Debt collector EOS Matrix said it will challenge a General Data Protection Regulation (GDPR) penalty levied against it by the Croatian data protection authority (AZOP) after finding the data in question in the case does not match the data in its database.

AZOP announced a penalty of nearly 5.5 million euros (U.S. $5.8 million) against EOS Matrix on Oct. 5 for violating the GDPR regarding the protection and processing of individuals’ personal data. The regulator’s investigation was informed by an anonymous complaint it received in March that EOS Matrix had processed the personal data of a large number of debtors without authorization.

AZOP said it received a USB stick containing more than 180,000 personal data points for individuals with outstanding debts to initial creditors purchased by EOS Matrix. It found the company did not implement sufficient technical protection measures to ensure proper processing and safeguarding of its data, among other alleged violations.

EOS Matrix, in a translated statement on the front page of its website, battled back against the claims, saying independent forensic tests it had conducted on the data set “established that the data submitted to AZOP differ(s) significantly from the data contained in the [EOS Matrix] database.”

“The [test] confirms that EOS Matrix is not the source of data that was the subject of AZOP supervision,” the company said. “… Controls of the system and business processes have shown that there is no evidence that data was taken out of the EOS Matrix system without authorization.”

The company said it filed a criminal complaint against the “unknown perpetrator” behind the provision of the data set. EOS Matrix added it fully cooperated with AZOP’s investigation and that it “intend(s) to use all legal remedies at our disposal to protect our own legitimate interests and take all other legal actions in order to preserve our rights (and) protect the reputation of the company and all our stakeholders.”

In its release, AZOP acknowledged it hasn’t determined how the more than 180,000 data points were exfiltrated and whether a criminal offense occurred.