The General Data Protection Regulation (GDPR) is a crucial legal framework that ensures the protection of personal data for individuals within the European Union. Companies must comply with the GDPR or face significant financial penalties. In this article, we examine a recent case involving a Croatian debt collection agency, B2 Kapital d.o.o., that was fined €2.26 million (17,065,642.50 HRK) for multiple GDPR violations. This case highlights the importance of GDPR compliance and serves as a reminder to both companies and data subjects of the need for strict adherence to data protection regulations.
The Data Protection Agency identified three main GDPR violations in the case of B2 Kapital d.o.o.:
- Lack of transparency and accuracy in informing data subjects about the processing of their personal data (Article 13.1). At least 132,652 individuals were affected by this violation, which began on May 25, 2018, and remained unaddressed.
- Failure to establish a data processing agreement with a data processor for the service of monitoring consumer bankruptcies (Article 28.3). This violation compromised the personal data security of 83,896 individuals and persisted from February 14, 2019, to February 26, 2021.
- Inadequate technical and organizational measures to protect personal data during processing (Article 32.1). This violation affected the security of personal data for at least 132,652 individuals and was ongoing at the time of the investigation.
The Data Protection Agency initiated the investigation in December 2022, following an anonymous complaint and the receipt of a USB stick containing the personal data of 77,317 individuals who had outstanding debts with credit institutions. The debt collection agency had acquired these debts through debt assignment contracts.
The debt collection agency’s negligence and failure to implement appropriate technical measures resulted in the unauthorized processing of a large number of personal data records. The agency lost complete control over the movement of personal data and could not explain the causes of unauthorized data exfiltration.
Furthermore, the company’s cooperation during the investigation was inadequate. The agency repeatedly responded to the Data Protection Agency’s request for additional information or documentation at the last minute, often seeking deadline extensions. Additionally, certain requested documents were never provided.
As an aggravating factor, the debt collection agency failed to inform the Data Protection Agency of any additional protective measures taken to prevent future risks from the identified violations. The privacy policy on the company’s website remained unaltered.
This case serves as a warning to all companies about the consequences of GDPR non-compliance, particularly for those handling large volumes of personal data. It is crucial for businesses to understand their obligations under the GDPR and ensure they are taking appropriate measures to protect personal data. Failure to do so can result in significant financial penalties and reputational damage, as well as potential criminal liability.
The lesson applies to companies and data subjects alike. Companies must be transparent, keep personal data secure, and meet every GDPR requirement, while data subjects should know the rights the regulation gives them. Together, these efforts contribute to a more secure and privacy-focused digital environment.