AZOP (Croatia) - Decision 18-05-2023
|AZOP - Decision 18-05-2023|
|Relevant Law:||Article 6(1) GDPR; Article 13(1) GDPR; Article 13(2) GDPR; Article 25(1) GDPR; Article 25(2) GDPR|
|National Case Number/Name:||Decision 18-05-2023|
|European Case Law Identifier:||n/a|
|Original Source:||AZOP (in HR)|
English Summary
Facts
A sports betting agency, acting as the controller, offered players (the data subjects) the option of receiving payouts directly to their credit cards instead of by bank transfer. To use this option, players had to send a copy of both sides of the credit card by email. A citizen brought these facts to the attention of the Croatian DPA, which opened an ex officio investigation because of the high risk to the rights and freedoms of the data subjects.
Holding
At the end of the investigation, the DPA found that there was no legal basis for processing copies of both sides of the data subjects' credit cards. In particular, the processing was not necessary to fulfil the controller's obligations under the Anti-Money Laundering Law, so none of the legal bases in Article 6(1) GDPR applied.
In addition, the DPA found that the controller had failed to inform the data subjects of the legal basis for the processing, its purposes and the storage period, in breach of the transparency principle. The DPA treated financial data as a special category of data whose processing entails a high risk. Despite this, data subjects were not given all the information about the processing of their data, which infringes Article 13 GDPR.
Finally, the DPA found that the controller had not encrypted the stored data and had not regularly assessed the effectiveness of its technical and organisational measures for securing the processing, in violation of Article 32(1)(a) and (d) GDPR.
As mitigating circumstances, the DPA took into account that the controller cooperated with the investigation and committed to bringing its conduct into line with the GDPR and to adopting measures that reduce the risks of handling financial information. For example, it committed to investing in the security of its payment processing so that sending copies of both sides of the credit card would no longer be necessary. The controller also committed to deleting the stored data and to training and supervising its employees.
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.