AZOP (Croatia) - Decision 18-05-2023

From GDPRhub
AZOP - Decision of 18 May 2023 - sports betting company
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 18.05.2023
Fine: 380000
Parties: n/a
National Case Number/Name: Decision of 18 May 2023 - sports betting company
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido_Croatia

Following an investigation triggered by a data subject's complaint about the collection of copies of bank cards, the DPA imposed a fine of EUR 380,000 on a sports betting company for several GDPR violations.

English Summary

Facts

The DPA received a complaint that the controller in question was collecting two-sided copies of bank cards by e-mail. Pursuant to its powers, the DPA initiated proceedings ex officio due to the high risk to the rights and freedoms of the data subjects (players, users of the service).

It was established that from June to December 2022 the controller offered players an additional service of paying out winnings to a VISA card, alongside the existing option of paying out funds from the user's account to a bank account.

Holding

The Croatian DPA imposed an administrative fine of EUR 380,000.00 on the controller, a sports betting company, for the following violations of the General Data Protection Regulation (GDPR):

The controller processed personal data, namely copies of the data subjects' bank cards, without a proven legal basis, in violation of Article 6(1) GDPR;
The controller did not adequately inform the data subjects about the processing of the data contained on the copies of bank cards, in violation of Article 13(1) and (2) GDPR;
When designing the new business process for the quick payout service to VISA bank cards, the controller did not implement appropriate technical and organisational measures, in violation of Article 25(1) and (2) GDPR;
The controller did not encrypt the data subjects' personal data stored in its databases and did not regularly test and assess the effectiveness of its technical and organisational measures for ensuring the security of processing, in violation of Article 32(1)(a) and (d) GDPR.

The DPA found that collecting copies of bank cards is not necessary to comply with legal obligations under anti-money laundering legislation, since customer due diligence on players can be carried out without collecting copies of both sides of a bank card. Consequently, the controller unlawfully processed the copies of bank cards using inadequate means of processing and stored them without applying appropriate technical and organisational measures.

The controller also did not inform the data subjects about the processing in question (storage of copies of bank cards) in line with the principle of transparency, so the data subjects were deprived of basic information about the processing, such as its legal basis, purpose and storage period. On the contrary, the Statement on personal data protection measures, which forms part of the Privacy Policy, expressly stated that the controller does not store bank card numbers and that the numbers are not accessible to unauthorised persons.

However, between June and December 2022 the controller's employees had access to 655 of the 2,078 copies of bank cards collected on which the full card data was visible. This amounted to a high-risk exposure of roughly a third of all the data processed, and the data subjects were not even aware that this data was stored in the controller's databases.

Since financial data is regarded as a sensitive category of personal data which, depending on the context and scope of processing, can pose a high risk to the rights and freedoms of data subjects, the controller was obliged to pay particular attention to the security and lawfulness of the processing; this was taken into account as an aggravating circumstance.

As a mitigating circumstance, the DPA took into account the degree of responsibility shown by the controller after the inspection: on its own initiative, it informed the Agency how it planned to bring the processing into line with the GDPR. The controller made additional investments in its payment processes so that the system was improved, copies of bank cards are no longer requested, and all stored copies of bank cards were deleted. The controller also stated that it had improved its business processes for monitoring the processing of personal data and trained its employees.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed an administrative fine of EUR 380,000.00 on the controller, a company organising games of chance (betting games, sports betting), for the following violations of the General Data Protection Regulation:

The controller processed personal data, namely copies of the data subjects' bank cards, for which no legal basis was proven, in violation of Article 6(1) of the General Data Protection Regulation;
The controller did not adequately inform the data subjects about the processing of personal data, namely the data contained on copies of bank cards, in violation of Article 13(1) and (2) of the General Data Protection Regulation;
When creating a new business process for a quick payout service to VISA bank cards, the controller did not implement appropriate technical and organisational measures, in violation of Article 25(1) and (2) of the General Data Protection Regulation;
The controller did not apply the technical measure of encryption to the data subjects' personal data stored in its databases and did not regularly assess the effectiveness of its technical and organisational measures for ensuring the security of processing, in violation of Article 32(1)(a) and (d) of the General Data Protection Regulation.
Namely, the Agency received a citizen's submission about the collection of two-sided copies of bank cards by e-mail by the controller in question. Pursuant to its powers, the Agency initiated proceedings ex officio due to the high risk to the rights and freedoms of the data subjects (players, users of the service).

In the case in question, it was established that from June to December 2022 the controller provided players with an additional service of paying out winnings to a VISA card, in addition to the existing option of paying out funds from the user's account to a bank account. It was determined that the processing, i.e. the collection of copies of bank cards, is not necessary to comply with legal obligations under the Law on Prevention of Money Laundering, since customer due diligence on players can be carried out without collecting copies of both sides of bank cards. As a result, the controller unlawfully processed copies of bank cards using inadequate means of processing and stored them without applying appropriate technical and organisational measures.

The controller also did not inform the data subjects about the processing in question (storage of copies of bank cards) in accordance with the principle of transparency, and the data subjects were thus deprived of basic information about the processing, such as the legal basis, purpose and storage period. Namely, the Statement on personal data protection measures, which forms part of the Privacy Policy, expressly stated that the controller does not store bank card numbers and that the numbers are not accessible to unauthorised persons.

However, in the period June to December 2022 the controller's employees had access to 655 copies of bank cards on which the full data was visible, out of a total of 2,078 copies of bank cards collected. Such processing resulted in a high-risk breach affecting a third of all the data processed, and the data subjects were not even aware that this data was stored in databases.

Given that financial data is considered a sensitive category of personal data which, depending on the context and scope of processing, can pose a high risk to the rights and freedoms of the data subject, the controller was obliged to pay special attention to the security and lawfulness of the processing, which was taken into account as an aggravating circumstance.

As a mitigating circumstance in these proceedings, the Agency took into account the degree of responsibility shown by the controller after the supervision was carried out: on its own initiative, it informed the Agency of the way in which it planned to bring the processing into line with the provisions of the General Data Protection Regulation. The controller thus made additional investments in its payment processes so that the system was improved, delivery of a copy of the bank card is no longer requested, and all stored copies of bank cards were deleted. The controller also stated that it had improved its business processes for monitoring the processing of personal data and trained its employees.