In recent years, members of the European Union have shown a particularly high level of awareness of how important it is to protect personal data and to implement the General Data Protection Regulation (GDPR). We are witnessing the imposition of multimillion-euro fines for GDPR violations in countries such as Ireland, Germany, and France on household names such as Meta, H&M, and Google.
Despite this, the punitive policies of the countries of the region have not been as harsh, and GDPR enforcement authorities in those countries have generally given companies multiple chances to comply before imposing fines. At least that was the case until May 2023, when the Croatian Personal Data Protection Agency (AZOP or the Agency) imposed a fine of 2,265,000.00 euros on the limited liability company B2 Kapital from Zagreb for a violation of the GDPR.
B2 Kapital d.o.o. is a debt collection agency and one of the leading providers of financial services in debt collection and claims management, and it belongs to the Norwegian B2Holding ASA group.
In 2022, the Croatian Personal Data Protection Agency received an anonymous complaint alleging that B2 Kapital did not adequately handle the personal data of tens of thousands of natural persons. Attached to the complaint was a USB flash drive containing the personal data of natural persons, including their name, surname, date of birth, and OIB (personal identification number). In particular, the USB drive contained the data of 77,317 natural persons who had unpaid debts to credit institutions, which had been purchased by B2 Kapital.
Since B2 Kapital could neither explain how this unauthorized leakage of personal data occurred nor how the data came to be delivered to AZOP on a USB stick, it appears that the data controller did not ensure adequate data protection and had no control or supervision over the flow of data.
What Did B2 Kapital Do to Deserve the Fine of 2,265,000.00 Euros?
According to the Agency, B2 Kapital violated several provisions of the GDPR by its actions or lack of them, which, together with the additional aggravating circumstances charged against it, led to the imposition of a multimillion-euro fine. In particular, it is stated that B2 Kapital made the following omissions:
1. Data subjects were not informed transparently and correctly about the processing of their data
The data controller is obliged to inform the persons whose data is being processed, transparently and truthfully, about what data is the object of processing, what the purpose and legal basis of the processing are, how long the data will be stored, and all other relevant information that is clearly defined in the GDPR.
In particular, B2 Kapital wrongly informed the persons whose data it processed about the legal basis of data processing for the return of overpaid funds, where it was incorrectly stated that the processing is necessary to protect the vital interests of the data subject or another natural person.
Bearing that in mind, the Agency considers that non-transparent processing of personal data occurred, i.e. the incorrect informing of 132,652 persons (the number of data subjects at the time of the supervision).
2. No contract was concluded between the controller (B2 Kapital) and the processor of personal data
If, in addition to the data controller, there is another person who processes personal data on behalf and for the account of the controller, also known as the processor, the controller must conclude a Data Processing Agreement with that processor in connection with entrusted processing.
The goal of such a contract is to ensure the same level of personal data protection in situations where the controller is not the direct data processor; it regulates the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the rights and obligations of the contracting parties.
As B2 Kapital used the services of another legal entity when monitoring consumer bankruptcy proceedings, and the processing of the data it transferred to that processor was not regulated by any contract, AZOP holds that such processing was not compliant with the GDPR.
More precisely, AZOP determined that by failing to conclude a Data Processing Agreement, B2 Kapital jeopardized the security of the data of over 83,000 persons, and that this violation lasted for almost two years.
3. Technical and organizational measures necessary for the safe processing of personal data were not taken
The Agency finds that the biggest omission on the part of B2 Kapital was the failure to apply appropriate technical and organizational measures to ensure the security of processing and of personal data.
The controller and the processor must implement appropriate technical and organizational measures to ensure a level of security that corresponds to the risk of violation of the rights of the data subjects, especially against accidental or illegal destruction, loss, alteration, and unauthorized disclosure.
Among other things, the mentioned measures include the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of data processing systems, as well as enabling processes for regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures for ensuring processing security.
Since the anonymous complaint sent to the Croatian Personal Data Protection Agency contained the data of 77,317 people, everything indicates that the measures B2 Kapital was required to implement were not taken.
Thus, as AZOP claims, B2 Kapital completely lost control over the movement of personal data and could not explain the causes of unauthorized data leakage.
4. B2 Kapital did not demonstrate a satisfactory level of cooperation with the Croatian Personal Data Protection Agency
The lack of cooperation in the procedure for determining violations of the provisions of the GDPR proved to be an aggravating circumstance, which was taken into account when assessing the amount of the fine.
Namely, B2 Kapital sent its answers to the letters of the Croatian Personal Data Protection Agency on the last day of the set deadline, or asked for extensions of the deadlines and for clarification of the Croatian authority's requests at the last minute, when, according to the Agency, it could have asked for them earlier.
In addition, as an additional aggravating circumstance, the Agency points out that B2 Kapital, even after repeated requests for the submission of documents that were needed to conduct the investigation, never submitted such documents.
5. No measures were taken to remedy the aforementioned GDPR violations
Although it was already aware of the non-compliance of its business with the provisions on the protection of personal data, according to the Agency, B2 Kapital failed to correct previous mistakes and take measures that would prevent violations of the privacy of data subjects from occurring in the future.
Although five years after the GDPR became fully applicable, progress can be noted in the application of data protection provisions in the countries of the region, the protection of natural persons' data has still not reached the level provided in the countries of Western and Northern Europe.
The Croatian Personal Data Protection Agency recognized this by announcing that lack of information and ignorance can no longer be a justification and an excuse for violating the basic rights of Croatian and European citizens.
Although Serbia is not yet a member of the European Union, the Serbian Law on Personal Data Protection practically copied the provisions of the GDPR, so the level of personal data protection it requires, and the standards it sets for the processing of personal data, are equal to those prescribed by the GDPR. Bearing in mind that the Commissioner for Information of Public Importance and Personal Data Protection monitors the implementation of the GDPR and data protection trends at the EU level, we believe it is only a matter of time before the Commissioner also starts applying a stricter penal policy and imposing high fines for violations of the Law on Personal Data Protection.
In addition, personal data processors outside the European Union should be aware that, under certain conditions, they may also be subject to the extraterritorial effect of the GDPR provisions, as well as the penalties imposed under this regulation.
As compliance with data protection regulations has become imperative, this should be the last warning for all companies that collect and process personal data to learn from others’ mistakes and align their businesses with the relevant norms.