Debt collection agency B2 Kapital received a fine of €2.26 million from the Croatian Personal Data Protection Agency (AZOP).

The investigation was opened after AZOP received an anonymous complaint. The complaint document, with a USB stick attached, contained the personal data of 77,317 individuals: first and last name, date of birth, and personal identification number (OIB). The complaint stated that B2 Kapital had carried out unauthorized processing of a large volume of personal data.
The investigation established several serious GDPR breaches:
1. Breach of the lawfulness, fairness and transparency principle and of Article 13(1) GDPR. B2 Kapital failed to inform data subjects about its processing activities, in particular the legal basis for the processing.
As a data controller, B2 Kapital failed to inform individuals, in a clear and accurate manner through its privacy policy, about the details of the processing of their personal data. This resulted in the non-transparent processing of the personal data of at least 132,652 individuals at the time of the inspection. AZOP also noted that, at the time of the inspection, the company had not updated its privacy policy since 25 May 2018, the date the GDPR became applicable.
2. No data processing agreement was concluded with the data processor
B2 Kapital did not have a data processing agreement in place with the processor it engaged to monitor simple consumer bankruptcy proceedings. This compromised the security of the personal data (personal identification numbers) of 83,896 individuals.
3. B2 Kapital failed to implement appropriate technical and organizational measures
The absence of data processing agreements with its processors means the company did not implement appropriate technical and organizational measures to ensure that the rules for processing personal data were clearly agreed upon and that security measures were actually put in place.
AZOP concluded that B2 Kapital had completely lost control over the sharing of personal data and could not explain how the unauthorized exfiltration of the data had occurred.