The Croatian Personal Data Protection Agency (AZOP) has imposed an administrative fine of €1.5 million on a bank for serious violations of the General Data Protection Regulation (GDPR) related to the operation of its mobile banking application. The decision sends a strong signal to the financial services sector that mobile app functionality must be carefully aligned with GDPR principles, particularly data minimization, transparency, and privacy by design.

How the Investigation Began
The case originated from user complaints alleging that the bank’s mobile application was collecting information far beyond what was necessary to provide banking services. Following these complaints, AZOP launched a supervisory investigation to examine the technical and organizational measures embedded in the app.
The authority found that the application scanned customers’ mobile devices and collected a full list of installed applications. This information was transmitted to the bank’s systems and stored centrally. The practice affected hundreds of thousands of users and occurred without a clearly defined legal basis or sufficiently transparent disclosure.
Why App Lists Are Sensitive Personal Data
Although a list of installed applications may appear harmless at first glance, AZOP emphasized that such data can reveal highly sensitive aspects of a person’s life. Apps related to health, religion, political activity, or sexuality can indirectly expose special-category data under Article 9 GDPR, and others, such as debt-management apps, reveal a person’s financial circumstances.
Because of this inference risk, supervisory authorities across the EU increasingly treat device-level data as high-risk processing. Collecting comprehensive app inventories goes well beyond what is necessary for authentication, fraud prevention, or service delivery unless narrowly scoped and strictly justified.
Core GDPR Breaches Identified
The authority concluded that the bank violated several foundational GDPR principles:
- It failed to establish a lawful basis for collecting and storing app lists.
- It did not adequately inform users about the scope and purpose of the data collection.
- The processing was disproportionate and incompatible with data minimization requirements.
- Privacy by design and default principles were not properly implemented.
AZOP also noted that less intrusive alternatives were available. Instead of scanning all installed applications, the bank could have relied on limited technical indicators or narrowly defined security checks targeting only known malicious software.
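To make the design difference concrete, the following example (added for this article; it is not the bank’s or AZOP’s code, and every package name, the blocklist and the salt are constructed here) contrasts the over-collecting design, which ships the whole inventory to the server, with a narrowly scoped check: the server publishes salted hashes of the packages it treats as known-malicious, the device does the matching locally, and only a single boolean leaves the device. `inference_surface` counts how many package names a server could learn from each payload.

```python
"""Full app inventory versus an on-device check for known-malicious packages.

Added example for this article, not code from the bank or the regulator.
All package names, the blocklist and the salt below are constructed.
"""
import hashlib
from typing import Iterable

# Constructed sample device inventory (hypothetical package names).
INSTALLED_APPS = [
    "com.example.bank",
    "com.example.messenger",
    "org.example.healthtracker",    # alone, this reveals a health interest
    "com.example.overlay.trojan",   # stands in for a known-malicious package
    "com.example.prayer.times",     # alone, this reveals a religious affiliation
]

# Constructed blocklist of package names the bank treats as known-malicious.
KNOWN_MALICIOUS = {"com.example.overlay.trojan", "com.example.sms.stealer"}

# Salt shipped with the blocklist so the published hashes are specific to it.
BLOCKLIST_SALT = b"example-salt-v1"


def _salted_hash(name: str, salt: bytes) -> str:
    return hashlib.sha256(salt + name.encode("utf-8")).hexdigest()


def build_blocklist_hashes(blocklist: Iterable[str],
                           salt: bytes = BLOCKLIST_SALT) -> frozenset[str]:
    """Server side: publish salted hashes of the blocklist to the app.

    The inventory never has to travel in the other direction.
    """
    return frozenset(_salted_hash(name, salt) for name in blocklist)


def full_inventory_payload(installed: list[str]) -> dict:
    """The over-collecting design: every installed package leaves the device."""
    return {"installed_apps": sorted(installed)}


def minimal_indicator_payload(installed: list[str],
                              blocklist_hashes: frozenset[str],
                              salt: bytes = BLOCKLIST_SALT) -> dict:
    """Narrow check: matching happens on the device, only one boolean is sent.

    Deliberately omits which package matched and how many did; either field
    would start to rebuild the inventory server-side.
    """
    hit = any(_salted_hash(name, salt) in blocklist_hashes for name in installed)
    return {"known_malware_present": hit}


def inference_surface(payload: dict) -> int:
    """Number of distinct package names a server could learn from a payload."""
    return len(set(payload.get("installed_apps", [])))


if __name__ == "__main__":
    hashes = build_blocklist_hashes(KNOWN_MALICIOUS)
    print(full_inventory_payload(INSTALLED_APPS))
    print(minimal_indicator_payload(INSTALLED_APPS, hashes))
```

Two caveats a practitioner should keep in mind. First, hashing each installed package name and sending the hashes to the server is not minimization: package names are a small, enumerable dictionary, so the server can reverse them trivially; the matching has to stay on the device. Second, the narrow check still reads the device’s app list locally, so it still needs a lawful basis, a documented purpose and a transparent notice; what it removes is the central inventory that enables the inferences described above.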
Expanded Regulatory Significance for Financial Institutions
This enforcement action is particularly significant for banks and fintech providers because mobile applications are now a primary customer interface. As digital services expand, institutions often integrate security, analytics, and fraud-detection tools without fully reassessing their data protection implications.
Regulators are making it clear that security objectives do not automatically justify broad data collection. Even where fraud prevention or risk management is invoked, organizations must demonstrate necessity, proportionality, and transparency. Security cannot be used as a blanket justification for intrusive processing.
The case also reinforces that mobile app permissions and background data access are an area of growing supervisory focus. Authorities increasingly expect organizations to understand precisely what data their applications collect at the operating-system level and to document those practices in detail.
Implications for Privacy by Design
Privacy by design is not limited to policy documentation; it must be embedded into technical architecture. AZOP’s decision highlights that privacy considerations should shape app development from the earliest design stages, including decisions about what data is collected, how long it is retained, and whether alternative approaches exist.
For regulated sectors such as banking, this includes close collaboration between compliance teams, developers, cybersecurity staff, and data protection officers. Failure to integrate these perspectives can result in enforcement actions even where there is no data breach or malicious intent.
What Organizations Should Do Now
Organizations operating mobile applications—especially in finance, healthcare, and telecommunications—should view this case as a warning. Regular technical audits of mobile apps, permission reviews, and data-flow mapping are essential. Generic privacy notices are no longer sufficient when complex background processing occurs.
Equally important is documenting decision-making. Organizations must be able to explain not only what data they collect, but why each data element is necessary and how it complies with GDPR principles.
Croatian Data Protection Authority Fines Are Ramping Up
The €1.5 million fine imposed by the Croatian data protection authority underscores the seriousness with which EU regulators are enforcing GDPR in the mobile app ecosystem. Excessive data collection—particularly when it enables sensitive inference—poses unacceptable risks to individuals’ privacy.
For banks and digital service providers, the message is clear: innovation and security must be balanced with strict adherence to data protection law. Mobile applications are no exception to GDPR’s core principles, and failure to respect those principles can result in significant financial and reputational consequences.