AZOP (Croatia) - Decision 14-09-2023
| AZOP - Decision 14-09-2023 | |
|---|---|
 | |
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 6(1) GDPR Article 7 GDPR Article 13(1) GDPR Article 13(2) GDPR ePrivacy Directive |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 01.09.2023 |
| Published: | 14.09.2023 |
| Fine: | 20,000 and 30,000 € |
| Parties: | Unknown |
| National Case Number/Name: | Decision 14-09-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in HR) |
| Initial Contributor: | n/a |
The Croatian DPA imposed two administrative fines in the amounts of €20,000 and €30,000 on a gambling and a betting company, due to unlawful data processing via cookies on their websites.
English Summary
Facts
The two companies in question, as controllers, made use of cookies on their websites, but failed to inform data subjects visiting their web pages about the legal basis for installing cookies and collected a combined consent for all types of cookies. Information on how to withdraw one's consent was also missing on the cookie banners.
Holding
The AZOP found three GDPR infringements by both controllers.
First, the AZOP held that, failing to prove the existence of a legal basis for processing of personal data of the visitors of their websites through the use of cookies, the controllers acted contrary to Article 6(1) GDPR.
In this, the controllers also failed to collect valid consents by the data subjects visiting their web pages. Namely, the controllers did not require separate consents for each type of cookie according to their functionality and in some cases there was no option to withdraw one's consent. This, according to the AZOP amounted to a violation of Article 7 GDPR.
Further, the AZOP established that the controllers did not adequately inform the website visitors about the processing of personal data, i.e. about the use of cookies, the legal basis therefore and the period of storage of their personal data, thereby violating Article 13(1) GDPR and Article 13(2) GDPR.
Accordingly, the AZOP decided to impose an administrative fine on each company in line with Article 83(2) GDPR, in the amounts of €20,000 and €30,000 respectively.
Comment
This decision is only available as a press-release on the AZOP website, hence little factual background is given.
Also, it is worth noting that the violations found are all based on GDPR provisions and no mention of the national implementation of the e-Privacy Directive is made, which constitutes the primary legal instrument regulating the use of cookies.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases: The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data). In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie. It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period. When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
