AZOP (Croatia) - Decision 18-05-2023

From GDPRhub
AZOP - Decision 18-05-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Published: 18.05.2023
Fine: 380000
Parties: n/a
National Case Number/Name: Decision 18-05-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido_Croatia

A controller that collected and stored copies of both sides of data subjects' credit cards was fined €380,000 for violating Articles 6(1), 13(1) and (2), and 25(1) and (2) and 32(1)(a) and (d) GDPR.

English Summary


A sports betting agency, acting as the controller, offered players (the data subjects) the possibility to receive payments directly to their credit cards, instead of receiving a bank transfer. To do so, it required them to submit a copy of both sides of the credit card by email. A citizen brought the facts to the attention of the Croatian DPA, which initiated an ex officio investigation due to the high risk to the rights and freedoms of the data subjects.


At the end of the investigations, DPA found that there was no legal basis for the processing of both sides of the data subjects' credit card. In particular, the processing was not necessary for the fulfillment of the obligations foreseen in the Anti-Money Laundering Law. Therefore, none of the legal bases of Article 6 GDPR could be claimed.

The DPA also found that the controller stored these data for a period longer than necessary and contrary to the provisions of its own privacy policy, which stated that financial data would not be stored. It also found that the controller's employees, in the period between June and December 2022, had access to complete information on more than 655 copies of a total of 2078 collected copies of credit cards. Thus, it held that sufficient techniques and organization were not implemented to protect the rights of data subjects, in violation of Article 25(1) and (2) GDPR.

In addition, the DPA pointed out that the controller failed to inform the data subjects about the legal basis for the processing, its purposes and the period of storage of the data, violating the principle of transparency. It highlighted that financial data is considered a special category of data and its processing entails a high risk. Despite this, data subjects were not aware of all the information regarding the processing of their data, which infringes Article 13 GDPR.

Finally, the DPA found that controller did not implement technical encryption measures to the stored data and did not regularly assessed the effectiveness of technical and organizational measures to ensure the security of the processing, violating Article 32(1)(a) and (d) GDPR.

As mitigating circumstances, the DPA considered that the controller cooperated with the investigations and committed to adjust its conduct to the GDPR and to adopt measures to reduce the risks of handling financial information. For example, it committed to investing in the security of payment processing so that it would be no longer necessary to send both sides of the credit card. In addition, the controller committed to deleting the stored data and to training and monitoring its employees.

Still, a fine of €380,000 was imposed for the violation of Articles 6(1); 13(1) and (2); and 25(1) and (2) GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Agency for the Protection of Personal Data imposed an administrative fine on the data controller - a trading company for organizing games of chance - betting games (sports betting) in the amount of EUR 380,000.00 due to the following violations of the General Data Protection Regulation:

The data controller processed personal data, i.e. copies of bank cards of the respondents, for which no legal basis was proven, which violated Article 6, paragraph 1 of the General Regulation on Data Protection;
The data controller did not adequately inform the respondents about the processing of personal data, i.e. about the processing of data contained on copies of bank cards, which violated Article 13, paragraphs 1 and 2 of the General Data Protection Regulation;
When creating a new business process for a quick payment service to a VISA bank card, the data controller did not implement appropriate technical and organizational measures, which violated Article 25, paragraph 1 and 2 of the General Data Protection Regulation;
The controller did not apply a technical encryption measure to the personal data of the respondents stored in the controller's databases and did not regularly assess the effectiveness of technical and organizational measures to ensure the security of the processing, which violated Article 32, paragraph 1, points a) and d) of the General Regulation on Protection data.
Namely, the Agency received a citizen's submission about the collection of a two-sided copy of the bank card via electronic mail by the processing manager in question. Pursuant to its powers, the Agency initiated the procedure ex officio due to the high risk to the rights and freedoms of the respondents (players, users of the service).

In the case in question, it was established that from June to December 2022, the processing manager provided the players with an additional service of paying out winners to a VISA card, in addition to the already existing possibilities of paying out funds from the user's account to a bank account. It was determined that the processing or collection of copies of bank cards is not necessary in order to comply with legal obligations arising from the Law on Prevention of Money Laundering, since the in-depth analysis of players can be carried out without collecting copies of both sides of bank cards. As a result of the above, the processing manager illegally processed copies of bank cards using inadequate means of processing and stored them without applying appropriate technical and organizational measures.

Also, the data controller did not inform the respondents about the processing in question (storage of copies of bank cards) in accordance with the principle of transparency, and thus the respondents were deprived of basic information about data processing such as the legal basis, purpose and storage period. Namely, in the Statement on personal data protection measures, which forms part of the Privacy Policy, it was expressly stated that the data controller does not store bank card numbers and that the numbers are not accessible to unauthorized persons.

However, employees of the processing manager in the period June - December 2022 had access to 655 copies of bank cards on which the full extent of data was visible out of a total of 2078 copies of bank cards collected. Such processing resulted in a high-risk violation of a third of the total processed data, and the respondents were not even aware that this data was stored in databases.

Given that financial data is considered a sensitive category of personal data, which depending on the context and scope of processing can cause a high risk for the rights and freedoms of the data subject, the controller was obliged to pay special attention to the security and legality of the processing, which was taken taken into account as an aggravating circumstance.

As a mitigating circumstance in the specific procedure, the degree of responsibility shown by the data controller after the supervision was carried out - on his own initiative, he informed the Agency about the way in which he plans to harmonize the processing with the provisions of the General Data Protection Regulation. Thus, the processing manager made additional investments in payment processes in such a way that the system was improved and that the delivery of a copy of the bank card is no longer requested, and that all stored copies of the bank cards were deleted. Also, the processing manager stated that he improved the business processes of monitoring the processing of personal data and educated employees.