The Croatian Personal Data Protection Authority (AZOP) has imposed a fine of €1.5 million on a bank for serious GDPR violations committed through its mobile banking app, which is used by over 400,000 customers.
The decision in the Erste Bank case, dated December 18, 2025, concerns the indiscriminate collection of the list of apps installed on customers’ smartphones, without a valid legal basis and without adequate notice.
AZOP’s investigation was launched following a report from a customer who had noticed unusual access to data on their device. The investigation found that the bank processed the personal data of 433,922 customers, violating the principles of lawfulness, transparency, and purpose limitation set forth in the GDPR. AZOP also ordered the cessation of the unlawful practices and the adoption of corrective measures, emphasizing the seriousness of the conduct that compromised users’ privacy.
