Croatia’s Data Protection Authority Fines Bank €1.5 Million Over Mobile Banking Privacy Violations
Key Takeaways
- Unlawful Data Collection: The bank collected full lists of installed mobile applications from more than 433,000 users without a valid GDPR legal basis.
- Transparency Failures: Users were not clearly informed that their mobile devices would be scanned, breaching GDPR transparency requirements.
- Data Minimization Breach: Regulators found the data collection excessive and disproportionate, with less intrusive technical alternatives available.
- Sensitive Data Risks: The practice risked exposing special categories of personal data through inference from installed applications.
Deep Dive
Croatia’s Personal Data Protection Agency has imposed an administrative fine of €1.5 million on a bank for multiple violations of the General Data Protection Regulation (GDPR), following findings that the institution unlawfully collected extensive personal data from users of its mobile banking application. The Agency did not publicly identify the bank in its published decision.
The enforcement action stems from a complaint filed by a customer who alleged that the bank’s mobile banking app collected a full list of applications installed on users’ mobile devices. After reviewing the complaint, the Agency launched an ex officio supervisory procedure, citing the potential impact on a large number of individuals.
That concern proved well-founded. Regulators determined that the bank processed personal data relating to 433,922 users through a software solution embedded in its mobile banking application without a valid legal basis under Article 6(1) of the GDPR, in breach of the fairness and lawfulness principles set out in Article 5(1)(a).
According to the Agency, the bank had implemented a program within its Android and Huawei mobile banking applications that scanned users’ devices and transmitted data to the bank’s centralized systems. The information collected included a comprehensive list of all installed applications and programs on each user’s device. The Agency concluded that this practice amounted to a significant, excessive, and unjustified intrusion into users’ privacy.
During the supervisory process, the bank argued that its legal basis for collecting this information derived from EU delegated legislation and Croatia’s Law on Payment Transactions. The Agency rejected that justification, finding that neither framework contained provisions or legislative intent that would permit the collection or storage of a complete inventory of applications installed on a customer’s mobile device.
Transparency failures compounded the violation. When users signed up for the mobile banking service, the bank did not clearly inform them that their personal data would be processed in this manner. Although a privacy information link was available during the app download process, regulators found that the information was designed for general website visitors and failed to address data processing specific to the mobile banking application. References to the collection of application data were described as minimal, vague, and insufficient.
As a result, the Agency concluded that users were effectively kept in the dark about the scope and nature of the data being collected. Essential information was difficult to access, and the processing of personal data through the mobile application was, in practice, carried out covertly.
The regulator also identified failures related to data protection by design and by default. When selecting and implementing the software solution, the bank did not adopt appropriate technical and organizational measures to ensure that only personal data necessary for the stated purpose was processed, as required under Article 25(2) of the GDPR in conjunction with the data minimization principle in Article 5(1)(c).
The Agency noted that less intrusive alternatives were available. For example, the bank could have designed a system that stored information only about applications appearing on a predefined security “blacklist,” rather than retaining a full list of every application installed on users’ devices.
In its decision, the Agency emphasized the heightened risks associated with collecting such broad data sets. Certain applications installed on a mobile device may reveal or imply sensitive personal information, including special categories of data related to health, political opinions, religious beliefs, or sexual orientation. This, the regulator said, further demonstrated the disproportionate nature of the processing activity.
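The two preceding paragraphs describe the design point at the heart of the Article 25(2) finding: a client that matches installed packages against a predefined blocklist locally can report only the matches (or a single flag), so the full inventory, and anything it would let a reader infer about health, politics or religion, never leaves the device. The following Python sketch is an added illustration of that contrast, not the bank's or the regulator's code; the package names, the blocklist and the hashed-blocklist distribution are all constructed assumptions for the demonstration.

```python
"""
Illustrative data-minimization comparison for an installed-app security scan.

Added example; not code from the bank, the regulator or any real product.
All package names and the blocklist below are constructed for the demo.
"""
import hashlib

# Constructed sample of what a device-wide scan would see. The non-banking
# entries are deliberately the kind of app whose mere presence could imply
# special-category data (health, political opinion, religious belief).
INSTALLED_APPS_SAMPLE = [
    "com.example.bank.mobile",        # the bank's own app (constructed name)
    "com.example.health.tracker",     # could imply health information
    "com.example.party.membership",   # could imply political opinion
    "com.example.prayer.times",       # could imply religious belief
    "com.example.overlay.malware",    # hypothetical blocklisted package
]

# Hypothetical security blocklist. It is shipped to the client as SHA-256
# digests so matching happens on the device; note that because package names
# are short and guessable this hides the list from casual inspection only,
# it is not a secrecy mechanism.
BLOCKLIST_PLAINTEXT = ["com.example.overlay.malware", "com.example.keylogger"]


def _digest(package_name: str) -> str:
    return hashlib.sha256(package_name.encode("utf-8")).hexdigest()


BLOCKLIST_DIGESTS = frozenset(_digest(p) for p in BLOCKLIST_PLAINTEXT)


def excessive_payload(installed):
    """The sanctioned design: transmit the complete inventory to the server."""
    return {"installed_apps": sorted(installed)}


def minimized_payload(installed, blocklist_digests=BLOCKLIST_DIGESTS):
    """Data-protection-by-design alternative: match locally, send only matches."""
    matches = sorted(p for p in installed if _digest(p) in blocklist_digests)
    return {"blocklisted_apps": matches}


def flag_only_payload(installed, blocklist_digests=BLOCKLIST_DIGESTS):
    """Most minimal form: one boolean, if the purpose only needs to know risk exists."""
    present = any(_digest(p) in blocklist_digests for p in installed)
    return {"blocklisted_present": present}


def leaked_nonmatching(payload, blocklist_digests=BLOCKLIST_DIGESTS):
    """Review check: every transmitted package name that is NOT on the blocklist.

    An empty result means the payload carries nothing beyond the stated
    security purpose; a non-empty result is exactly the over-collection
    the minimization principle targets.
    """
    sent = set(payload.get("installed_apps", [])) | set(payload.get("blocklisted_apps", []))
    return sorted(p for p in sent if _digest(p) not in blocklist_digests)


if __name__ == "__main__":
    for name, builder in (("excessive", excessive_payload),
                          ("minimized", minimized_payload),
                          ("flag_only", flag_only_payload)):
        payload = builder(INSTALLED_APPS_SAMPLE)
        print(f"{name:9s} payload={payload} leaks={leaked_nonmatching(payload)}")
```

Running the script shows the excessive payload leaking four non-blocklisted packages (including the three that could imply special-category data), while the minimized payload leaks none and the flag-only payload transmits no package names at all. The `leaked_nonmatching` check is the kind of test a privacy review could run against whatever the client actually sends.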
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.