Six years after the introduction of the GDPR, many businesses still treat it as if it were a “new law,” a regulation to be addressed later, rather than a priority today. It took years for the GDPR and data protection in general to even make their way onto Q&A lists in legal due diligence, competing alongside other established legal risks when analyzing target companies.
Even years after its implementation, many businesses continue to treat the GDPR as an unfamiliar or optional regulation. This ongoing delay creates a dangerous disconnect, as companies that neglect the GDPR expose themselves to serious risks, major fines, and significant reputational damage.
The significance of the GDPR is becoming increasingly evident, even in major transactions, where the complexity of compliance is reflected in the substantial number of work hours dedicated to addressing data protection concerns. A prime example of this is the issuance of the Republic of Croatia’s first retail bond. Given the large number of retail investors involved, the transaction required careful handling of personal data, making GDPR compliance a significant factor throughout the transaction.
Furthermore, the rise in cyberattacks and data breaches only compounds the need for GDPR compliance. As cybercriminals become more sophisticated, companies that fail to implement adequate data protection measures are increasingly vulnerable. Data breaches not only expose personal information but also highlight companies’ failure to safeguard their clients’ privacy. In today’s world of advanced technology, ensuring technical data security should not be a challenge.
The Croatian Personal Data Protection Agency (Agency) has played a key role in raising compliance standards for data protection in Croatia. Its growing influence is evident from its ranking by the European Data Protection Board, which placed the Agency 9th in the number of total fines issued under the GDPR in its 2023 report. This recognition highlights the Agency’s proactive approach to enforcing data protection standards, aligning with EU expectations and the increasing public demand for stronger privacy safeguards.
The most common reasons for penalties imposed by the Agency are inadequate technical and organizational measures to ensure information security, lack of a legal basis for data processing, and insufficient fulfillment of information obligations.
In 2023, the Agency imposed a total of 28 administrative fines, amounting to EUR 8.27 million, reinforcing its belief that fines serve as effective, proportionate, and deterrent corrective measures.
Among these, the highest fines ever issued by the Agency were prompted by anonymous complaints, both of which were directed at debt collection agencies as controllers of personal data.
The first of these fines, totaling EUR 2.27 million, was imposed on a debt collection agency for failing to implement appropriate technical and organizational measures to ensure the security of personal data, resulting in a data breach affecting over 130,000 data subjects. Additionally, the data controller failed to provide the required information to data subjects and did not establish appropriate data processing agreements.
The second fine imposed by the Agency amounted to EUR 5.47 million. The controller failed to implement appropriate technical and organizational measures to protect personal data. The controller processed data without determining a legal basis, including data from individuals not in a debtor-creditor relationship, sensitive health data (including data on terminal illnesses), and telephone call recordings. Additionally, the controller did not provide data subjects with transparent information about the processing of their health data and recording of telephone conversations.
An alarming example of blatant negligence emerged when the Agency imposed a EUR 380,000 fine on a sports betting company for multiple GDPR violations. Despite the company’s Privacy Policy explicitly stating that it does not store or permit unauthorized access to bank card data, it collected copies of both sides of customers’ bank cards without a valid legal basis. Furthermore, it was later revealed that company employees had access to 655 of the 2,078 collected card copies with the full card data visible.
The aforementioned fines imposed on data controllers highlight the serious consequences of neglecting data privacy. They also reveal a deep and ongoing misunderstanding of what exactly the GDPR entails, as well as a continued carelessness about the topic, even within large companies. As compliance standards grow more rigorous, companies can no longer afford to treat data protection as an afterthought. With stricter enforcement and the growing risks of fines and reputational damage, prioritizing data privacy compliance is no longer optional. It ensures legal security and builds trust with clients. In a data-driven world, companies must act promptly to protect what matters most, both legally and ethically.
The wake-up call is louder than ever – don’t snooze it.
By Vanda Frcko, Co-Head of TMT, Miskovic & Miskovic
This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine.