More than two years have passed since the EU General Data Protection Regulation entered into force, and Croatia's Personal Data Protection Agency, AZOP, has for a long time been (reasonably) criticized as being inactive, not having imposed a single fine up to mid-2020. Now that AZOP is finally active, it seems that it either has a specific agenda — protecting the right of access to credit documentation against banks — or is searching for a breach where it might be easy to find, purporting the amount of data each bank processes every single day.

To recall, AZOP imposed its first GDPR fine, 20 million euros, in March 2020 to a credit institution, the name of which has remained confidential, alleging that the institution breached Article 15(3) of the GDPR by failing to enable access to personal data — credit documentation to nearly 2,500 clients. Now again, the AZOP’s second action concerns fining a bank for the breach of Article 15(3) of the GDPR.

Apparently, the bank charged 197,00 Croatian Kuna (approximately 2,700 euros) to a data subject for providing copies of his credit documentation. According to the public statement given by the data subject’s attorney, AZOP argued bank clients should, at any time, have the easiest possible access to all documents containing their personal data, which is a direct embodiment of the Article 15(3) of the GDPR. Charging fees (even small ones as in this case) for providing copies of credit documentation presents a financial barrier to access personal data, and AZOP explains that such a barrier is especially accentuated in case of borrowers burdened with credit.

The bank claimed that charging fees is reasonable due to the administrative costs they have when copying and providing access to copies of credit documentation, even though the GDPR clarifies that controllers may charge a reasonable fee based on administrative costs only if data subjects request further copies, which was not the case and has been sufficiently stressed by AZOP.

As AZOP has still not published a formal decision, the exact amount of the fine remains unknown and is eagerly expected. It will indeed be interesting to see how AZOP will calculate the fine, as the amount of the charged fee is pretty small even for Croatian standards. Will AZOP concentrate more on the amount of the charged fee or raising the public awareness that the right of access must be respected?

Irrespective of the final amount of the fine, AZOP’s decision might be an interesting precedent. Namely, in this case, besides claiming administrative costs, the bank “defended” itself, arguing that charging fees for copies of credit documentation presents a “usual business practice” justified by the Act on Consumer Credit. The bank claimed that the act is the only relevant legal source for the preparation and delivery of credit documentation and related actions and, thus, that the access to credit documentation is outside the GDPR’s domain.

First, by analyzing the respective act, it seems that it does not at all regulate the procedure and charging fees for providing copies of credit documentation; it only mentions the consumer’s right to be informed in a timely manner and free of charge of the results of insight in databases conducted for creditworthiness assessment, which takes place before the conclusion of credit agreements. Secondly, the act does not (or, in any case, could) clash with the GDPR rules and principles, for which Article 2 clearly states the material scope and application. The bank statements might thus be perceived as a lack of understanding of the GDPR and other national laws outside the data protection and privacy scheme.

There is one more and quite strong reason for why this AZOP decision might be very important.

The reason why the bank client requested his credit documentation is that he needs it to file a claim for the repayment of a prepaid debt related to a housing loan agreement concluded in Swiss francs. As is publicly well-known, the currency exchange clause in Swiss franc-denominated loans issued by the banks has been quite a legal and economical scandal in Croatia, which ultimately resulted in major consumer win against banks following the class-action lawsuit. Having this in mind, and together with the observed fact that the bank claimed charging a fee for providing copies of credit documentation is "usual business practice," which means it has been doing this for a long time now (although for the GDPR’s right of access, only the period post-May 2018 is relevant), the question is: What about the fees already charged for obtaining copies of credit documentation?

According to the Croatian newspapers, which published AZOP’s decision to the public, credit documentation has been requested by several thousand Croatian citizens in the past two years, which, pursuant to the unofficial information, equals approximately million Kuna (approximately 131,900 euros) of charged fees. It can thus be expected that more claims for breaches of Article 15(3) of the GDPR will follow this AZOP decision and that AZOP might actually profile itself as a "guardian of right of access (to credit documentation)."

Photo by Niels Bosman on Unsplash