AZOP (Croatia) - Decision 14-09-2023: Difference between revisions

From GDPRhub
No edit summary
Tags: Manual revert Reverted Visual edit
m (Reverted edits by Karlo Paljug (talk) to last revision by SR)
Tag: Rollback
 
(19 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{DISPLAYTITLE:AZOP (Croatia) - Decision 14-09-2023}}
{{DPAdecisionBOX
{{DPAdecisionBOX


Line 7: Line 8:
|DPA_With_Country=AZOP (Croatia)
|DPA_With_Country=AZOP (Croatia)


|Case_Number_Name=/
|Case_Number_Name=Decision 14-09-2023
|ECLI=
|ECLI=


|Original_Source_Name_1=AZOP
|Original_Source_Name_1=AZOP
|Original_Source_Link_1=https://azop.hr/wp-content/uploads/2023/08/24012022_Otkrivanje-osobnih-podataka-trecoj-osobi.pdf
|Original_Source_Link_1=https://azop.hr/upravne-novcane-kazne-zbog-neovlastene-obrade-osobnih-podataka-putem-kolacica/
|Original_Source_Language_1=Croatian
|Original_Source_Language_1=Croatian
|Original_Source_Language__Code_1=HR
|Original_Source_Language__Code_1=HR
Line 19: Line 20:
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=


|Type=Complaint
|Type=Investigation
|Outcome=Rejected
|Outcome=Violation Found
|Date_Started=
|Date_Started=
|Date_Decided=24.01.2022
|Date_Decided=01.09.2023
|Date_Published=24.01.2022
|Date_Published=14.09.2023
|Year=2022
|Year=2023
|Fine=
|Fine=20,000 and 30,000
|Currency=
|Currency=


|GDPR_Article_1=Article 4 GDPR
|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_Link_1=Article 4 GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_2=Article 5 GDPR
|GDPR_Article_2=Article 7 GDPR
|GDPR_Article_Link_2=Article 5 GDPR
|GDPR_Article_Link_2=Article 7 GDPR
|GDPR_Article_3=Article 6 GDPR
|GDPR_Article_3=Article 13(1) GDPR
|GDPR_Article_Link_3=Article 6 GDPR
|GDPR_Article_Link_3=Article 13 GDPR#1
|GDPR_Article_4=
|GDPR_Article_4=Article 13(2) GDPR
|GDPR_Article_Link_4=
|GDPR_Article_Link_4=Article 13 GDPR#2
|GDPR_Article_5=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=
|EU_Law_Name_1=ePrivacy Directive
|EU_Law_Link_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Name_2=
|EU_Law_Link_2=
|EU_Law_Link_2=
|EU_Law_Name_3=
|EU_Law_Link_3=


|National_Law_Name_1=Postal Service Act
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=


|Party_Name_1=Center for Social Welfare
|Party_Name_1=Unknown
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
Line 60: Line 63:
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Not appealed
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Karlo Paljug
|Initial_Contributor=
|
|
}}
}}


The DPA rejected complaint of the data subject who had stated that his rights were violated because data controller sent compensation via postal service.
The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The DPA received a request for determination of violation of the right in which data subject states that the Center for Social Welfare brought Decision by which the data subject is recognized with a guaranteed minimum of compensation. In this regard, the data subject points out how his compensation for the September was not paid through a current account, but the employee of the Croatian Post has brought him compensation. On that occasion employee asked him for his ID card.
The two companies in question, as controllers, made use of cookies on their websites, but failed to inform data subjects visiting their web pages about the legal basis for installing cookies and collected a combined consent for all types of cookies. Information on how to withdraw one's consent was also missing on the cookie banners.  
Therefore, the data subject considers that data controller disclosed his personal data about him as a user of the social benefit without his authorization.


=== Holding ===
=== Holding ===
The DPA rejected the complaint.  
The AZOP found three GDPR infringements by both controllers.


It emphasized that the right to protection of personal data is not absolute right, and it should be considered in relation to its function in society and harmonized with other fundamental rights in accordance with the principle of proportionality.
First, the AZOP held that, failing to prove the existence of a legal basis for processing of personal data of the visitors of their websites through the use of cookies, the controllers acted contrary to [[Article 6 GDPR#1|Article 6(1) GDPR]].  
Also, DPA noted that Postal Service Act prescribe the conditions for performance of its services. In connection, GTC of Croatian Post prescribe in article 47 that the sender, receiver or other authorized person proves his identity, between
among other things, with an identity card, and the type and number of the identification document that established the identity
it is entered in the corresponding place of the postal document.


Namely, in the specific case there was a legitimate purpose and legal basis from Articles 5 and 6 of the GDPR for forwarding certain personal data to Croatian Post.
In this, the controllers also failed to collect valid consents by the data subjects visiting their web pages. Namely, the controllers did not require separate consents for each type of cookie according to their functionality and in some cases there was no option to withdraw one's consent. This, according to the AZOP amounted to a violation of [[Article 7 GDPR]].  


