The Croatian data protection authority (AZOP) has imposed a fine of EUR 20m for violating the EU General Data Protection Regulation. 

Since October 2018, AZOP had been receiving multiple complaints from citizens regarding one of Croatia’s credit institutions based in Zagreb: citizens were submitting requests for information to the institution but were being refused.

Under Article 15(1) and (3) of the GDPR, citizens are allowed to exercise the right of access to their personal data by requesting copies of credit documentation, such as bookkeeping cards, repayment plans, and reviews of changes in interest rates, all of which contain their personal information.

Despite this regulation, the institution refused to give citizens access to their personal data or to submit the requested documentation, arguing that under the Consumer Credit Act and other specific regulations it had no obligation to provide it.

Following the complaints, AZOP conducted an investigation and found that in the period from May 25, 2018 to April 30, 2019, the institution received around 2,500 requests from citizens, who were also denied.

In addition, the investigation found that citizens’ requests were in accordance with Articles 57 and 58 of the GDPR.

Subsequently, AZOP decided to impose the strictest corrective measure, an administrative fine of up to EUR 20,000,000.

“Such conduct of the Bank clearly shows that the Bank was aware of the fact that in the described manner the access to the personal data of the respondents was denied, that is, the protection of their fundamental rights guaranteed by the Regulation,” explained AZOP.