
Croatia: AZOP fines EOS Matrix €5.47M for unlawful processing of personal data

The Personal Data Protection Agency (AZOP) announced, on October 5, 2023, that it had imposed a fine of €5.47 million on EOS Matrix d.o.o. for violations of the General Data Protection Regulation (GDPR), following an anonymous petition.

Background to the decision

The AZOP stated that, on March 22, 2023, it received an anonymous petition alleging that EOS Matrix had processed the personal data of a large number of individuals (debtors) without authorization. The petition was accompanied by a USB stick containing the personal data of 181,641 persons, 294 of whom were minors at the time the database was compiled. The data included first name, last name, date of birth, and OIB (the Croatian personal identification number), and related to persons with outstanding debts to the original creditors, which EOS Matrix had purchased.

Findings of the AZOP

Importantly, the AZOP noted that the fact that a given person is in a debtor-creditor relationship with EOS Matrix, together with the other personal data concerned, is not recorded in any storage system other than that of EOS Matrix; each original creditor could only hold data on its own clients/debtors whose debts it had sold to EOS Matrix. On that basis, the AZOP established that the personal data submitted on the USB stick had been extracted from EOS Matrix's database.

In particular, the AZOP identified the following violations of the GDPR:

  • the controller did not implement appropriate technical measures capable of recognizing, in a timely manner, activities deviating from normal use (e.g., an increased number of retrievals from the database, transfer of data outside the system, or compromise of user access) in order to protect the processing of the data subjects' personal data, in violation of Articles 32(1)(b) and 32(2) of the GDPR;
  • the controller processed, without a legal basis, the personal data of data subjects who were not in a debtor-creditor relationship with it, in violation of Article 6(1) of the GDPR;
  • the controller processed special category data (health data) of data subjects without a legal basis, in violation of Articles 6(1) and 9(2) of the GDPR; specifically, the health condition of the data subjects concerned was tracked down to individual diagnoses, including terminal illnesses;
  • the controller did not inform data subjects transparently about the processing of their health data; its privacy policies stated that it does not and will not process health data, in violation of Articles 12(1), 13(1), and 13(2) of the GDPR;
  • the controller had no established legal basis for recording telephone conversations with data subjects in the period from May 25, 2018, to January 16, 2019, in violation of Articles 5(2) and 6(1) of the GDPR; and
  • the controller did not inform data subjects in an understandable and clear way that their telephone conversations were being recorded, in violation of Article 12(1) of the GDPR.
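The first finding above is a detection failure rather than a policy one: the controller had no technical means of noticing when access to the debtor database departed from its normal pattern. The following is an added example (not code from the AZOP decision, from EOS Matrix, or from any real system) of the simplest such control: a per-user baseline of daily record retrievals with a threshold, plus a rule for transfers that leave the system, run over a constructed access log whose format (date, user, action, record count, destination) is hypothetical.

```python
"""Baseline-and-threshold detection over debtor-database access logs.

Added example: hypothetical log format, constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from any real system). One line per access:
# date, user account, action (lookup|export), number of records touched,
# destination ("internal" = the data stayed inside the processing system).
# agent07 behaves normally for a week, then pulls a whole table and
# exports it to removable media; agent12 stays normal throughout.
SAMPLE_LOG = """\
2023-03-01 agent07 lookup 12 internal
2023-03-01 agent12 lookup 15 internal
2023-03-02 agent07 lookup 9 internal
2023-03-02 agent12 lookup 18 internal
2023-03-03 agent07 lookup 14 internal
2023-03-03 agent12 lookup 11 internal
2023-03-04 agent07 lookup 10 internal
2023-03-04 agent12 lookup 16 internal
2023-03-05 agent07 lookup 11 internal
2023-03-05 agent12 lookup 13 internal
2023-03-06 agent07 lookup 8 internal
2023-03-06 agent12 lookup 14 internal
2023-03-07 agent07 lookup 13 internal
2023-03-07 agent12 lookup 12 internal
2023-03-08 agent07 lookup 50000 internal
2023-03-08 agent07 export 50000 usb://removable
2023-03-08 agent12 lookup 15 internal
"""


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, count, dest = line.split()
        events.append({"date": date, "user": user, "action": action,
                       "count": int(count), "dest": dest})
    return events


def daily_volume(events):
    """Total records touched per user per day, across all actions."""
    volume = defaultdict(lambda: defaultdict(int))
    for e in events:
        volume[e["user"]][e["date"]] += e["count"]
    return volume


def volume_anomalies(events, baseline_days=7, sigmas=3.0, floor=100):
    """Flag (user, date, records, threshold) where a user's daily volume
    exceeds mean + sigmas * stdev of that user's first `baseline_days` days.
    `floor` is a minimum threshold so that a near-zero baseline does not
    alert on a handful of extra lookups."""
    alerts = []
    for user, per_day in daily_volume(events).items():
        days = sorted(per_day)  # ISO dates sort chronologically as strings
        baseline = [per_day[d] for d in days[:baseline_days]]
        if len(baseline) < 2:
            continue  # not enough history to learn a pattern
        threshold = float(max(floor, mean(baseline) + sigmas * pstdev(baseline)))
        for d in days[baseline_days:]:
            if per_day[d] > threshold:
                alerts.append((user, d, per_day[d], round(threshold, 1)))
    return alerts


def external_transfers(events, max_records=1000):
    """Flag exports that leave the system or exceed a bulk size, regardless
    of the user's usual volume: one large transfer is enough to alert."""
    return [(e["user"], e["date"], e["count"], e["dest"])
            for e in events
            if e["action"] == "export"
            and (e["dest"] != "internal" or e["count"] > max_records)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in volume_anomalies(evts):
        print("volume anomaly:", alert)
    for transfer in external_transfers(evts):
        print("external transfer:", transfer)
```

On the constructed log, the volume rule fires once (agent07 on 2023-03-08, 100,000 records against a threshold of 100) and the transfer rule fires on the export to removable media. In a real deployment the baseline would be per role and rolling rather than fixed to the first week, and both alerts would be forwarded to a SIEM; the point of the example is that even this much would have made a bulk pull of a 181,641-record table visible on the day it happened.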

Outcomes

In light of the above, the AZOP imposed a fine of €5.47 million on EOS Matrix for the aforementioned violations of the GDPR.

Finally, the AZOP stated that it has not been established exactly how the 181,641 records were exfiltrated, that the exfiltration may constitute the criminal offense of unauthorized use of personal data, and that it is actively cooperating with the Zagreb Police Department and the Zagreb Municipal State Attorney's Office on the matter.

You can read the press release, only available in Croatian, here, and the European Data Protection Board's (EDPB) summary in English here.

Update: October 9, 2023

AZOP releases FAQs for citizens regarding AZOP decision

On October 6, 2023, the AZOP published frequently asked questions (FAQs) following the imposition of the fine on EOS Matrix. The FAQs are aimed at citizens and explain how they can exercise the rights guaranteed to them by the GDPR. Among others, the FAQs answer the following questions:

  • how affected citizens can claim compensation from EOS Matrix and whether the AZOP would determine damages;
  • how to access information about personal data from EOS Matrix;
  • whether the AZOP can tell an individual if their personal data was among the data taken from EOS Matrix's database without authorization and delivered to the AZOP on a USB stick;
  • what are the consequences if EOS Matrix refuses to provide the required information; and
  • how to exercise the right to erasure.

You can read the press release, only available in Croatian, here.
