Betting company – €20,000 Fine (Croatia, 2023)
A betting company was fined for collecting personal data from website visitors through cookies without proper consent. This is significant because it emphasizes the importance of clear cookie policies and user consent for online businesses. Companies need to ensure they provide clear information about cookies and obtain consent from users.
What happened
A betting company collected and processed personal data from website visitors through cookies without a valid legal basis.
Who was affected
Website visitors whose personal data was collected by the betting company's cookies without their consent.
What the authority found
The Croatian DPA found that the betting company violated GDPR by not providing clear information and failing to obtain valid consent for cookie usage.
Why this matters
This ruling stresses the need for businesses to have transparent cookie policies and to obtain explicit consent from users. It reflects a growing trend of accountability for online data practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent voluntarily, thereby violating Art. 7 GDPR. AZOP noted that the visitor should give separate consent for each type of cookie according to their functionality, that is, consent cannot be given for „all types of cookies“. In these cases, there was no option for separate granting or revocation of consent for each type of cookie. Lastly, it was determined that the controller did not adequately inform data subjects (website visitors) about the processing of personal data, particularly regarding data processing through cookies, thereby violating Art. 13 (1), (2) GDPR. The controller did not inform transparently on matters such as the legal basis, the function of each cookie, and the cookie retention period.
Violations (5)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (3)
Other enforcement actions involving Betting company in HR
Fine
€20K
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
14 September 2023
Authority
Agencija za zaštitu osobnih podataka
Fine Amount
€20,000
Enforcement Tracker ID
ETid-2061
About this data
Cite as: Cookie Fines. Betting company - Croatia (2023). Retrieved from cookiefines.eu
Last updated: