The Croatian data protection authority (AZOP) handed down its largest penalty under the General Data Protection Regulation (GDPR) to date: a fine of nearly 2.3 million euros (U.S. $2.5 million) against debt collector B2 Kapital.

The enforcement action, announced in English in a May 4 press release by AZOP, is the first to include a GDPR fine surpassing seven figures in the country, according to the GDPR Enforcement Tracker. The previous high recorded was a penalty of €285,000 (then-U.S. $291,000) against a telecommunications firm in July.

The details: AZOP said its investigation uncovered violations of multiple articles of the GDPR at B2, several of which the regulator claims have yet to be remedied.

One such finding was that B2 didn’t properly inform data subjects regarding the processing of their data through its privacy policy, resulting in more than 130,000 instances of nontransparent processing. AZOP said the deficiencies date back to May 2018, when the GDPR took effect.

Another outstanding weakness identified at B2 was that the debt collector has not implemented proper protection measures to ensure the security of personally identifiable information since at least 2019.

AZOP added the firm did not conclude a data processing contract with a third party for the service of monitoring consumer bankruptcy, which resulted in nearly 84,000 customers facing potential risk during the relationship between the two parties from 2019-21.

Compliance considerations: AZOP said in December it received an anonymous complaint regarding B2 that included a USB stick containing the personal information of more than 77,000 individuals who had outstanding debts in credit institutions that could be traced back to B2.

“[A] deficiency in their security system led to insecure processing of personal data on a large scale,” said AZOP of the firm in its release. “[B2] has lost control over the flow of the data subjects’ personal data and could not explain the causes of unauthorized exfiltration … of personal data.”

B2 was also criticized by the regulator for not cooperating in the investigation, including by submitting late responses—or not responding at all—to documentation requests. AZOP added the firm “has not yet informed the agency regarding the additional protection measures taken” to prevent future risks of violations.

Company response: In a statement, B2 disagreed with AZOP’s findings and said “there has been no leak of confidential information relating to clients or debtors from the company’s IT systems.” The firm said it would appeal the regulator’s decision.