Data Privacy Fines in Croatia: A Cautionary Tale for Multinational Companies

Introduction:

On October 5, 2023, the Croatian Personal Data Protection Agency (AZOP) imposed a substantial administrative fine of €5,470,000.00 on a multinational company in its capacity as a data controller. This significant penalty underscores the importance of compliance with data protection regulations in today’s business landscape. In this article, we will delve into the General Data Protection Regulation (GDPR) violations that led to this fine and offer guidance on how businesses can avoid similar pitfalls.

Understanding the Violations:

Inadequate Technical Measures: The multinational company failed to implement adequate technical measures to protect the personal data of individuals stored in their systems, in violation of Article 32(1)(b) and (2) of the GDPR. This lapse left them vulnerable to unauthorized access and data breaches.

Processing without Legal Basis: The company processed personal data of individuals who were not in a client relationship without a legal basis, as required by Article 6(1) of the GDPR. This underscores the necessity of having a legitimate reason for processing personal information.

Handling Sensitive Health Data: The multinational company processed sensitive health data of individuals without the necessary legal basis, contravening Article 9(2) of the GDPR. This highlights the importance of obtaining explicit consent or relying on specific legal grounds when dealing with sensitive data.

Lack of Transparency: The company failed to transparently and correctly inform individuals about the processing of their health data in their privacy policies, a violation of Article 12(1), Article 13(1), and (2) of the GDPR. Transparency is essential in ensuring that individuals understand how their data is used.

Unauthorized Call Recording: The multinational company recorded phone conversations with individuals without a valid legal basis, violating Article 6(1) and breaching the accountability principle of Article 5(2) of the GDPR. It’s crucial to establish a legitimate reason for recording phone calls.

Implications for Businesses:

The case of the multinational company serves as a stark reminder to businesses operating in Croatia or any jurisdiction with stringent data protection laws. Failing to comply with GDPR can lead to substantial fines and potential reputational damage. Here are some key takeaways for businesses:

Prioritize Technical Measures: Ensure your organization has robust technical measures to protect personal data. Invest in data security systems that detect unusual activities and prevent breaches.

Legal Basis for Data Processing: Always establish a clear legal basis for processing personal data. Review and update your data processing procedures to align with GDPR requirements.

Handle Sensitive Data with Care: If your business deals with sensitive data, such as health information, ensure you have explicit consent or a legal basis for processing this data. Maintain strict controls and access restrictions.

Transparency in Privacy Policies: Clearly and transparently communicate your data processing practices to individuals in your privacy policies. Ensure that they understand how their data will be used.

Call Recording Compliance: If you record phone conversations, be sure to have a valid legal basis and inform callers clearly that the conversation is being recorded.

Navigating Legal Proceedings:

It is essential to understand that legal proceedings regarding data protection violations can be protracted in Croatia. Even after receiving a fine from AZOP, the process can take more than five years to reach a final decision in the courts. This extended period poses significant challenges for businesses, as they must contend with the financial burden of fines during this time.

Furthermore, Dijana Kladar emphasizes the significance of swift action and close collaboration between IT experts and legal professionals, especially in the face of data breaches. With her extensive experience, she advises businesses to make prompt decisions on how to address data breaches, even when these incidents occur during weekends or holidays, such as Christmas. Dijana Kladar’s practical guidance underscores the critical nature of timely and coordinated responses to data privacy challenges.

Conclusion:

The case of the multinational company highlights the importance of compliance with data protection regulations in Croatia. To avoid fines and reputational damage, businesses must prioritize data security, establish legal grounds for data processing, and maintain transparency in their practices. Additionally, understanding the lengthy legal process in Croatia is vital for financial planning and compliance. Seek legal counsel when needed to protect your business’s interests and ensure GDPR compliance under the guidance of experienced practitioners.
