May 5, 2023 - A large fine imposed on the B2 Kapital debt collection agency by the Agency for the Protection of Personal Data (AZOP), reports Index.hr.
The Agency for the Protection of Personal Data (AZOP) imposed an administrative fine of EUR 2,265,000.00 on the data controller, the debt collection agency B2 Kapital. The case may also involve a criminal offense, which falls under the responsibility of the Ministry of Internal Affairs, which will conduct a criminal investigation.
As a reminder, the debt collection agency B2 Kapital released the data of 77,317 natural persons, containing first and last name, OIB, date of birth, residential address, name and OIB of the employer, debt to B2 Kapital, the amount of the principal and the amount of default interest, as well as, which is particularly controversial, a mobile phone number and a personal e-mail address. Index was the first to write about it in detail.
We emphasize that we warned AZOP that we are in possession of a typed contract on the sale of receivables (assignment contract) between banks and the agency, from which it is clear that the banks also provide the phone numbers of their former and current clients to debt collection agencies. It was clear from AZOP's response that the banks provided information that they were not allowed to, so the investigation expanded.
The four largest banks operating in Croatia, the Croatian Association of Banks and the Croatian National Bank, which supervises contracts for the sale of receivables between banks and agencies, did not want to answer what banks hand over to debt collectors when they sell bad receivables.
A fine of 2.26 million euros
AZOP has now imposed a fine of 2.26 million euros because the data controller did not clearly and accurately inform its data subjects about the processing of their personal data through the notification on the processing of personal data. It also did not enter into a contract on the processing of personal data with the processor for the simple consumer bankruptcy monitoring service, and did not take appropriate technical and organizational protection measures when processing personal data.
The explanation states that the Agency initiated a supervisory procedure in December 2022 and carried out a procedure in which the three previously described violations were determined to be due to the negligent actions of the data controller (the debt collection agency).
The data controller bears the greatest degree of responsibility for not taking technical protection measures, since it was precisely because of deficiencies in such a security system that unsafe processing of a large amount of personal data occurred. The debt collection agency completely lost control over the movement of its data subjects' personal data and could not explain the causes of the unauthorized exfiltration (extraction) of personal data.
They didn't cooperate
Certain shortcomings in cooperation were also determined as an aggravating circumstance in the administrative procedure. Namely, to several letters sent by the Agency requesting additional statements or documentation, the data controller responded before the last days of the set deadline and sent letters asking to extend the deadline and to clarify the requested circumstances, although it could have requested the same earlier, which to a certain extent delayed the procedure.
In addition, despite repeated requests from the Personal Data Protection Agency for certain documentation (list of system records), the data controller did not provide it. As an additional aggravating circumstance, the Agency took into account that the data controller has to date neither informed the Agency that it has taken additional protection measures that would prevent future risks of the established violations, nor adjusted the privacy policy available on its website.
Report submitted to the police
In conclusion, this particular case concerns the violation of several provisions of the General Data Protection Regulation (GDPR) by one of the leading companies in the field of debt collection, which could not afford to process the personal data of a large number of data subjects in a non-transparent and insecure manner.
Also, the data controller probably would never have noticed the exfiltration from its system of the personal data of a large number of data subjects, at least 77,317 of them, if the Personal Data Protection Agency had not received an anonymous report and conducted supervisory activities.
"Until today, the data controller has not clarified all the circumstances of the breach, i.e. the transfer of a certain amount of personal data outside their storage system, which additionally indicates inadequate protection measures on the part of the data controller," reads the explanation of the AZOP's decision.
The explanation also states that the case may involve individual criminal liability, that is, the commission of a criminal offense, which is the responsibility of the Ministry of Internal Affairs, which conducts criminal investigations within its jurisdiction.