AZOP (Croatia) - Decision 14-09-2023

From GDPRhub
(Redirected from AZOP (Croatia) - /)
AZOP - Decision 14-09-2023
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 7 GDPR
Article 13(1) GDPR
Article 13(2) GDPR
ePrivacy Directive
Type: Investigation
Outcome: Violation Found
Started:
Decided: 01.09.2023
Published: 14.09.2023
Fine: 20,000 and 30,000 €
Parties: Unknown
National Case Number/Name: Decision 14-09-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.

English Summary

Facts

The two companies in question, as controllers, made use of cookies on their websites, but failed to inform data subjects visiting their web pages about the legal basis for installing cookies and collected a combined consent for all types of cookies. Information on how to withdraw one's consent was also missing on the cookie banners.

Holding

The AZOP found three GDPR infringements by both controllers.

First, the AZOP held that, failing to prove the existence of a legal basis for processing of personal data of the visitors of their websites through the use of cookies, the controllers acted contrary to Article 6(1) GDPR.

In this, the controllers also failed to collect valid consents by the data subjects visiting their web pages. Namely, the controllers did not require separate consents for each type of cookie according to their functionality and in some cases there was no option to withdraw one's consent. This, according to the AZOP amounted to a violation of Article 7 GDPR.

Further, the AZOP established that the controllers did not adequately inform the website visitors about the processing of personal data, i.e. about the use of cookies, the legal basis therefore and the period of storage of their personal data, thereby violating Article 13(1) GDPR and Article 13(2) GDPR.

Accordingly, the AZOP decided to impose an administrative fine on each company in line with Article 83(2) GDPR, in the amounts of €20,000 and €30,000 respectively.

Comment

This decision is only available as a press-release on the AZOP website, hence little factual background is given.

Also, it is worth noting that the violations found are all based on GDPR provisions and no mention of the national implementation of the e-Privacy Directive is made, which constitutes the primary legal instrument regulating the use of cookies.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases:

The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data).
 

In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
 

It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period.
When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.