AZOP (Croatia) - Decision 14-09-2023: Difference between revisions

From GDPRhub
No edit summary
Tags: Reverted Visual edit
Line 1: Line 1:
{{DISPLAYTITLE:AZOP (Croatia) - Decision 14-09-2023}}
{{DPAdecisionBOX
{{DPAdecisionBOX


Line 8: Line 7:
|DPA_With_Country=AZOP (Croatia)
|DPA_With_Country=AZOP (Croatia)


|Case_Number_Name=Decision 14-09-2023
|Case_Number_Name=14-9-2023
|ECLI=
|ECLI=


Line 26: Line 25:
|Date_Published=14.09.2023
|Date_Published=14.09.2023
|Year=2023
|Year=2023
|Fine=20,000 and 30,000
|Fine=30000
|Currency=
|Currency=EUR


|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_1=Article 6(1) GDPR
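Review bot: The Fine field goes from "20,000 and 30,000" to "30000", which drops the EUR 20,000 fine although the machine translation further down this page still reports two fines of EUR 20,000.00 and EUR 30,000.00. If the infobox can hold only one amount, the summary should say that a second fine exists. Filling in "Currency=EUR" is a sound addition and should be kept either way.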
Line 42: Line 41:
|GDPR_Article_Link_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=ePrivacy Directive
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Name_2=
|EU_Law_Link_2=
|EU_Law_Link_2=
|EU_Law_Name_3=
|EU_Law_Link_3=


|National_Law_Name_1=
|National_Law_Name_1=
Line 66: Line 63:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=
|Initial_Contributor=Karlo Paljug
|
|
}}
}}


The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.
The Croatian DPA imposed fine in the amount of EUR 30.000 to gambling and betting company due to illegal data processing via cookies.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The two companies in question, as controllers, made use of cookies on their websites, but failed to inform data subjects visiting their web pages about the legal basis for installing cookies and collected a combined consent for all types of cookies. Information on how to withdraw one's consent was also missing on the cookie banners.  
The DPA imposed administrative fine on data controller (gambling and betting company) in the amount of EUR 30,000.00 due to illegal data processing via cookies.


=== Holding ===
=== Holding ===
The AZOP found three GDPR infringements by both controllers.
The DPA concluded that data controller collected and processed the data of website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the GDPR.  


First, the AZOP held that, failing to prove the existence of a legal basis for processing of personal data of the visitors of their websites through the use of cookies, the controllers acted contrary to [[Article 6 GDPR#1|Article 6(1) GDPR]].  
In the same way, the data controller did not adequately provide information to the data subjects, i.e. voluntarily give and/or withdraw their consent, which violated Article 7. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.


In this, the controllers also failed to collect valid consents by the data subjects visiting their web pages. Namely, the controllers did not require separate consents for each type of cookie according to their functionality and in some cases there was no option to withdraw one's consent. This, according to the AZOP amounted to a violation of [[Article 7 GDPR]].
It was established that the data controller did not adequately inform the website visitors about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2.
 
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
Further, the AZOP established that the controllers did not adequately inform the website visitors about the processing of personal data, i.e. about the use of cookies, the legal basis therefore and the period of storage of their personal data, thereby violating [[Article 13 GDPR#1|Article 13(1) GDPR]] and [[Article 13 GDPR#2|Article 13(2) GDPR]].  
 
Accordingly, the AZOP decided to impose an administrative fine on each company in line with [[Article 83 GDPR#2|Article 83(2) GDPR]], in the amounts of €20,000 and €30,000 respectively.  


== Comment ==
== Comment ==
This decision is only available as a press-release on the AZOP website, hence little factual background is given.
AZOP has imposed 2 similar fines to different data controllers for illegal data processing via cookies.
 
Also, it is worth noting that the violations found are all based on GDPR provisions and no mention of the national implementation of the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009L0136 e-Privacy Directive] is made, which constitutes the primary legal instrument regulating the use of cookies.  


== Further Resources ==
== Further Resources ==
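Review bot: The new lead sentence and the Facts paragraph describe a single EUR 30,000 fine on one company, while the Comment line of the same revision says AZOP imposed 2 similar fines and the translated decision lists both amounts. The Facts section also now restates the outcome instead of what the controllers did (no information on the legal basis, one combined consent for all cookie types, no information on withdrawing consent). Suggest keeping the two-fine wording and the factual paragraph, retaining the [[Article 6 GDPR#1|Article 6(1) GDPR]]-style wikilinks that are replaced here by plain "Art. 6, paragraph 1", and writing the amount the same way in both places ("EUR 30.000" and "EUR 30,000.00" both appear).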
Line 102: Line 94:
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:


The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data).
The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the data controllers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (eng. cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages and in this way remembers and monitors his further actions on the Internet pages, which processing also relates to aspects of personal data).
   
   


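Review bot: In the Article 6 paragraph only the second occurrence of "processing managers" becomes "data controllers"; the sentence still opens with "The processing managers", and the preceding paragraph calls the same companies "data processors". Use one term throughout the translation. The added "eng." before "cookies" is redundant in an English text and can be dropped.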
Line 110: Line 102:
It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
You can find more about the processing of personal data through cookies at the link https://azop.hr/obrada-osobnih-podataka-kolacici/, as well as in the Cookie Guide.
</pre>
</pre>
{{DEFAULTSORT:AZOP_(Croatia)_-_Decision_14-09-2023}}

Revision as of 20:49, 1 November 2023

AZOP - 14-9-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 7 GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 01.09.2023
Published: 14.09.2023
Fine: 30000 EUR
Parties: Unknown
National Case Number/Name: 14-9-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Karlo Paljug

The Croatian DPA imposed a fine of EUR 30,000 on a gambling and betting company for unlawful data processing via cookies.

English Summary

Facts

The DPA imposed an administrative fine of EUR 30,000.00 on the data controller (a gambling and betting company) for unlawful data processing via cookies.

Holding

The DPA concluded that the data controller collected and processed the data of website visitors through cookies without a legal basis, which violated Article 6(1) GDPR.

Likewise, the data controller did not adequately inform the data subjects and so did not enable them to voluntarily give and/or withdraw their consent, which violated Article 7. The visitor must give separate consent for each type of cookie according to its functionality; consent cannot be combined for all types of cookies. In the specific cases there was no option to give or withdraw consent separately for each type of cookie.

It was established that the data controller did not adequately inform website visitors about the processing of personal data through cookies, which violated Article 13(1) and (2).

When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions of Article 83(2), such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.

Comment

AZOP has imposed two similar fines on different data controllers for unlawful data processing via cookies.

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies, in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations of the General Data Protection Regulation in both cases:

The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the data controllers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies are small files that the Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages and in this way remembers and monitors his further actions on the Internet pages, which processing also relates to aspects of personal data).
 

In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
 

It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.

 

You can find more about the processing of personal data through cookies at the link https://azop.hr/obrada-osobnih-podataka-kolacici/, as well as in the Cookie Guide.