AZOP (Croatia) - Decision 14-09-2023
AZOP - / | |
---|---|
Authority: | AZOP (Croatia) |
Jurisdiction: | Croatia |
Relevant Law: | Article 6(1) GDPR Article 7 GDPR Article 13(1) GDPR Article 13(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 01.09.2023 |
Published: | 14.09.2023 |
Fine: | 30000 EUR |
Parties: | Unknown |
National Case Number/Name: | / |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Croatian |
Original Source: | AZOP (in HR) |
Initial Contributor: | Karlo Paljug |
The Croatian DPA imposed fine in the amount of EUR 30.000 to gambling and betting company due to illegal data processing via cookies.
English Summary
Facts
The DPA imposed administrative fine on data controller (gambling and betting company) in the amount of EUR 30,000.00 due to illegal data processing via cookies.
Holding
The DPA concluded that data controller collected and processed the data of website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the GDPR.
In the same way, the data controller did not adequately provide information to the data subjects, i.e. voluntarily give and/or withdraw their consent, which violated Article 7. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
It was established that the data controller did not adequately inform the website visitors about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2. When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
Comment
AZOP has imposed 2 similar fines to different data controllers for illegal data processing via cookies.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases: The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the data controllers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (eng. cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages and in this way remembers and monitors his further actions on the Internet pages, which processing also relates to aspects of personal data). In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie. It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period. When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc. You can find more about the processing of personal data through cookies at the link https://azop.hr/obrada-osobnih-podataka-kolacici/, as well as in the Cookie Guide.