Croatia’s Personal Data Protection Agency has imposed a €4.5 million administrative fine on a telecommunications operator after determining the company committed multiple and prolonged violations of the EU’s General Data Protection Regulation (GDPR). The decision, announced 14 November, follows ex officio proceedings into cross-border data transfers, employee data handling, and insufficient oversight of processors.
According to the regulator, the operator unlawfully transferred the personal data of nearly 848,000 users to a processor in Serbia—a country without an EU adequacy decision—after failing to maintain legally required safeguards. While the transfer had been covered under standard contractual clauses (SCCs) until December 2022, the company neglected to renew or replace these instruments. As a result, the Serbian affiliate had unrestricted administrative access to the operator’s full SAP CRM database without a valid legal basis, violating Articles 44 and 46 of the GDPR. The operator also failed to complete a mandatory Transfer Risk Assessment before transferring data outside the EU.
The agency said the telecom provider compounded the violation by not clearly informing users that their personal data—including names, national ID numbers, addresses, phone identifiers, IBANs, and contract details—were being transferred to a non-EEA country. Its privacy policies instead used vague language suggesting data “may” be transferred abroad, falling short of GDPR transparency requirements.
The investigation also uncovered excessive and unjustified processing of employee data. The operator collected copies of staff identity cards and certificates confirming no criminal proceedings, despite lacking any valid legal basis under Article 6 and ignoring warnings from its own Data Protection Officer that the practices were disproportionate.
In addition, the company failed to perform basic due diligence on a telemarketing processor that lacked essential security measures—a breach of its Article 28 obligation to ensure processors provide adequate protection before handling personal data.
The regulator said the severity and breadth of the infringements warranted the multimillion-euro penalty, underscoring the importance of robust transfer mechanisms, employee data minimization, and proper oversight of third-party processors in cross-border operations.