AZOP (Croatia) - Decision 14-09-2023: Difference between revisions

From GDPRhub
mNo edit summary
Tags: Reverted Visual edit
m (Reverted edits by Karlo Paljug (talk) to last revision by SR)
Tag: Rollback
 
(24 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{DISPLAYTITLE:AZOP (Croatia) - Decision 14-09-2023}}
{{DPAdecisionBOX
{{DPAdecisionBOX


Line 7: Line 8:
|DPA_With_Country=AZOP (Croatia)
|DPA_With_Country=AZOP (Croatia)


|Case_Number_Name=Decision 1-9-2023
|Case_Number_Name=Decision 14-09-2023
|ECLI=
|ECLI=


|Original_Source_Name_1=AZOP
|Original_Source_Name_1=AZOP
|Original_Source_Link_1=https://azop.hr/upravna-novcana-kazna-u-iznosu-od-15-000-eura-izrecena-hotelu/
|Original_Source_Link_1=https://azop.hr/upravne-novcane-kazne-zbog-neovlastene-obrade-osobnih-podataka-putem-kolacica/
|Original_Source_Language_1=Croatian
|Original_Source_Language_1=Croatian
|Original_Source_Language__Code_1=HR
|Original_Source_Language__Code_1=HR
Line 19: Line 20:
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=


|Type=Complaint
|Type=Investigation
|Outcome=Upheld
|Outcome=Violation Found
|Date_Started=
|Date_Started=
|Date_Decided=01.09.2023
|Date_Decided=01.09.2023
|Date_Published=26.09.2023
|Date_Published=14.09.2023
|Year=2023
|Year=2023
|Fine=15000
|Fine=20,000 and 30,000
|Currency=EUR
|Currency=


|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_2=Article 13(1) GDPR
|GDPR_Article_2=Article 7 GDPR
|GDPR_Article_Link_2=Article 13 GDPR#1
|GDPR_Article_Link_2=Article 7 GDPR
|GDPR_Article_3=Article 13(2) GDPR
|GDPR_Article_3=Article 13(1) GDPR
|GDPR_Article_Link_3=Article 13 GDPR#2
|GDPR_Article_Link_3=Article 13 GDPR#1
|GDPR_Article_4=Article 32(1) GDPR
|GDPR_Article_4=Article 13(2) GDPR
|GDPR_Article_Link_4=Article 32 GDPR#1
|GDPR_Article_Link_4=Article 13 GDPR#2
|GDPR_Article_5=Article 32(4) GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=Article 32 GDPR#4
|GDPR_Article_Link_5=
|GDPR_Article_6=Article 38(6) GDPR
|GDPR_Article_6=
|GDPR_Article_Link_6=Article 38 GDPR#6
|GDPR_Article_Link_6=
|GDPR_Article_7=
|GDPR_Article_Link_7=
|GDPR_Article_8=
|GDPR_Article_Link_8=


|EU_Law_Name_1=
|EU_Law_Name_1=ePrivacy Directive
|EU_Law_Link_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Name_2=
|EU_Law_Link_2=
|EU_Law_Link_2=
|EU_Law_Name_3=
|EU_Law_Link_3=


|National_Law_Name_1=
|National_Law_Name_1=
Line 55: Line 54:
|National_Law_Link_2=
|National_Law_Link_2=


|Party_Name_1=Hotel*
|Party_Name_1=Unknown
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
Line 67: Line 66:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Karlo Paljug
|Initial_Contributor=
|
|
}}
}}


The DPA has imposed an administrative fine in the amount of EUR 15,000.00 to the hotel due to multiple violations of the GDPR provisions.
The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Agency received a report from a data subject who stated that when booking accommodation in the hotel, it had been requested CVV of the credit card (via a form) through completely unprotected channels (via e-mail). Also, he was not informed in the terms of the article 13.
The two companies in question, as controllers, made use of cookies on their websites, but failed to inform data subjects visiting their web pages about the legal basis for installing cookies and collected a combined consent for all types of cookies. Information on how to withdraw one's consent was also missing on the cookie banners.  
The hotel had three options for booking accommodation:
- through the service provider,
- online reservation through a web form, and
- through e-mail,  
(*through the web form and e-mail only reservation can be made without payment)
 
When making a reservation via the web form, it was necessary to enter: name, surname, e-mail address, address and financial data (card number, date and year until which the card is valid, CVV number and name of the card holder), while for the reservation via e-mail, it was necessary to submit the specified information and a copy of a valid identification document with a photo, all for the reason that there would be no misuse of the bank card by third parties, as claimed by the hotel.


=== Holding ===
=== Holding ===
In the case in question, and taking into account the established violations, the Agency decided to impose an administrative fine due to the existence of a high risk for the rights and freedoms of the respondents, which the data controller was obliged to take into account before processing the personal data in question. So, we are talking about a data controller whose business consists of processing personal data, and through the aforementioned procedure, personal data was collected without the existence of an appropriate legal basis, and personal data were collected that are not necessary for the purpose for which they were collected from the respondents during the reservation of hotel accommodation.  
The AZOP found three GDPR infringements by both controllers.