DPA pointed out that the method of delivery/payment of the user's minimum fee is not in jurisdiction of this Agency, but it is the decision of the data controller himself in accordance with the special regulation.
Further, the AZOP established that the controllers did not adequately inform the website visitors about the processing of personal data, i.e. about the use of cookies, the legal basis therefore and the period of storage of their personal data, thereby violating [[Article 13 GDPR#1|Article 13(1) GDPR]] and [[Article 13 GDPR#2|Article 13(2) GDPR]].
 
Accordingly, the AZOP decided to impose an administrative fine on each company in line with [[Article 83 GDPR#2|Article 83(2) GDPR]], in the amounts of €20,000 and €30,000 respectively.  


== Comment ==
== Comment ==
''Share your comments here!''
This decision is only available as a press-release on the AZOP website, hence little factual background is given.
 
Also, it is worth noting that the violations found are all based on GDPR provisions and no mention of the national implementation of the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009L0136 e-Privacy Directive] is made, which constitutes the primary legal instrument regulating the use of cookies.


== Further Resources ==
== Further Resources ==
Line 97: Line 100:


<pre>
<pre>
1
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:
REPUBLIC OF CROATIA
 
PROTECTION AGENCY
The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data).
PERSONAL DATA
CLASS:
 
NUMBER:
In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
Zagreb, January 24, 2022.
Personal Data Protection Agency, OIB: 28454963989 based on Article 57 paragraph
 
1 and Article 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27
It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
data and repealing Directive 95/46/EC (hereinafter referred to as the General Protection Regulation
data) SL EU 119, Article 34 of the Law on the Implementation of the General Regulation on Data Protection ("People's
novine" no. 42/18) and Article 96 of the Act on General Administrative Procedure ("Narodne novine" no.
47/09 and 110/21), and regarding the request to determine the violation of the right to the protection of personal data
x yields the following
SOLUTION
Request x to establish a violation of the right to personal data protection is rejected as
ungrounded.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to protection of personal data x (hereinafter: the applicant)
in which he states that the Center for Social Welfare y (hereinafter referred to as the processing manager) brought
Decision, CLASS..., NUMBER: ... by which the applicant is recognized with a guaranteed minimum
compensation and in which it is determined that the same will be paid to the applicant as a beneficiary on a monthly basis,
through the competent center for social welfare to a current account. In this regard, the applicant points out how
his compensation for the month of September was not paid through a current account, but through the company of Croatia
pošte d.d. and points out that an employee of the said company visited him when he arrived at his home
address, asked for an identity card and the signing of the receipt. Therefore, the applicant considers it as it is
the processing manager disclosed personal data about him as a user of the Social Center without authorization
care and society Hrvatska pošta d.d.
2
Along with his request, the applicant submitted the Decision of the Center for Social Welfare y, CLASS:
.., NUMBER: ... from ... year; Decision of the Center for Social Welfare y, CLASS: .., NUMBER: .. of
... years; Complaint sent to the Center for Social Welfare y and the response from the Center for Social Welfare y,
CLASS: .., NUMBER: .... years.
The request is not founded.
First of all, it should be noted that from May 25, 2018, in the Republic of
In Croatia, Regulation (EU) 2016/679 of the European Parliament is directly and bindingly applied
of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on
free movement of such data and repealing Directive 95/46/EC (General
data protection regulation) SL EU L119.
The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a)
lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness,
transparency"); (b) collected for specific, express and lawful purposes and may not be further
process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate,
relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction
amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken
in order to ensure that personal data that are not accurate, taking into account the purposes for which
process, delete or correct without delay ("accuracy"); (e) stored in a form that enables
identification of the respondent only for as long as is necessary for the purposes for which it is personal
data processing ("storage limitation"); (f) processed in the manner in which it is secured
adequate security of personal data, including protection against unauthorized or illegal access
processing and from accidental loss, destruction or damage by applying appropriate technical or
organizational measures ("integrity and confidentiality").
Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful
if and to the extent that at least one of the following is met: (a) the subject has given consent
to process your personal data for one or more specific purposes; (b) processing is necessary for
execution of a contract to which the respondent is a party or to take action upon request
of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations
processing; (d) processing is necessary to protect the key interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task of public interest or in the exercise of official authority
processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party
parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who
require the protection of personal data.
3
Also, it should be emphasized that the right to protection of personal data is not absolute
the law itself must be considered in relation to its function in society and should be harmonized
with other fundamental rights in accordance with the principle of proportionality.
As a separate law, we cite the Postal Services Act ("Narodne novine", number:
144/12, 153/13, 78/15 and 110/19) regulating postal services, prescribe the conditions for
performance of these services and for the provision and financing of universal service, govern the rights,
obligations and responsibilities of providers and users of postal services, conditions of access to the postal network,
issuance of postage stamps of the Republic of Croatia and surcharge stamps is determined by jobs
Croatian regulatory agencies for network activities in the part related to regulatory
tasks in the field of postal services, performing inspection supervision in the field of postal services
services, and regulate other issues related to the performance of postal services.
Also, Article 44 of the aforementioned Act stipulates that the provider of postal services
obliged to adopt general conditions for the performance of postal services in domestic and/or international
traffic. Based on the quoted article, Hrvatska pošta d.d. is on July 1, 2021.
passed the General Terms and Conditions for the provision of universal services, which regulate the manner and conditions
performance of the universal service provided by HP-Hrvatska pošta d.d., delivery deadlines,
method and conditions of payment for postal services, method of marking payment for postal services on
to the postal shipment, the responsibility of HP d.d. and compensation for damage and the submission and settlement procedure
complaints of users of postal services.
In this connection, it is necessary to point out article 47 of the aforementioned General Terms and Conditions, in which
stipulated that the sender, receiver or other authorized person proves his identity, between
among other things, with an identity card, and the type and number of the identification document that established the identity
it is entered in the corresponding place of the postal document.
Furthermore, by looking at the Answer, CLASS: .., CODE: .. from ... which is the Center for
social care y as a processing manager delivered to the applicant, it is clear that the manager
processing, informed the applicant that he had sent the amounts through the mail.
As a result of the above, on the basis of the submitted evidence in this administrative matter it was established
that the Center for Social Welfare, as the processing manager, did not provide personal data for use
of the applicant for this to an unauthorized recipient/third party and in this sense the request
rejects the applicant as unfounded.
Namely, in the specific case there was a legitimate purpose and legal basis from Article 5 i
6. General regulations on data protection for forwarding certain personal data to a third party
(company Hrvatska pošta d.d.), and all so that the applicant could realize the right that belongs to him
in accordance with the adopted Decision, CLASS: .., NUMBER: .. from the year ... or the right to
guaranteed minimum compensation.
4
In this regard, it should be emphasized that in the conducted procedure it was not determined that
personal data of the applicant were forwarded by the processing manager to the company
Hrvatska pošta d.d. to a greater extent than is necessary for the specific purpose of guaranteed delivery
minimum fees and that the applicant has not proven in any way that the information about him is as
to the user of the Center for Social Care, disclosed to a third party without authorization.
Likewise, in the specific case it was established that the company Hrvatska pošta d.d.
during the delivery/payment of the guaranteed minimum compensation, it complied with the prescribed procedures and
in accordance with Article 47 of the General Terms and Conditions for the provision of universal services, identity verification
of the applicant as the payee.
Additionally, and further to the applicant's statement that he is guaranteed a minimum compensation
should have been paid to the current account as determined by the Decision, CLASS: .., NUMBER: ...
from ... year, we point out that the method of delivery/payment of the user's minimum fee is not in
jurisdiction of this Agency, but it is the decision of the processing manager himself in accordance with the special
regulation.
In conclusion, and taking into account all the circumstances of the specific case, there is no evidence that
indicate that the applicant's personal data were processed contrary to the General provisions
regulations on data protection.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court
by the court in Zagreb within 30 days from the date of delivery of the decision.
DEPUTY DIRECTOR
Igor Vulje
Deliver:
1.
2.
3. Stationery, here.
</pre>
</pre>
{{DEFAULTSORT:AZOP_(Croatia)_-_Decision_14-09-2023}}

