POST Online Media Lite Edition


Croatian data protection agency fines B2 Kapital EUR 2.26 million over GDPR failure, criminal investigation ongoing

Christian Fernsby |
The Personal Data Protection Agency imposed an administrative fine on B2 Kapital in the amount of EUR 2,265,000.00 for the established violations of the General Data Protection Regulation.

Article continues below

"The Controller has not clearly and accurately informed its data subjects about the processing of their personal data by means of a notice on the processing of personal data (privacy policy) regarding the legal basis for the recovery of overpayments, which is contrary to the provision of Article 13(1) of the Gdpr. General Data Protection Regulation.

"This resulted in non-transparent processing of personal data of the data subject (i.e. misinformation regarding the legal basis for processing referred to in Article 6(1) of the Gdpr). There were (at least) 132,652 at the time of the inspection, and the privacy policy remained unchanged and the violation has not yet been remedied, i.e. it lasts from May 25, 2018 until today Contrary to article 28(3) of the Code of Civil Procedure.

"In accordance with Article 83 of the General Data Protection Regulation, the controller has not concluded a personal data processing contract with the processor for the service of monitoring simple consumer bankruptcy and thus jeopardizes the security of personal data of 896 14 data subjects (OIB), since the conclusion of a contract with the processor is one of a kind of security levers that ensures that the rules of personal data processing are clearly agreed, their course in the business relationship between the controller and the processor and in order for the controller to ensure that the processor satisfies the technical and organizational protection measures for the processing of personal data of a large number of data subjects.

"It was found that the said infringement lasted from the acceptance of the offer to provide a simple consumer bankruptcy service, i.e. from 2019 February 26 to 2021 February, when the business cooperation was terminated.

"The controller has not taken appropriate technical and organisational measures to protect the processing of personal data, which is contrary to Article 32(1)(b) and (d) and (2) General Data Protection Regulation.

"Failure to take appropriate measures resulted in a breach of the security of personal data of all respondents (at least 132 652 at the time of supervision), i.e. their basic identification data (at least in the structure: name and surname, date of birth and OIB) and consequently all personal data filed in the storage systems of the debt collection agency, which are of a financial nature and are thus quite sensitive.

"The proceedings found that the violation has lasted for at least 2019 and has not yet been remedied, all due to the failure to take appropriate protection measures.

"Namely, in December 2022, the Personal Data Protection Agency received an anonymous petition stating that there was an unauthorized processing of a large number of personal data of natural persons – debtors by the debt collection agency and attached a USB stick containing personal data in the structure name and surname, date of birth and OIB for a total of 77,317 natural persons, and who had an outstanding debt to credit institutions, which was purchased by a debt collection agency on the basis of a cession contract.

"On the basis of official duty, the Agency initiated a supervisory procedure in December 2022 and conducted a procedure in which three previously described infringements were identified due to negligent conduct by the controller (debt collection agency).

"The controller bears the greatest degree of responsibility for failure to take technical protection measures, since it is precisely because of deficiencies in such a security system that a large number of personal data have been unsafely processed.

"The Debt Collection Agency lost full control over the movement of personal data of their data subjects and could not explain the causes of unauthorized exfiltration (extraction) of personal data.

"Likewise, as an aggravating circumstance in the conducted administrative procedure, certain shortcomings in cooperation were identified. Namely, after several letters sent by the Agency for the purpose of requesting additional comments or documentation by the processing manager, he responded to them before the last days of the set deadline and sent letters for the purpose of extending the deadline and clarifying the requested circumstances, although he could have requested the same before, which to some extent affected the delay of the proceedings.

"Also, on repeated requests of the Agency for the Protection of Personal Data certain documentation (list of system records), the controller did not submit them.

"Also, as an additional aggravating circumstance, the fact that the controller has not informed the Agency to this day that it has taken additional protection measures to prevent future risks of identified violations and that to date it has not adapted the privacy policy available on their website.

