The Personal Data Protection Authority has imposed two new administrative sanctions for breaches of the General Data Protection Regulation and the Law on the implementation of the General Data Protection Regulation.
Administrative sanction for failure to adopt technical and organizational measures
Because the company providing information services in Zagreb (hereinafter the company), as data controller, lacked adequate technical security measures for its personal data processing, a security breach occurred in which hackers gained unauthorized access to the personal data of 28,085 data subjects. The company had not adopted the measures needed to reach a level of security appropriate to the existing risks and thereby acted in breach of Article 32, paragraph 1, letters b) and d), and paragraph 2 of the General Data Protection Regulation.
The incident was reported to AZOP, and the telecommunications company also informed the users of its services in writing of the potential personal data breach.
When processing personal data the company is obliged to adopt technical measures adequate to guarantee the ongoing confidentiality of its systems, and to operate a process for regularly testing, assessing and evaluating the effectiveness of its technical and organizational measures, so as to reduce the risk of unauthorized disclosure of personal data. Since the company, according to the information available, provides IT services to other mobile operators, banks and government institutions in the Republic of Croatia, as well as to foreign companies (USA, Great Britain, Netherlands, etc.), it is important that it gives opinions and guidelines to, and proposes solutions for, the data controllers whose web applications it builds, so that adequate technical measures protecting the personal data being processed are designed and implemented.
Consequently, in exercise of its powers under Article 58, paragraph 2, of the GDPR, the Agency has imposed an administrative fine, in compliance with the conditions for its imposition set out in Article 83 of the GDPR and Articles 44, 45 and 46 of the Law on the Implementation of the GDPR.
Administrative sanction for not having marked the object under video surveillance
The Personal Data Protection Agency carried out, without prior notice, a direct inspection of the processing of personal data and of the application of personal data protection rules, including the collection of data by the video surveillance system, and established that the insurance company in Zagreb (hereinafter the company) had not indicated that the company premises (where technical inspections and vehicle registrations are carried out and where insurance services are provided) and the outdoor area of the premises are under video surveillance. The data controller, which is the insurance company, therefore acted contrary to Article 27, paragraph 1, of the Law on the Implementation of the GDPR.
Under Article 51, paragraph 1, point 1, of the Law, it was fined for failing to mark the premises as being under video surveillance.
The Agency considers that the corrective measure of a fine is effective, proportionate and dissuasive, and fully in keeping with the circumstances of both cases.