The largest GDPR fine in Croatia so far
On the 5th anniversary of the GDPR, the Croatian data protection authority (DPA) issued the largest fine for a GDPR violation in the country so far: 2.26 million EUR. The fined company is B2 Kapital, a financial services agency specializing in purchasing non-performing loans (NPLs) from banks. More information on the case is available here (in Croatian).
According to the GDPR Enforcement Tracker, the largest fine previously issued in Croatia was 285,000 EUR, and fines have so far mostly targeted the telecommunications sector. This appears to be the first time a financial services company has been fined.
Judging by the latest financial data for B2 Kapital, the penalty seems to be close to the maximum allowed, i.e. 4% of total revenue. The leak was apparently reported anonymously to both the media and the DPA itself, via a USB stick containing around 77 thousand records on natural persons on the hook for non-performing loans (NPLs). According to the DPA, the leaked records contained the first and last name, date of birth and VAT number of each person. Further proceedings by the DPA found B2 Kapital responsible for handling close to 133 thousand records without appropriate technical and organizational measures to ensure an adequate level of protection (GDPR Article 32).
This latest example shows that in today's GDPR enforcement environment, processing or storing any amount of personal data on natural persons (however trivial the data) should in fact be considered a "radioactive" asset with a large risk attached. This applies especially to companies with high revenue and comparatively small net margins, since penalties are based on turnover rather than profit.
Furthermore, the technical and organizational measures required by Article 32 can be interpreted broadly, which introduces substantial uncertainty. Disgruntled employees can find ways to bypass technical controls, high penalties can even incentivize leaks, and external attackers or simple configuration errors will continue to expose customer data in the future. So it remains to be seen how companies will react. All things considered, it is reasonable to conclude that most companies will treat GDPR as a cost of doing business, and that some markets, such as NPL reselling, will probably become much less liquid, prompting banks to find other ways to wind down bad assets. In any case, unintended consequences are bound to surround the GDPR for the foreseeable future.
Meanwhile, the investigation at B2 Kapital has not established whether the leak was the result of an external attack or an inside job. B2 Kapital was unable to produce any log records showing how the data was extracted, and the company has announced a legal challenge to the DPA's findings and fine.
Regardless of the outcome, this case will undoubtedly have significant implications for the future.