AZOP (Croatia) - Decision 04-22-2024 (gambling websites): Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Croatia |DPA-BG-Color= |DPAlogo=LogoHR.png |DPA_Abbrevation=AZOP |DPA_With_Country=AZOP (Croatia) |Case_Number_Name=Decision 04-22-2024 (gambling websites) |ECLI= |Original_Source_Name_1=AZOP |Original_Source_Link_1=https://azop.hr/devet-novih-upravnih-novcanih-kazni-u-ukupnom-iznosu-od-51-000-eura/ |Original_Source_Language_1=Croatian |Original_Source_Language__Code_1=HR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source...") |
mNo edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 65: | Line 65: | ||
}} | }} | ||
The DPA imposed fines of €15,000 and €20,000 respectively on two gambling | The DPA imposed fines of €15,000 and €20,000 respectively on two controllers managing gambling websites, finding that they lacked a legal basis for processing because their cookie banners failed to specify and obtain consent for different processing purposes. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Two controllers that offered gambling and betting activities online included cookie banners on their websites. The banners did not distinguish different purposes for processing, making a single request for consent. | Two controllers that offered gambling and betting activities online included cookie banners on their websites. The banners did not distinguish different purposes for processing, making a single request for consent. The controllers' privacy policies also lacked information about the legal basis for processing, the types of cookies used, the purpose of each cookie and the cookie storage periods. In addition, one of the controllers processed personal data prior to obtaining data subjects' consent. | ||
=== Holding === | === Holding === | ||
The Croatian DPA (AZOP) found that the controllers lacked a legal basis for processing in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]] and failed to inform data subjects pursuant to [[Article 13 GDPR|Article 13 GDPR]]. In addition, one of the controllers began processing data before obtaining consent from data subjects. The AZOP imposed fines of €15,000 and €20,000, respectively, on the controllers. | The Croatian DPA (AZOP) found that the controllers lacked a legal basis for processing in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]] and failed to inform data subjects pursuant to [[Article 13 GDPR|Article 13 GDPR]]. In addition, one of the controllers violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] after it began processing data before obtaining consent from data subjects. The AZOP imposed fines of €15,000 and €20,000, respectively, on the controllers. | ||
Where processing is based on consent and has multiple purposes, cookie banners must indicate the purposes in a clear and understandable manner. They also must clearly distinguish the purposes from each other. In this case, the controllers did not distinguish different purposes for processing in obtaining user consent. Such consent, the AZOP found, did not meet the GDPR's requirements. As a result, consent was not a valid legal basis in this case and the controllers violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. | Where processing is based on consent and has multiple purposes, cookie banners must indicate the purposes in a clear and understandable manner. They also must clearly distinguish the purposes from each other. In this case, the controllers did not distinguish different purposes for processing in obtaining user consent. Such consent, the AZOP found, did not meet the GDPR's requirements. As a result, consent was not a valid legal basis in this case and the controllers violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
Latest revision as of 07:42, 30 April 2024
| AZOP - Decision 04-22-2024 (gambling websites) | |
|---|---|
 | |
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 13(1) GDPR Article 13(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 22.04.2024 |
| Fine: | 35,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | Decision 04-22-2024 (gambling websites) |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in HR) |
| Initial Contributor: | lm |
The DPA imposed fines of €15,000 and €20,000 respectively on two controllers managing gambling websites, finding that they lacked a legal basis for processing because their cookie banners failed to specify and obtain consent for different processing purposes.
English Summary
Facts
Two controllers that offered gambling and betting activities online included cookie banners on their websites. The banners did not distinguish different purposes for processing, making a single request for consent. The controllers' privacy policies also lacked information about the legal basis for processing, the types of cookies used, the purpose of each cookie and the cookie storage periods. In addition, one of the controllers processed personal data prior to obtaining data subjects' consent.
Holding
The Croatian DPA (AZOP) found that the controllers lacked a legal basis for processing in violation of Article 6(1) GDPR and failed to inform data subjects pursuant to Article 13 GDPR. In addition, one of the controllers violated Article 5(1)(a) GDPR after it began processing data before obtaining consent from data subjects. The AZOP imposed fines of €15,000 and €20,000, respectively, on the controllers.
