Bank that got the first GDPR fine in Croatia had been consciously violating human rights for almost a year and received more than 30 notices from the data protection authority before it was actually fined

Dražen Tomić - Tomich Productions

On March 13th, 2020, the Croatian data protection authority (AZOP) published information about issuing the first GDPR fine in Croatia. Because the local law is vague, it is not really clear how transparent AZOP has to be about the fines it issues, although local regulation does require non-anonymised fines to be published on the AZOP website when they are bigger than 100.000 HRK (about 13.150 EUR).

In this particular case, the published information doesn’t mention which bank was fined or how much, but it gives a detailed explanation of the case and the reasons.

The fine was issued because the bank had been refusing to provide its clients with information about their loans in the period between 25.5.2018 and 30.4.2019.

The explanation provided by the bank was that this information is not considered personal data, but loan documentation, which is regulated by a specific law. Despite 34 direct orders that AZOP issued to the bank, its practice didn’t change. The information was only provided to those clients who complained to AZOP. The investigation found that the bank denied data access requests to about 2.500 clients. The whole case is connected to a huge and long court case against the 8 biggest banks in Croatia. During the investigation, AZOP found that the bank had been aware that denying the information prevented its clients from collecting evidence for the court case, in which many Croatians lost money and were even evicted from their homes.

AZOP explains that, having in mind the number of affected data subjects, the nature and duration of the violation and other applicable facts, imposing a financial fine is the best way to ensure an adequately effective, proportionate and dissuasive effect. It also highlights that the fine for this type of infringement can be up to 20 million euro.