A Croatian telecommunications operator was recently fined EUR 4.5 million after the national Data Protection Agency (AZOP) uncovered a series of systemic compliance failures.
The case stands out because the issues were not obscure technicalities but fundamental obligations:
- International transfers continued without valid safeguards,
- Employees’ documents were collected beyond what was necessary,
- Data subjects were not clearly informed,
- and processors were engaged without adequate checks.
The regulator also noted that the company ignored the advice of its own DPO, illustrating how bypassing the expert appointed to guide compliance can end up being costly.
Taken together, these findings show how everyday operational decisions (handling transfers, onboarding vendors, collecting employee data) can create significant regulatory and financial risk when governance and oversight fall out of alignment.
1. International Transfers Without Valid Safeguards
One of the central findings in this case was the continuation of international data transfers after the legal basis for those transfers had expired.
The operator had previously relied on standard contractual clauses when sending data to a group company in Serbia, but after 27 December 2022, when those clauses were no longer in place, the transfers continued without any replacement safeguard.
During this period, the Serbian processor still had administrative access to the operator’s SAP CRM system, which contained personal data of approximately 847,862 users.
Despite the scale and sensitivity of this access, no Transfer Risk Assessment was carried out, even though Serbia does not have an adequacy decision and such an assessment was therefore required in this case.
This combination of expired safeguards, broad access rights, and missing risk evaluation formed one of the most significant elements of the enforcement action.
2. Lack of Transparency Toward Data Subjects
The Agency also found that users were not clearly informed that their personal data was being transferred to a country outside the EEA.
Instead of stating this directly, the operator relied on vague and conditional wording in its privacy notices, suggesting that data “may” be transferred or that processing occurred “as a rule” within the EU.
Such formulations left individuals without a clear understanding of where their data was actually being processed or who might access it.
In situations involving regular, ongoing transfers, this level of ambiguity is insufficient and falls short of the transparency expected from controllers.
By not providing straightforward information, the operator created an environment where users could not meaningfully understand or assess how their personal data was being handled, a gap the regulator treated as a significant compliance failure.
3. Excessive Processing of Employee Data and Disregard of DPO Advice
Another significant issue identified in the decision was the operator’s approach to employee data.
The company collected copies of employees’ identity cards and certificates of no criminal proceedings without demonstrating that such documents were necessary for the purposes they were intended to serve.
These were routine internal processes, yet the level of data collected went beyond what was proportionate or justified.
What makes this finding particularly notable is that the company’s own Data Protection Officer had advised that collecting copies of identity cards was excessive. Despite this guidance, the practice continued.
This illustrates the practical consequence of disregarding internal expertise: the organization not only collected more data than needed, but it also missed an opportunity to correct the issue before it escalated into a regulatory finding.
The case underscores a straightforward principle: employee data must be handled with the same level of justification and restraint as any other category of personal data, and internal expert advice is a key part of maintaining that balance.
4. Processor Oversight: Failure to Conduct Prior Due Diligence
The operator also engaged a processor for telemarketing services without carrying out the level of verification expected before granting access to personal data.
The regulator found that the processor did not have even basic security measures in place, and there was no evidence that the controller had assessed these shortcomings prior to the start of processing.
This is one of the most straightforward obligations under data protection law: before involving any third party in the handling of personal data, the controller must ensure that the processor has appropriate safeguards.
In this case, those checks either did not happen or were not documented, leaving a visible gap in the organization’s oversight of its vendors.
The finding reinforces a consistent regulatory theme: when a processor fails to meet its obligations, the responsibility ultimately returns to the controller.
Due diligence is not a formality; it is a practical requirement that directly shapes how personal data is protected throughout a company’s supply chain.
5. The Role of Internal Expertise and Governance
A notable aspect of this case is the way internal expertise was treated.
The operator had a designated DPO whose role is to advise on compliance and identify risks, yet the company proceeded with practices the DPO had already flagged as problematic.
AZOP explicitly treated the disregard of the DPO’s opinion as an aggravating factor.
This highlights the disconnect between expert guidance and organizational decision-making. The gap matters because it shows how compliance issues often emerge not from a lack of knowledge but from a lack of follow-through.
When the person appointed to oversee data protection identifies a risk and the organization chooses to ignore it, vulnerabilities remain unaddressed until they surface in regulatory proceedings.
In that sense, the case demonstrates that effective governance depends on more than policies and procedures. It requires giving appropriate weight to internal expertise, acting on recommendations when risks are identified, and ensuring that decision-making structures support compliance responsibilities.
Although the decision does not comment on the controller’s internal systems or technologies, several failures relate directly to common third-party management challenges:
- Lack of visibility over processors and their access rights
- Absence of structured due diligence prior to engagement
- Missing audit trails for decisions and assessments
- Failure to track contract timelines or renewal requirements
- Limited oversight of risk changes over time
Structured third-party governance tools, like DPM’s Third Party Management module, can support organizations in addressing these specific areas.
- Organizations can centralize all vendors and associated documentation, improving visibility across the supply chain
- Automated risk assessments and monitoring enable more consistent due diligence
- Centralized audit trails strengthen regulatory accountability and evidence readiness
- Contract management features, such as renewal alerts, help maintain continuity of legal safeguards
This case also highlights how easily gaps emerge in third-party oversight when vendor access, due diligence, contract timelines, and risk monitoring aren’t managed in a structured and traceable way, something our Third-Party Management module directly supports through centralized visibility and audit-ready documentation.
However, tools alone are not a substitute for governance. The decision underscores that compliance ultimately depends on organizational practices, decision-making, and documented consideration of expert advice.
The €4.5 million fine demonstrates a regulatory focus on:
- Sustained oversight of international data transfers,
- Proportional and lawful employee data processing,
- Transparent communication with data subjects,
- and robust management of processors and vendors.
Equally, it confirms that internal governance, including appropriate consideration of the DPO’s advice, plays a central role in risk mitigation.
Organizations seeking to avoid similar findings must pair structured third-party management processes with a governance culture that supports due diligence, transparency, and accountability across all levels of decision-making.