Croatia: AZOP fines Telemach 4,5 million euros, personal data of 900 thousand users allegedly compromised

Telemach strongly rejects the allegations published on the AZOP website and announces that it will take all available legal measures to protect the company's rights, integrity and reputation.

Illustration, Photo: Shutterstock

The Croatian Agency for Personal Data Protection (AZOP) has imposed an administrative fine of 4,5 million euros on a telecom operator, as a data controller, for violations of the General Data Protection Regulation, which, they claim, jeopardized the personal data of 900 users.

The fine, AZOP announced on its website on Friday following proceedings conducted ex officio, was imposed on the telecom operator for transferring personal data to third countries without a valid transfer instrument and without transparently informing the data subjects, for processing copies of employees' ID cards and certificates of no criminal proceedings without a legal basis, and for failing to carry out appropriate prior checks on the processor, Index.hr reports.

The telecom operator, AZOP explains without specifying which telecom operator, transferred the personal data of its users to a data importer in Serbia, i.e. a company within the group that maintained the software.

The telecom operator, Telemach, strongly rejects the allegations published on the AZOP website and announces that it will take all available legal measures to protect the rights, integrity and reputation of the company.

"In the case cited by AZOP, there was no data breach. The data was not forwarded outside Croatia or the EU and was stored exclusively in Croatia, it is secure and there was no leak," Telemach claims.

The data transfer, according to AZOP, was based on standard contractual clauses from mid-April 2020 until December 27, 2022 at the latest, but after that date the telecom operator failed to conclude standard contractual clauses with the processor in Serbia.

This means, AZOP explains, that after that date the transfer of the data subjects' personal data took place "without appropriate protective measures".

AZOP explained that, since the European Commission had not issued an adequacy decision for Serbia under the provisions of the General Data Protection Regulation, the operator had to base regular transfers of data subjects' personal data on one of the transfer instruments the Regulation provides for.

"The processor from Serbia could access the entire SAP CRM database with administrator permissions, which meant that it had unlimited access to personal data, a total of 847,86 thousand respondents/users of the processor's services," the AZOP states.

This meant, AZOP continues, that the processor was able to access the name and surname, OIB (the Croatian personal identification number), address from the ID card, connection address, billing address, contact number, email address, IBAN, MSISDN, ICCID, and data on the user's contracted services.

In addition, AZOP stated, the telecom operator did not conduct a risk assessment for the transfer of personal data to Serbia, which it was obliged to do before transfers to a third country began; all of these actions are contrary to the provisions of the General Data Protection Regulation.

Also, AZOP adds, the telecom operator "did not even inform the data subjects about the aforementioned transfer to Serbia, a country outside the European Economic Area (EEA), which is its obligation under the General Data Protection Regulation."

"A review of privacy policies determined that the controller did not use clear language to state that the personal data of the data subjects would be transferred outside the EEA, but rather used formulations such as that personal data 'may' be shared with third countries, or that personal data is generally processed within the European Union and only exceptionally outside the European Union," the AZOP added.

The telecom operator, they said, "excessively" processed the personal data of its employees, that is, it collected "copies of their ID cards", which is also contrary to the provisions of the General Data Protection Regulation.

"An additional aggravating circumstance," the AZOP said, is that the operator "ignored the opinion of its data protection officer, who issued an opinion that collecting copies of ID cards, given the content of the data, could be considered excessive processing of personal data."

Likewise, the operator collected certificates confirming that no criminal proceedings were pending against its employees, which is also contrary to the General Data Protection Regulation.
