Betting company – €20,000 Fine (Croatia, 2023)
A betting company in Croatia was fined €20,000 for collecting personal data from website visitors without proper consent. The ruling is significant because it reinforces the need for clear cookie consent practices. Website operators should ensure they provide detailed information about cookies and allow users to choose their preferences.
What happened
The betting company collected and processed personal data from website visitors through cookies without a valid legal basis.
Who was affected
Website visitors who interacted with the betting company's site were affected by the improper data collection.
What the authority found
The Croatian DPA found that the company violated GDPR by not obtaining valid consent and failing to provide clear information about cookie usage.
Why this matters
This ruling sets a precedent for cookie consent practices, emphasizing that users must have the option to give separate consent for different types of cookies. Website operators should review their cookie policies to comply with these requirements.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent voluntarily, thereby violating Art. 7 GDPR. AZOP noted that the visitor should give separate consent for each type of cookie according to their functionality, that is, consent cannot be given for „all types of cookies“. In these cases, there was no option for separate granting or revocation of consent for each type of cookie. Lastly, it was determined that the controller did not adequately inform data subjects (website visitors) about the processing of personal data, particularly regarding data processing through cookies, thereby violating Art. 13 (1), (2) GDPR. The controller did not inform transparently on matters such as the legal basis, the function of each cookie, and the cookie retention period.
Violations (5)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (3)
Other enforcement actions involving Betting company in HR
Fine
€20K
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
14 September 2023
Authority
Agencija za zaštitu osobnih podataka
Fine Amount
€20,000
Enforcement Tracker ID
ETid-2061
About this data
Cite as: Cookie Fines. Betting company - Croatia (2023). Retrieved from cookiefines.eu
Last updated: