Cyber Risk & Resilience

The €4.5M Governance Gap: Why Compliance Basics Are Your Best Defense

Marcus Ellison
18 Feb 2026

Most companies think they’re safe because they haven’t been hacked. They’re wrong. This is the story of a €4.5M wake-up call that proves governance is about culture, not just code.

Most companies think security is a lock on a door. They think it’s an expensive firewall or a genius hacker in a hoodie.

They’re wrong. Dead wrong.

A Croatian telecom operator just got hit with a €4.5 million fine. And let’s be clear: they didn’t get hacked. They didn’t suffer a "sophisticated" attack. They failed because they were lazy. They served up a "compliance" strategy that was raw, messy, and frankly, embarrassing.

Here is the "menu of failure" that cost them millions. Listen closely, because your organization is likely making the same amateur mistakes.

1. The "Expired" Disaster

They were sending data to Serbia. They had a contract (Standard Contractual Clauses). But then, the contract expired in December 2022.

What did they do? Nothing. They kept the data flowing. They let a Serbian processor keep administrative access to a CRM with 850,000 users. No legal basis. No risk assessment. Just total, unadulterated negligence. You can’t run a world-class operation on expired ingredients.

2. Ambiguity is the Language of Cowards

Their privacy notices didn't tell the truth; they hid behind it. They used words like "may be transferred" or "as a rule." If you are moving data across borders, say it. Be clear. Be direct. When you use "vague" language, you aren't being clever—you’re being deceptive. Regulators hate it, and users deserve better.

3. The "Theater" of the DPO

This is the part that really makes my blood boil. They hired a Data Protection Officer (DPO). They had an expert in the kitchen.

The DPO told them: "Stop collecting employee ID cards. It’s excessive. It’s unnecessary." The company's response? They ignored them. They appointed an expert and then threw their advice in the bin. That isn't governance; it’s compliance theater. And AZOP (the regulator) rightfully treated that arrogance as an "aggravating factor."

4. Zero Due Diligence

They hired a telemarketing vendor. Did they check their security? No. Did they audit their processes? No. They just handed over the keys to the kingdom.

As a controller, you are responsible for the plate until it hits the table. If your vendor is a mess, you are a mess.

The Reality Check

Governance isn't a thick manual gathering dust on a shelf. It’s not a "set it and forget it" software package.

Governance is a culture. It’s the discipline to notice when a contract expires. It’s the integrity to be transparent with your customers. It’s the wisdom to actually listen to the experts you hired.

This €4.5M fine wasn't bad luck. It was the inevitable result of a thousand small, lazy decisions.

Wake up. Stop making excuses, stop the "fluff," and start respecting the data you’ve been trusted with. Because next time, the regulator won't just give you a warning—they’ll shut your kitchen down.