""In conclusion, we state that in this particular case it is a violation of several provisions of the General Data Protection Regulation by one of the leading companies in the field of debt collection, which should not have allowed itself to process the personal data of a large number of respondents in an opaque and unsafe way.

"Also, the controller would probably never have noticed the exfiltration of the personal data of a large number of data subjects, at least for 77 317 of them from their system if the Personal Data Protection Agency had not received an anonymous report and carried out supervisory activities to this day, the controller has not clarified all the circumstances of the infringement, i.e. the removal of a certain scope of personal data outside their storage system, which further indicates inadequate protection measures by the controller.

"We also point out that in this particular case it is about possible individual criminal liability, i.e. the commission of a criminal offense, which is within the competence of the Ministry of the Interior, which conducts criminal investigation within its competences."

What to read next

North Carolina: 22 stores pay fines for price scanning errors
Spain fines Facebook for violating data protection regulations
Croatian Plodine fined for engagement in unfair trading practices

U.S.: Heavy precipitation for west

The main area of unsettled weather through the next 24 hours remains over California as showers and thunderstorms stream inland associated with a deep upper-trough and atmospheric river.


Capital One to acquire Discover Financial for $35.3 billion
Malawi rolls out fresh COVID-19 vaccination campaign
Rosneft posts 47% rise in net profit
Italian customs officials arrested for helping 'Ndrangheta


204 kg raw opium seized in eastern Myanmar

Bulgaria issues guidelines for AI implementation in schools
Germany prepares for next strike at several airports
Polish farmers to step up protests with total blockade of Ukrainian border
Czechia: 10 arrested in probe into corruption ring involving medical supplies to hospitals
U.S.: Atmospheric river producing heavy precipitation, gusty winds, and severe weather threat to California


Suez Canal revenues drop by 40-50 percent since Gaza war

UK: TRA proposes anti-dumping measures on ceramic tiles be kept
Azerbaijan reduces gas supplies to Italy via TAP by 3.2% in 2023
Bosnia and Herzegovina: European Union and its bank EIB Global support construction of Vlašić wind farm
€160 million EIB and CEB financing for vital water irrigation investment helps protect key farming area in Crete
Highlights: February 12, 2024 - February 14, 2024

Trending Now

Suez Canal revenues drop by 40-50 percent since Gaza war

Malawi rolls out fresh COVID-19 vaccination campaign

Qatari Power International hosts groundbreaking ceremony for major resort and convention center in Guyana

TerraPay appoints Ruben Salazar Genovez as president


UK government cracks down on controversial ‘fire and rehire’ practices

France launches river strategy
Shapiro administration invests $3.2 million in U.S. Boiler Company’s expansion
Governor Justice issues statement on closing of Cleveland-Cliffs Weirton facility
EU to invest 40 mln U.S. dollars in Nigeria's power sector
Azerbaijan gas to be transported to Hungary via Türkiye

Today We Recommend

UK government cracks down on controversial ‘fire and rehire’ practices


Capital One to acquire Discover Financial for $35.3 billion

Rosneft posts 47% rise in net profit

Barclays Q4 profit before tax down 92 percent


Qatari Power International hosts groundbreaking ceremony for major resort and convention center in Guyana

BP to invest $1.5 bln in Egypt for development, exploration activities
Discount retailer Pepco to exit Austrian market
Bulgaria could pick Hyundai to expand Kozloduy nuclear power plant
AstraZeneca completes $1.1 billion acquisition of Icosavax
Electron launches Astroscale inspection satellite


TerraPay appoints Ruben Salazar Genovez as president

Personetics names Udi Ziv as new CEO
Lingotto appoints Pam Chan to launch Mosaic
Fogmaker International appoints Johan Bjerstedt as new sales and marketing manager
Africa Finance Corporation appoints Emeka Emuwa as chairman
IGT Solutions announces CEO succession plan


Trade between China and Brazil continues rise

China keeps medium term lending facility at 2.5%
U.S. consumer sentiment inches higher in February
German economy sets to sink deeper into recession
Eurozone industrial output records strongest growth since August 2022
Slovenia reports 1.6 pct economic growth


