Croatian Data Protection Agency issues two new fines for violation of the GDPR


The Agency determined that the unnamed teleoperator had implemented certain organizational and technical measures to ensure the security of personal data processing, but that in the specific case of a cyber-attack, during which there was unauthorized access to the personal data of approximately 100,000 people, these measures were neither sufficient nor adequate. When determining the amount of the fine, the Agency took as an aggravating factor the fact that the teleoperator failed to implement more complex security measures before, during, and after the violation, considering the latest developments, the nature and purposes of the processing, the risks, and the large volume of personal data it processes as one of the leading companies providing telecommunications services in Croatia.

Another administrative fine was issued to a car dealer and service center based in Zagreb for not marking the object under video surveillance.

In the first case, the teleoperator notified both the Agency and the users of a security incident, while in the second case, the Agency carried out direct supervision of the car dealer and service center, ex officio, without prior notice.

Since the GDPR entered into force, the Croatian Data Protection Agency has issued 8 administrative fines for violation of the GDPR. Of these 8 fines, 4 relate to the failure to take appropriate security measures for the processing of personal data, 2 relate to the violation of provisions on video surveillance, both for not marking an object under video surveillance, and the remaining 2 were issued for not providing a copy of personal data to data subjects at their request.

It is interesting that the Croatian Data Protection Agency, unlike all other supervisory bodies in the EU, does not publish the text of official decisions or the names of the companies. This is because, under the Croatian Law on the Implementation of GDPR, the Agency’s opinions and decisions that are published on the Agency's website have to be anonymized or pseudonymized. In addition, the Agency started publishing the amounts of fines in 2022, so the public has no insight into the highest fine determined so far.