article 83 of the GDPR and Articles 44, 45 and 46 of the Act on the implementation of the General Data Protection Regulation.
Administrative fine for not marking the object under video surveillance
The Croatian Personal Data Protection Agency, acting ex officio and without prior notice, carried out a direct inspection of the processing of personal data and the enforcement of personal data protection in relation to the collection and processing of personal data by a video surveillance system. It determined that an insurance company based in Zagreb (hereinafter: the company) had not marked or indicated that its business facility (in which technical inspections and vehicle registration are carried out and insurance services are contracted) and the exterior of that facility were under video surveillance. The controller, i.e. the insurance company, thereby acted contrary to Article 27, paragraph 1 of the Act on the implementation of the General Data Protection Regulation. An administrative fine for failing to mark a facility under video surveillance was imposed in accordance with Article 51, paragraph 1, indent 1 of the Act on the implementation of the General Data Protection Regulation.
The Agency considers that the corrective measure in the form of an administrative fine is effective, proportionate and dissuasive, and fully appropriate to the circumstances of both cases.