AZOP (Croatia) - Decision 14-09-2023: Difference between revisions

Revision as of 20:57, 1 November 2023

AZOP - Decision 24-9-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 32(1) GDPR
Article 32(4) GDPR
Article 38(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.09.2023
Published: 26.09.2023
Fine: 15000 EUR
Parties: Hotel*
National Case Number/Name: Decision 24-9-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR): https://azop.hr/upravna-novcana-kazna-u-iznosu-od-15-000-eura-izrecena-hotelu/
Initial Contributor: Karlo Paljug

The DPA imposed an administrative fine of EUR 15,000 on a hotel for multiple violations of the GDPR: collecting the card CVV and copies of identity documents without a legal basis, deficient Article 13 information, inadequate security of the booking channels, and appointing the hotel manager as DPO.

English Summary

Facts

The Agency received a complaint from a data subject who stated that, when booking accommodation at the hotel, he was asked to provide the CVV of his credit card (via a form) through a completely unprotected channel (e-mail). He also stated that he had not been given the information required by Article 13 GDPR.

The hotel offered three ways of booking accommodation:
- through a service provider,
- online, through a web form on the hotel's website, and
- through e-mail.
(*Through the web form and by e-mail only the reservation is made; payment is not taken there.)

When booking via the web form, the guest had to enter: name, surname, e-mail address, address and financial data (card number, the card's expiry date, CVV and cardholder name). For a booking via e-mail, the same data plus a copy of a valid identification document with a photograph had to be submitted, all, as the hotel claimed, so that the bank card could not be misused by third parties.

Holding

No legal basis was shown for the processing of the bank card's CVV or of a copy of the identification document, which violates Article 6(1) GDPR. The hotel was under no obligation to collect the CVV, since the accommodation could be booked without it.

The controller did not inform data subjects in a clear and transparent way about the processing of their personal data, neither in the General Terms and Conditions published on the hotel's website nor when collecting personal data through the online form and by e-mail. In particular, guests who booked accommodation were not adequately informed about the collection of the CVV and of a copy of the identification document, contrary to Article 13(1) and (2) GDPR.

Likewise, the form "Consent to the use of personal data", which the controller sends in order to inform data subjects about the processing of their personal data when booking by e-mail, does not contain accurate or complete information.

By not taking appropriate organisational and technical protection measures for the personal data it processed, the controller violated Article 32(1)(a) and (d) and Article 32(4) GDPR: it did not take technical and organisational measures ensuring a level of security appropriate to the risk, including, among other things, encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of those measures.

By appointing the hotel manager as DPO, the controller acted contrary to Article 38(6) GDPR. A DPO may fulfil other tasks and duties, but the controller must ensure that they do not result in a conflict of interests; the hotel manager is largely responsible for management decisions about the processing of personal data, the very processing he would have to monitor as DPO.

Taking the established violations into account, the Agency imposed an administrative fine because of the high risk to the rights and freedoms of data subjects, which the controller was obliged to take into account before processing the personal data in question. The controller is a business whose activity involves processing personal data; in the booking procedure it collected personal data without an appropriate legal basis, and collected personal data that were not necessary for the purpose for which they were collected from data subjects. In deciding on the fine and its amount, the Agency had regard to the criteria in Article 83(2) GDPR, such as the nature, gravity and duration of the violation, whether it was intentional or negligent, and the degree of responsibility of the controller.
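
The two technical findings above (card data collected on a reservation-only channel, and e-mail used for it with no protection) come down to one intake control: a channel that only takes reservations should refuse payment-card data and identity documents instead of accepting and storing them. The script below is an added example written for this page, not code from the AZOP decision or from the hotel; the field names, the allowed-field set and the sample submissions are assumptions chosen to mirror the booking form described in the Facts, and the card number in the samples is the well-known Visa test number, which passes the Luhn check.

```python
"""Refuse payment-card data and ID copies on a reservation-only channel.

Added example for this page; not code from the AZOP decision or the hotel.
Field names, the allowed-field set and the sample inputs are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed minimal field set for a booking that involves no payment.
ALLOWED_FIELDS = {"name", "surname", "email", "address", "check_in", "check_out"}

# Card fields the decision found excessive for a reservation (assumed names).
CARD_FIELDS = {"card_number", "expiry", "cvv", "cardholder_name"}

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC label followed, within a few non-digits, by 3 or 4 digits.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|csc|security code)\D{0,10}(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects roughly 90% of random digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in free text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def check_form(fields: dict[str, str]) -> Verdict:
    """Reject a web-form submission that carries card data or unexpected fields."""
    reasons = []
    for name, value in fields.items():
        if name in CARD_FIELDS:
            reasons.append(f"field '{name}' carries card data that a reservation does not need")
        elif name not in ALLOWED_FIELDS:
            reasons.append(f"unexpected field '{name}'")
        if find_pans(value):  # card numbers typed into free-text fields
            reasons.append(f"field '{name}' contains a Luhn-valid card number")
    return Verdict(not reasons, reasons)


def check_email(body: str, attachment_names: list[str]) -> Verdict:
    """Flag a reservation e-mail that carries card data or document copies.

    E-mail is not an encrypted channel under the hotel's control, so anything
    sensitive that arrives this way is already exposed; a rejection should
    trigger a reply asking the guest not to send it, never storage of it.
    """
    reasons = []
    pans = find_pans(body)
    if pans:
        reasons.append(f"body contains {len(pans)} card number(s)")
    if CVV_RE.search(body):
        reasons.append("body contains a CVV/CVC")
    if attachment_names:
        # A reservation needs no identity document; any attachment gets human review.
        reasons.append(f"{len(attachment_names)} attachment(s) need review (possible ID copy)")
    return Verdict(not reasons, reasons)


# Constructed sample inputs (not from the decision).
SAMPLE_FORM = {
    "name": "Ana", "surname": "Horvat", "email": "ana@example.com",
    "address": "Ilica 1, Zagreb",
    "card_number": "4111 1111 1111 1111", "expiry": "09/26",
    "cvv": "123", "cardholder_name": "Ana Horvat",
}
MINIMAL_FORM = {"name": "Ana", "surname": "Horvat",
                "email": "ana@example.com", "address": "Ilica 1, Zagreb"}
SAMPLE_EMAIL = """Dear hotel, please confirm my reservation for 1-3 Sept.
Card: 4111 1111 1111 1111, valid until 09/26, CVV 123, holder Ana Horvat.
Phone: +385 1 234 5678. Passport copy attached."""

if __name__ == "__main__":
    for label, verdict in [
        ("web form", check_form(SAMPLE_FORM)),
        ("minimal form", check_form(MINIMAL_FORM)),
        ("e-mail", check_email(SAMPLE_EMAIL, ["passport.jpg"])),
    ]:
        print(label, "accepted" if verdict.accepted else "rejected", verdict.reasons)
```

The form check is the data-minimisation half: a reservation form simply has no card fields, and anything a guest pastes into a free-text field is caught by the Luhn filter. The e-mail check is the Article 32 half: the phone number in the sample is not flagged (too short), the card number and CVV are, and the attachment is routed to review rather than filed. Neither check logs the matched digits, because the point is to refuse the data, not to copy it into another system.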

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Personal Data Protection Agency imposed an administrative fine of EUR 15,000.00 (HRK 113,017.50) on the controller (that is, the legal entity within which the hotel in question operates) for the following violations of the General Data Protection Regulation:

The controller processed the personal data of the data subject (a hotel guest) to an excessive extent, namely the bank card's security number (CVC number) and copies of identification documents, when accommodation was booked via the hotel's online form and by e-mail. No legal basis was shown for the processing of the bank card's CVC number or of a copy of the identification document, which violates Article 6(1) of the General Data Protection Regulation. The hotel had no obligation to collect the CVC number from the bank card of the persons who booked the accommodation unit, given that the accommodation could be booked even without submitting the data in question.

The controller did not inform data subjects in a clear and transparent way about the processing of their personal data, either in the General Terms and Conditions document available on the hotel's website or with regard to the collection of personal data when booking hotel accommodation via the online form and via e-mail, contrary to Article 13(1) and (2) of the General Data Protection Regulation. In the specific case, the hotel did not adequately provide guests who booked accommodation with information on the processing of their personal data, including information on the collection of the CVC number and of a copy of the identification document. Under the regulations governing the protection of personal data, the hotel was obliged to inform the guest what types of personal data it collects and for what purpose, the legal basis for the processing, how the personal data are used and by whom, and what measures are taken to protect them. The hotel was obliged to provide all information about the processing of personal data in a concise, comprehensible and easily accessible form, using clear and plain language, and to inform the data subject of all of his rights under the General Data Protection Regulation.

Likewise, the form "Consent to the use of personal data", which the controller sends in order to inform data subjects about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information; in this the controller acted contrary to Article 13(1) and (2) of the General Data Protection Regulation.

By failing to take appropriate organisational and technical protection measures in the processing of data subjects' personal data, the controller violated Article 32(1)(a) and (d) and Article 32(4) of the General Data Protection Regulation. The controller did not take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, among other things, encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

By appointing the hotel manager as data protection officer, the controller acted contrary to Article 38(6) of the General Data Protection Regulation. The data protection officer may fulfil other tasks and duties, but the controller must ensure that such tasks and duties do not result in a conflict of interests. When appointing the data protection officer, the controller had to be aware that a conflict of interests exists in relation to the tasks and duties he performs. The hotel manager's job description shows that he is largely responsible for management decisions about the processing of personal data, while on the other hand, as data protection officer, he is obliged to monitor the compliance of the business's processing of personal data with the regulations governing the protection of personal data.

The Personal Data Protection Agency received a complaint from a citizen who stated that, when booking accommodation at the hotel in question, the hotel requests, as confirmation of the reservation, the credit card's CVC (via a form) sent through completely unprotected channels (via e-mail). The complaint also stated that the prospective guest was not informed who has access to his personal data, i.e. to the identification document he is required to send with the request so that his credit card can be charged.

The hotel in question had three options for booking accommodation: through a service provider, online through a web form on the hotel's website, and through e-mail, with the note that only the reservation, and not the payment, was made through the web form and e-mail.

When booking via the web form, the guest had to enter personal data: name, surname, e-mail address, address and financial data (card number, the card's expiry date, the CVC number and the cardholder's name); for a booking via e-mail, the same data plus a copy of a valid identification document with a photograph had to be submitted, all, as the hotel claimed, so that the bank card could not be misused by third parties.

In the present case, taking into account the violations established, the Agency decided to impose an administrative fine because of the high risk to the rights and freedoms of data subjects, which the controller was obliged to take into account before processing the personal data in question. This is a controller whose business consists of processing personal data, and in the procedure described personal data were collected without an appropriate legal basis, and personal data were collected that are not necessary for the purpose for which they were collected from data subjects when booking hotel accommodation. The Agency also considers that the imposition of the fine will lead the controller to fulfil its obligations in the field of personal data protection in a timely and appropriate manner. When deciding on the imposition of administrative fines and their amounts, regard is had to the provisions of Article 83(2) of the General Data Protection Regulation, such as the nature, gravity and duration of the violation, whether the violation was intentional or negligent, the degree of responsibility of the controller, etc.