The Croatian Supervisory Authority (SA) has slapped a whopping €5.47 million fine on EOS Matrix, a debt collection agency. The company was found in breach of several GDPR provisions, including processing personal data without a legal basis, failing to implement sufficient technical security measures, and a lack of transparency towards data subjects.
The case came to light when an anonymous petition was filed back in March 2023, alleging that EOS Matrix had processed the personal data of a significant number of natural persons (debtors) without authorisation. The petition was backed by a USB stick loaded with the personal data of over 180,000 people, including minors, who had outstanding debts towards certain credit institutions; EOS Matrix had purchased those debts under a cession (assignment) contract.
Further investigation revealed that the company's processing system lacked adequate technical measures: it could not detect unusual activity such as a spike in data retrievals, transfers of data outside the system, or the compromise of a user account. Moreover, EOS Matrix was also found to have processed, without any legal basis, the personal data of individuals who were neither debtors nor legal representatives of heirs in the debtor-creditor relationship.
What's more shocking is the discovery that EOS Matrix was actively recording comments on the health status of debtors and tracking individual diagnoses, including terminal illnesses, even though its privacy policies explicitly stated that it does not process health data. Health data is a special category under the GDPR, and this practice, together with the other findings, led to the large administrative fine. The case is a stark reminder for every company that collects and processes personal data of the importance of complying with the GDPR.
Source: Croatian SA imposed an administrative fine on the data controller – the Debt Collection Agency EOS Matrix in the amount of 5.470.000,00 EUR due to violations of Articles 5, 6, 9, 12, 13 and 32 of the GDPR | European Data Protection Board