Latest revision as of 08:51, 2 November 2023

AZOP - Decision 14-09-2023
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 7 GDPR
Article 13(1) GDPR
Article 13(2) GDPR
ePrivacy Directive
Type: Investigation
Outcome: Violation Found
Started:
Decided: 01.09.2023
Published: 14.09.2023
Fine: 20,000 and 30,000 €
Parties: Unknown
National Case Number/Name: Decision 14-09-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.

English Summary

Facts

The two companies in question, as controllers, made use of cookies on their websites, but failed to inform data subjects visiting their web pages about the legal basis for installing cookies and collected a combined consent for all types of cookies. Information on how to withdraw one's consent was also missing on the cookie banners.

Holding

The AZOP found three GDPR infringements by both controllers.

First, the AZOP held that, failing to prove the existence of a legal basis for processing of personal data of the visitors of their websites through the use of cookies, the controllers acted contrary to Article 6(1) GDPR.

In this, the controllers also failed to collect valid consents by the data subjects visiting their web pages. Namely, the controllers did not require separate consents for each type of cookie according to their functionality and in some cases there was no option to withdraw one's consent. This, according to the AZOP amounted to a violation of Article 7 GDPR.

Further, the AZOP established that the controllers did not adequately inform the website visitors about the processing of personal data, i.e. about the use of cookies, the legal basis therefore and the period of storage of their personal data, thereby violating Article 13(1) GDPR and Article 13(2) GDPR.

Accordingly, the AZOP decided to impose an administrative fine on each company in line with Article 83(2) GDPR, in the amounts of €20,000 and €30,000 respectively.

Comment

This decision is only available as a press-release on the AZOP website, hence little factual background is given.

Also, it is worth noting that the violations found are all based on GDPR provisions and no mention of the national implementation of the e-Privacy Directive is made, which constitutes the primary legal instrument regulating the use of cookies.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:

The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data).
 

In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
 

It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.