AZOP: Fine of 4.5 million euros goes to Telemach; Telemach rejects this

The Agency for Personal Data Protection (AZOP) confirmed to Hina on Friday that it imposed a fine of 4.5 million euros on Telemach Croatia for violations of the General Data Protection Regulation, while Telemach rejected AZOP’s claims, emphasizing that user data of Telemach in Croatia is secure and that there has been no data leakage.

AZOP announced the fine on Friday due to a violation of provisions, specifically in this case for processing copies of personal identification cards and certificates of non-conviction of employees without legal basis, as well as the failure to undertake appropriate prior control of the data processor.

In response to Hina’s inquiry, AZOP stated on Friday that such a decision regarding the fine was delivered to the telecommunications operator today, that no appeal is allowed, but a court dispute can be initiated within 30 days.

The data controller, i.e., Telemach, transferred personal data of its users to a data processor in Serbia (a company within the group that maintained the software) and based the transfer on standard contractual clauses from April 16, 2020, to no later than December 27, 2022, but after that date, the data controller failed to conclude standard contractual clauses with the data processor in the Republic of Serbia. This means that after the specified date, the transfer of personal data of the respondents occurred without appropriate protective measures, AZOP explains among other things.

Telemach: We strongly reject AZOP’s claims and claims in some media

Telemach Croatia responded that the user data of Telemach in the Republic of Croatia is secure and that there has been no data leakage.

– We strongly reject the claims published on AZOP’s website and in some media and announce that we will take all available legal measures to protect the rights, integrity, and reputation of the company – stated Telemach.

They assert that in the case cited by AZOP, there was no data breach, nor were they forwarded outside Croatia and the EU, and that they were stored exclusively in the territory of the Republic of Croatia, they are secure, and there has been no leakage.

They explain that this is a business collaboration within the parent United Group, of which Telemach is a part, and that the companies that are part of the Group participate in the maintenance and development of business systems, which in certain situations includes access by some experts from outside Croatia to these systems.

– Access to the system was granted exclusively for technical purposes and under precisely defined security conditions. The business functions that take place at the level of United Group do not include the transfer of user data, but exclusively technical supervision and system development in strictly controlled conditions and in accordance with the best technical-security European standards – emphasize Telemach.

The company operates in a highly regulated telecommunications sector, in accordance with the highest standards of personal data protection, and Telemach, as they emphasize, regularly conducts audits and employee training and possesses international certificates (ISO 9001, 27001, 22301), confirming their commitment to quality management, information security, and business continuity.

Additionally, the company has clearly defined personal data protection policies as well as a specialized service that deals with this, along with regular annual risk assessments, they say from that telecom.

They emphasize that during the oversight, they demonstrated full transparency and cooperation and that they were “taken aback by the manner in which the decision was delivered to us, which is not in accordance with applicable regulations.”

– Such conduct undermines the reputation and business of Telemach, and in that segment, we will take legal measures available to us. Once again, we emphasize that the data of all our users is secure, that there has never been any abuse, nor leakage of user data – conclude Telemach.