Croatian data protection agency fines B2 Kapital EUR 2.26 million over GDPR failure, criminal investigation ongoing
"In accordance with Article 83 of the General Data Protection Regulation, the controller has not concluded a personal data processing contract with the processor for the service of monitoring simple consumer bankruptcy and thus jeopardizes the security of the personal data of 896 14 data subjects (OIB), since the conclusion of a contract with the processor is one kind of security lever that ensures that the rules of personal data processing, and their course in the business relationship between the controller and the processor, are clearly agreed, and that the controller ensures that the processor satisfies the technical and organisational protection measures for the processing of the personal data of a large number of data subjects.
"It was found that the said infringement lasted from the acceptance of the offer to provide a simple consumer bankruptcy service, i.e. from 26 February 2019 to February 2021, when the business cooperation was terminated.
"The controller has not taken appropriate technical and organisational measures to protect the processing of personal data, which is contrary to Article 32(1)(b) and (d) and Article 32(2) of the General Data Protection Regulation.
"Failure to take appropriate measures resulted in a breach of the security of the personal data of all data subjects (at least 132 652 at the time of supervision), i.e. their basic identification data (at least in the structure: name and surname, date of birth and OIB) and consequently all personal data filed in the storage systems of the debt collection agency, which are of a financial nature and are thus quite sensitive.
"The proceedings found that the violation has lasted since at least 2019 and has not yet been remedied, all due to the failure to take appropriate protection measures.
"Namely, in December 2022, the Personal Data Protection Agency received an anonymous petition stating that the debt collection agency was carrying out unauthorized processing of a large number of personal data of natural persons (debtors). The petition was accompanied by a USB stick containing personal data in the structure name and surname, date of birth and OIB for a total of 77,317 natural persons who had an outstanding debt to credit institutions, which had been purchased by the debt collection agency on the basis of a cession contract.
"Acting ex officio, the Agency initiated a supervisory procedure in December 2022 and conducted a procedure in which the three previously described infringements were identified, resulting from negligent conduct by the controller (the debt collection agency).
"The controller bears the greatest degree of responsibility for the failure to take technical protection measures, since it is precisely because of deficiencies in such a security system that a large number of personal data have been processed unsafely.
"The debt collection agency lost full control over the movement of the personal data of its data subjects and could not explain the causes of the unauthorized exfiltration (extraction) of personal data.
"Likewise, as an aggravating circumstance in the conducted administrative procedure, certain shortcomings in cooperation were identified. Namely, after several letters sent by the Agency requesting additional comments or documentation from the controller, the controller responded to them only in the last days of the set deadline and sent letters requesting an extension of the deadline and clarification of the requested circumstances, although it could have requested the same earlier, which to some extent delayed the proceedings.
"Also, despite repeated requests from the Agency for the Protection of Personal Data for certain documentation (a list of system records), the controller did not submit it.
"In conclusion, we state that this particular case is a violation of several provisions of the General Data Protection Regulation by one of the leading companies in the field of debt collection, which should not have allowed itself to process the personal data of a large number of data subjects in an opaque and unsafe way.
"Also, the controller would probably never have noticed the exfiltration of the personal data of a large number of data subjects, at least 77 317 of them, from its system if the Personal Data Protection Agency had not received an anonymous report and carried out supervisory activities. To this day, the controller has not clarified all the circumstances of the infringement, i.e. the removal of a certain scope of personal data outside its storage system, which further indicates inadequate protection measures by the controller.
"We also point out that this particular case also involves possible individual criminal liability, i.e. the commission of a criminal offence, which falls within the competence of the Ministry of the Interior, which is conducting a criminal investigation within its competences."