On November 14, 2025, Croatia’s data protection authority (AZOP) issued a striking reminder to organisations across Europe that if you transfer personal data outside the EEA, you must keep your safeguards valid, up to date and transparent.
A major telecommunications operator received a €4.5M GDPR fine after continuing to send customer data to Serbia without a lawful transfer mechanism, failing to inform individuals about those transfers, and engaging in a series of additional compliance missteps.
For organisations this is a reminder that data transfers are far from a one-time setup in your data protection programme. It also means that the upcoming updates to the Standard Contractual Clauses (SCCs) are something organisations should start thinking about now.
The case: Transfers based on SCCs…until they weren’t
The telecom operator relied on SCCs to legitimise its transfers of customer data to a Serbian group company responsible for software maintenance. But when the EC updated its SCCs in 2021, the operator failed to replace the old clauses or implement any other transfer tool.
The result is that for nearly two years, the Serbian affiliate, with full admin access to an SAP CRM system holding over 847,000 customer records, operated without any valid transfer instrument in place.
This was not a technicality. It was a direct breach of GDPR, exacerbated by the controller’s failure to conduct a Transfer Impact Assessment (TIA).
Transparency failures
As AZOP emphasised, transparency obligations require organisations to say when personal data is transferred to a third country, not hide behind vague or exceptional-case language.
The operator used statements such as personal data “may be shared with third countries” and data is “as a rule processed within the EU and only exceptionally outside it”, but in reality, transfers to Serbia occurred regularly and systematically.
This violated GDPR, which requires clear, accessible information about third-country transfers, the safeguards used and how individuals can obtain a copy of them. If your organisation consistently shares data with a third country, you must say so plainly. Anything less risks enforcement, particularly in a post-Schrems II landscape where transparency around international transfers is a regulatory priority.
Additional compliance failures
The telecom operator’s exposure grew due to two further issues:
- Excessive processing of employee data: The company collected copies of identity cards and “no criminal record” certificates without a valid legal basis, breaching GDPR. Worse, the DPO explicitly warned that this was excessive and management ignored the advice. AZOP treated this as an aggravating factor, reinforcing the principle that a DPO’s independence must be respected.
- Poor processor due diligence: The operator engaged a processor for telemarketing services without verifying even basic security measures. This failure to perform due diligence contributed to the overall penalty.
A broader lesson?
The case lands at a critical moment. The EC is expected to update the SCCs again in 2026, reflecting:
- evolving international data transfer risks
- new case law
- shifting geopolitical conditions
- the operational realities of modern cloud and AI services
While details of the upcoming update are still emerging, the implications are already clear. Organisations should prepare for yet another transition period once the SCCs are updated in 2026. Any contracts that still rely on older clauses will likely need to be replaced within a defined timeframe, meaning teams will once again face a tight compliance window. In addition, TIAs will need a fresh look. Changes to the SCCs typically alter the expected safeguards and risk assessments, requiring controllers to revisit their analyses to ensure they remain accurate and defensible.
Updating SCCs will also have a ripple effect across an organisation’s wider governance framework. Contracts, vendor arrangements, data maps, privacy notices and records may all need to be reviewed and amended to remain aligned with the new transfer mechanisms. This is why starting early is critical. The 2021 SCC overhaul caught many organisations unprepared, and regulators have made it clear, especially through AZOP’s recent decision, that they will be far less tolerant of delays or incomplete transitions this time.
The Croatian fine demonstrates the consequences of letting SCC updates fall through the cracks. It also provides a preview of the regulatory expectations organisations will face as the 2026 changes approach.
What can organisations do now?
The key action items emerging from this case are straightforward but essential:
- Audit all international transfers. Identify what data leaves the EEA, to whom, and under what conditions.
- Verify that your SCCs are the current versions. If you still rely on pre-2021 SCCs or SCCs that lapsed during organisational restructuring, you are already out of compliance.
- Prepare for the 2026 SCC update now. Maintain a contract inventory and plan for a structured transition.
- Conduct (or refresh) Transfer Impact Assessments. A TIA is not a one-off document. It must reflect reality and be updated when circumstances change.
- Improve transparency in your privacy notices. If you regularly transfer data outside the EEA, say so clearly. Avoid hypothetical wording such as “may”, “exceptionally” or “from time to time”.
- Respect your DPO’s advice. Ignoring a DPO’s recommendations can, and increasingly does, lead to higher fines.
- Perform diligent checks on all processors. Ensure they have security controls, policies, and technical measures that meet GDPR standards before processing begins.
International transfers require vigilance
AZOP’s €4.5M decision is more than a cautionary tale. It’s a roadmap for what EU regulators expect in 2025 and beyond. With SCCs scheduled for another update in 2026, organisations must adopt a proactive approach, treating international data transfer compliance as an ongoing operational responsibility, not a checkbox exercise. In a globalised digital ecosystem, keeping SCCs current and ensuring full transparency isn’t optional anymore.