Where processing is based on consent and has multiple purposes, cookie banners must indicate the purposes in a clear and understandable manner. They also must clearly distinguish the purposes from each other. In this case, the controllers did not distinguish different purposes for processing in obtaining user consent. Such consent, the AZOP found, did not meet the GDPR's requirements. As a result, consent was not a valid legal basis in this case and the controllers violated Article 6(1) GDPR.
The AZOP also found that the controllers failed to properly inform data subjects of the processing pursuant to Article 13(1) and (2) GDPR. In particular, their privacy policies did not contain information about the legal basis for processing, types of cookies, purpose of each cookie or cookie storage period.
Finally, the AZOP also noted that one of the controllers was processing personal data from the moment that the data subject opened the webpage even though it had not yet obtained consent. It considered this a violation of the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR.
Comment
This is part of a larger decision. In a separate portion of the decision, the AZOP found that seven hotels, restaurants and hospitality services violated Articles 13 and 27(1) GDPR by using video-surveillance without informing data subjects. Due to the different controllers and violations, this decision has been split into two separate summaries on GDPRhub.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
Nine new administrative fines totaling EUR 51,000
The Personal Data Protection Agency imposed nine new administrative fines in the total amount of 51,000 euros on data controllers for violating the provisions of the General Data Protection Regulation and the Law on the Implementation of the General Data Protection Regulation.
Administrative fines for violating the provisions of the General Data Protection Regulation
Two administrative fines in the amount of 15,000 and 20,000 euros were imposed on managers of gambling and betting activities due to illegal processing of personal data through cookies.
The data controllers collected and processed the personal data of the respondents through cookies without allowing the respondents to give or withdraw their informed and voluntary consent to the processing of personal data through cookies (eng. with which the respondent visited the Internet pages and in that way they remember and monitor his further actions on the Internet pages, and which processing also relates to aspects of personal data), thereby violating Article 6, Paragraph 1, Point a) and, in this connection, Article 7. General regulations on data protection.
In situations where the processing of personal data is based on consent and has multiple purposes, then the text of consent (in this particular case, the cookie banner) must be presented in such a way that it can be clearly distinguished from other purposes, in an understandable and easily accessible form with the use of a clear and simple language. Since in this particular case, the processing managers did not separate the so-called cookie banner and enabled respondents to clearly give consent for different purposes (marketing, analytics/statistics), it is clear that the consent did not meet the legal prerequisites and is therefore not valid as a legal basis.
Upon inspection of the Privacy Policy of both processors, it was determined that the document in question does not contain information about the legal basis, groups/types of cookies, the function/purpose of each cookie, the cookie storage period, that is, the processors did not adequately inform the respondents about the processing of personal data, which Article 13, paragraph 1 and 2 of the General Data Protection Regulation has been violated. Therefore, the processing managers did not inform the respondents about the processing through cookies in accordance with the principle of transparency, and thus the respondents (visitors of the Internet pages) were deprived of information about the processing of their data.
In addition, the data controller, who was fined EUR 20,000, processed the respondents' personal data at the very moment of loading the website, while they had not yet given their consent to the collection of individual cookies, which was unfair, since the respondents did not even know that they already collect their personal data at the moment of accessing the website. This led to unfair processing of personal data of the respondents, which is against the principle of legal, fair and transparent processing of personal data from Article 5, Paragraph 1 of the General Data Protection Regulation.
Administrative fines for violation of the Law on the Implementation of the General Regulation on Data Protection
Seven administrative fines in the total amount of 16,000 euros were imposed on processing managers for not marking the object under video surveillance, i.e. the mark is not visible when entering the recording perimeter and/or the mark does not contain all relevant information. Individual fines from EUR 500 to EUR 4,000 were imposed on hotels, catering establishments and shops.
Namely, in accordance with Article 27, Paragraph 1 of the Act on the Implementation of the General Regulation on Data Protection, the data controller is obliged to mark that the object, i.e., a single room in it, and the external surface of the object are under video surveillance, and the mark must be visible when entering the recording perimeter at the latest.
Paragraph 2 of the aforementioned article stipulates that the notification should contain all relevant information in accordance with the provisions of Article 13 of the General Regulation on Data Protection, and in particular a simple and easy-to-understand image along with the text providing the respondents with the following information:
that the space is under video surveillance
information about the data controller
contact information through which the respondent can exercise his rights
Find more about the processing of personal data through cookies and video surveillance at the link: https://azop.hr/vodici-i-promotivni-materijali-o-zastiti-osobnih-podataka/