Home Depot Q4 earnings $2.80 billion

IHG RevPAR increased 16.1%
BHP HY profit down
Antofagasta revenue 8% higher
Barclays Q4 profit before tax down 92 percent
Swiss Re Q4 income $1.9 billion


Micromanaging is the worst enemy of efficiency and teamwork

Niger set to monetize massive gas reserves through Saharan natural gas pipeline
Putting the brakes on EV folly that choked the market
Oil discovery in Kavango Basin may mean huge benefits for Namibians
Cape Town and Dubai battle over Africa's energy future
Is America going to lose its superpower status?


Hong Kong suspends import of poultry meat and products from areas in Canada and Poland

Czech politicians, Agrarian Chamber agree to impose deposits on agricultural products imported from Ukraine
Hong Kong suspends import of poultry meat and products from areas in U.S.
Kazakhstan proposes to ban egg imports for six months
Barbados, Dominica, Senegal, Uruguay formally accept Agreement on Fisheries Subsidies
China agrees to lift ban on Spanish beef imports


Hiring 'problem directors' can knock up to 64% off firm's value

Problematic 'zombie leadership' lives on in many cases
Younger workers have significantly lower productivity than older
Employees who experienced burnout valued jobs with training opportunities less
Moderate performance goals let workers adapt to turbulent marketplaces, research suggests
Employment quotas are bad thing


Linde unit to pay $25.5 mln over claims it defrauded U.S. healthcare programs

FINRA fines Morgan Stanley $1.6 million for municipal securities violations and related failures
Eli Lilly to offer low cost insulin, donate to clinics in Minnesota settlement
Google to pay $350 million to settle shareholders' data privacy lawsuit
California AG announces $150 million multistate agreement with Hikma Pharmaceuticals for its role in opioid epidemic
North Carolina secures $13.5m agreement with First National Bank of Pennsylvania to resolve redlining claims



Hotel Taschenbergpalais Kempinski Dresden opens

306 Room Tempo by Hilton Nashville Downtown hotel opens
Tickets on sale now for Formula 1 Etihad Airways Abu Dhabi Grand Prix 2024
Best Western SeaWorld San Antonio hotel opens in Texas
Gigantic statue of Constantine goes on display in Rome
You still have chance to get one and only Maserati MC12


Sikorsky S-76D helicopter, for perfect business travel above roads

Porsche Taycan, improved in almost everything
New Ford Explorer is all about exploring
Chevrolet 2025 Equinox is new and refreshed
F-150 Lightning Switchgear soon available to public
Mercedes-AMG SL 63 S E Performance, most powerful SL of all time


Vacheron Constantin, watches for life and more

Schüller kitchens, where functionality marries design
Marc Kaufman Furs, from glory days of Wild West to fashion empire
Kelaghayi scarf, powerful women's fashion symbol from Azerbaijan
Tiffany reimagined their necklace collections in bold style
How to make room coherent with pieces that don't really fit together


Epikore Epikore, luxurious loudspeakers you should have

Retro radios with soul for your car
Balanced Audio Technology power amplifier REX 500, 500 watts of solid state
Marantz TT-15S1 turntable, excellent materials and sound
Samsung Galaxy S24, smartphone focused on photography
Best dash cams for your peace of mind


Problems with sleep can trigger range of psychiatric disorders

FDA approves Xolair as first and only medicine for children and adults with one or more food allergies
Record storms in California lead to surging deadly fungal infections
New study finds little-known toxic crop chemical in four out of five people tested
Traumatic brain injury leads to widespread changes in neural connections
Orexa announces first patient dosed in Phase 2 trial in post-operative patients


Colorado is home to America's newest national park

Hubble views massive star forming
Greenland's ice sheet is melting and being replaced by vegetation
India launches weather satellite INSAT-3DS
Japan launches new H3 rocket year after failure
Conflict in Ukraine found causes significant greenhouse gas emissions