According to the International Association of Privacy Professionals (IAPP), the Croatian data protection authority has fined 20 million euro a credit institution for violating the EU's GDPR. The authority stated that the company breached Article 15(3) of the GDPR with its refusal to honor requests of nearly 2,500 clients who sought to access the personal information shared in credit documents held by the institution. Additionally, the DPA found that the institution did not take appropriate actions to protect the rights of the data subjects.