Croatian Privacy Regulator Fines Telco $5.2M for GDPR Breaches
Croatia's DPA slapped an unnamed telecom operator with a 4.5 million euro ($5.2 million) fine for GDPR violations, it announced Nov. 14.
The breaches related to "the transfer of personal data without a valid transfer instrument or transparent information to data subjects, the processing of copies of employees' identity cards and other documents without a legal basis, and the failure to perform appropriate prior checks on a [data] processor," the watchdog said.
The data controller shifted users' personal information to a data importer in Serbia, the DPA said. From April 16, 2020, to Dec. 27, 2002, it transferred data on the basis of standard contractual clauses but then failed to agree on such clauses with the Serbian processor, meaning the personal data transfer took place without appropriate safeguards.
The processor then had unlimited access rights to personal data in nearly 850,000 records of the Croatian controller's users/data subjects, the DPA said, and the controller didn't do a transfer risk assessment for the movement of the personal data to Serbia.
The controller also failed to tell data subjects about the transfers to Serbia, which is outside the European Economic Area. The Croatian company excessively processed the personal data of its staff as well, collecting copies of their identity cards against the advice of its data protection officer.
In addition, the DPA found that the controller hired a processor for telemarketing services that lacked basic security measures. Under GDPR due diligence provisions, the controller is required to verify such services prior to processing.