Agency in Croatia Fines Bank €1.5 Million for GDPR Violations

The Croatian Personal Data Protection Agency (AZOP) has imposed an administrative fine of €1.5 million on a bank for multiple violations of the General Data Protection Regulation (GDPR). The proceedings were initiated following a user complaint claiming that the mobile banking application collected a list of all installed applications and programs on clients’ mobile devices.

The supervisory authority found that the bank processed the personal data of 433,922 users without a valid legal basis through software embedded in mobile banking applications for Android and Huawei devices. The disputed program scanned the content of mobile phones and centrally stored, among other data, complete lists of installed applications, which was assessed as a serious, excessive, and unjustified intrusion into users’ privacy.

During the proceedings, the bank referred to regulations in the field of payment services, but the Agency concluded that these rules do not justify such data collection practices. It was additionally established that users were not provided with clear and transparent information about the processing of personal data when contracting mobile banking services.

The information available via the application was general in nature, intended for visitors to the bank’s website, and did not specifically relate to data processing within the mobile app. The Agency also determined that the bank failed to apply the principle of “data protection by design,” as it could have implemented less intrusive solutions, such as processing only applications included on a so-called blacklist.

It was particularly emphasized that certain applications may reveal sensitive data, including information related to health, political views, or religious beliefs. This is the thirteenth administrative fine imposed by the Agency in 2025, bringing the total amount of fines issued this year to €6.7 million.
