Croatian Data Protection Authority imposes a new fine on a telecoms operator for violation of the GDPR.
March 2023
The Croatian Data Protection Authority (DPA) recently imposed a fine of EUR 20,000 on a telecoms operator for the unlawful processing of a user’s personal data. According to information published by the DPA, the fine was imposed for a violation of Article 6(1) of the GDPR (absence of a legal basis for the processing). The operator, acting as controller, continued to process the user’s personal data for a period exceeding 12 months after termination of the contract with the user, without having a legal basis for such continued processing, and in the meantime this continued processing exposed the user’s personal data to a security incident.