The existence of a legal basis has not been proven for the processing of the CVV number of the bank card and a copy of the personal document, which violates Article 6, paragraph 1 of the GDPR. .
First, the AZOP held that, failing to prove the existence of a legal basis for processing of personal data of the visitors of their websites through the use of cookies, the controllers acted contrary to [[Article 6 GDPR#1|Article 6(1) GDPR]].  
The controller did not inform the data subject in a clear/transparent way about the processing of personal data. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel.  


At the same time, the form "Consent to the use of personal data", which the controller submits for the purpose of providing information to the data subjects about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information.
In this, the controllers also failed to collect valid consents by the data subjects visiting their web pages. Namely, the controllers did not require separate consents for each type of cookie according to their functionality and in some cases there was no option to withdraw one's consent. This, according to the AZOP amounted to a violation of [[Article 7 GDPR]].  


By not taking appropriate organizational and technical protection measures in the processing of the personal data  there was a violation of Article 32. The controller did not take appropriate technical and organizational measures, all to ensure an adequate level of security with regard to the risk, including, among other things, encryption of personal data and the implementation of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures.
Further, the AZOP established that the controllers did not adequately inform the website visitors about the processing of personal data, i.e. about the use of cookies, the legal basis therefore and the period of storage of their personal data, thereby violating [[Article 13 GDPR#1|Article 13(1) GDPR]] and [[Article 13 GDPR#2|Article 13(2) GDPR]].  


By appointing the hotel manager as a DPO, the data controller acted contrary to the provisions of Article 38, paragraph 6. Namely, the data protection officer can fulfill other tasks and duties, however, the data controller ensures that such tasks and duties do not lead to a conflict of interest.
Accordingly, the AZOP decided to impose an administrative fine on each company in line with [[Article 83 GDPR#2|Article 83(2) GDPR]], in the amounts of €20,000 and €30,000 respectively.  


== Comment ==
== Comment ==
''Share your comments here!''
This decision is only available as a press-release on the AZOP website, hence little factual background is given.
 
Also, it is worth noting that the violations found are all based on GDPR provisions and no mention of the national implementation of the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009L0136 e-Privacy Directive] is made, which constitutes the primary legal instrument regulating the use of cookies.


== Further Resources ==
== Further Resources ==
Line 107: Line 100:


<pre>
<pre>
The Personal Data Protection Agency imposed an administrative fine in the amount of EUR 15,000.00 (113,017.50 kuna) to the hotel's processing manager (that is, the legal entity within which the hotel in question operates), due to the following violations of the General Data Protection Regulation:
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:
 
The processing manager processed the personal data of the respondent (hotel guest) to an excessive extent, namely data on the security number of the bank card (CVC number), as well as copies of personal documents when booking hotel accommodation via the hotel's online form and by e-mail. The existence of a legal basis has not been proven for the processing of the CVC number of the bank card and a copy of the personal document, which violates Article 6, paragraph 1 of the General Data Protection Regulation. The hotel had no obligation to collect the CVC number from the bank card of the persons who made the reservation of the accommodation unit, considering that the reservation of the accommodation was possible even without submitting the data in question.
The controller did not inform the respondents in a clear/transparent way about the processing of their personal data through the General Terms and Conditions document, which is available on the hotel's website, and regarding the collection of personal data when booking hotel accommodation via an online form and via e-mail, and what contrary to the provisions of Article 13, paragraphs 1 and 2 of the General Data Protection Regulation. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel, including information on the collection of data on the CVC number and a copy of the identification document. Bearing in mind the provisions of the regulations governing the protection of personal data, the hotel was obliged to inform the guest what types of personal data it collects for what purpose, the legal basis for personal data processing, how personal data is used, that is, who uses personal data and what measures protection of personal data undertaken. The hotel was obliged to provide all information about the processing of personal data in a concise, comprehensible and easily accessible form, using clear and simple language, and was obliged to inform the respondent of all his rights according to the General Data Protection Regulation.
At the same time, the form "Consent to the use of personal data", which the controller submits for the purpose of providing information to respondents about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information, thus the controller acted contrary to the provisions of Article 13. paragraph 1 and 2 of the General Data Protection Regulation.
By not taking appropriate organizational and technical protection measures in the processing of the personal data of the respondents by the processing manager, there was a violation of Article 32, paragraph 1. a) and d) and paragraph 4 of the General Regulation on Data Protection. The controller did not take appropriate technical and organizational measures, all to ensure an adequate level of security with regard to the risk, including, among other things, encryption of personal data and the implementation of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.
By appointing the hotel manager as a data protection officer, the data controller acted contrary to the provisions of Article 38, paragraph 6 of the General Data Protection Regulation. Namely, the data protection officer can fulfill other tasks and duties, however, the data controller ensures that such tasks and duties do not lead to a conflict of interest. When appointing a data protection officer, the controller had to be aware that there is a conflict of interest in relation to the tasks and duties he performs. From the job description of the hotel manager, it is evident that he is largely responsible for making management decisions at the level of personal data processing, while on the other hand, as a data protection officer, he is obliged to monitor the compliance of the business in the processing of personal data with the regulations governing the protection of personal data.
The Agency for the Protection of Personal Data received a report from a citizen who stated that when booking accommodation in the hotel in question, confirmation of the reservation is requested by sending a CVC credit card (via a form) through completely unprotected channels (via e-mail). Likewise, in the received application, it was stated that the potential guest was not informed who has access to his personal data, i.e. the personal document that he is obliged to send when requesting a hotel in order to be able to charge his credit card.


Namely, the hotel in question had three options for booking accommodation - through the service provider, online reservation through a web form on the hotel's website and through e-mail, with a note that only the reservation was made through the web form and e-mail, and not the payment.
The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data).


When making a reservation via the web form, it was necessary to enter the guest's personal data: name, surname, e-mail address, address and financial data (card number, date and year until which the card is valid, CVC number and name of the card holder), while for the reservation via e-mail, it was necessary to submit the specified information and a copy of a valid identification document with a photo, all for the reason that there would be no misuse of the bank card by third parties, as claimed by the hotel.
In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.


In the case in question, and taking into account the established violations, the Agency decided to impose an administrative fine due to the existence of a high risk for the rights and freedoms of the respondents, which the data controller was obliged to take into account before processing the personal data in question. So, we are talking about a data controller whose business consists of processing personal data, and through the aforementioned procedure, personal data was collected without the existence of an appropriate legal basis, and personal data were collected that are not necessary for the purpose for which they were collected from the respondents during the reservation. hotel accommodation. Also, the Agency believes that the imposition of a fine will lead to the controller fulfilling its obligations in the field of personal data protection in a timely and appropriate manner.
It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
</pre>
</pre>
{{DEFAULTSORT:AZOP_(Croatia)_-_Decision_14-09-2023}}

Latest revision as of 08:51, 2 November 2023

AZOP - Decision 14-09-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR; Article 7 GDPR; Article 13(1) GDPR; Article 13(2) GDPR; ePrivacy Directive
Type: Investigation
Outcome: Violation Found
Started:
Decided: 01.09.2023
Published: 14.09.2023
Fine: €20,000 and €30,000
Parties: Unknown
National Case Number/Name: Decision 14-09-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.

English Summary

Facts

The two companies in question, as controllers, used cookies on their websites but failed to inform the data subjects visiting those websites about the legal basis for installing the cookies, and collected a single combined consent for all types of cookies. Information on how to withdraw consent was also missing from the cookie banners.

Holding

The AZOP found three GDPR infringements by both controllers.

First, the AZOP held that, having failed to prove a legal basis for processing the personal data of their website visitors through cookies, the controllers acted contrary to Article 6(1) GDPR.

In addition, the controllers failed to collect valid consent from the data subjects visiting their websites: they did not obtain separate consent for each type of cookie according to its functionality, and in some cases there was no option to withdraw consent at all. According to the AZOP, this amounted to a violation of Article 7 GDPR.

Further, the AZOP established that the controllers did not adequately inform website visitors about the processing of their personal data, i.e. about the use of cookies, the legal basis for that use and the period for which their personal data would be stored, thereby violating Article 13(1) GDPR and Article 13(2) GDPR.

Accordingly, the AZOP decided to impose an administrative fine on each company in line with Article 83(2) GDPR, in the amounts of €20,000 and €30,000 respectively.

Comment

This decision is only available as a press release on the AZOP website, hence little factual background is given.

It is also worth noting that the violations found are all based on GDPR provisions; no mention is made of the national implementation of the e-Privacy Directive, which is the primary legal instrument regulating the use of cookies.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies, in the amounts of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations of the General Data Protection Regulation in both cases:

The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Article 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be lawful, at least one of the legal bases from the article in question must exist, which in this particular case the processing managers did not fulfil, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies being small files that the internet browser stores on the computer, mobile device or other device with which the respondent visited the web pages, and by means of which his further actions on those web pages are remembered and monitored, which processing also concerns personal data).

In the same way, the data controllers did not adequately provide information to the respondents, i.e. did not enable the respondents to be sufficiently informed and to voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to its functionality, that is, consent cannot be combined for all types of cookies, and in the specific cases there was no option to give/withdraw consent separately for each type of cookie.

It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Article 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the processing in question in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about the data processing, such as the legal basis, the function of each cookie and the cookie storage period.

When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83, paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation was intentional or negligent; the degree of responsibility of the data controller, etc.