Betting company – €20,000 Fine (Croatia, 2024)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such as the cookie banner, must be clearly distinguishable, easily accessible, and use language that is clear and simple to understand. However, in this specific case, the data controller failed to separate the cookie banner, preventing data subjects from giving clear consent for different purposes like marketing or analytics. Moreover, the DPA found that the controller processed personal data of data subjects as soon as they accessed the webpage, even before they consented to certain cookies. This practice was considered unfair since the data subjects were unaware that their personal data was being collected at the time of website access. Such unfair processing violates the principle of lawful, fair, and transparent processing of personal data outlined in Art. 5 (1) GDPR. Furthermore, an examination of the privacy policy of the data controller revealed deficiencies. This document lacked information regarding the legal basis for data processing, types of cookies used, the purpose of each cookie, and the duration of cookie storage. Consequently, data subjects were not adequately informed about the processing of their personal data, breaching Art. 13 (1) and (2) GDPR. This failure to inform data subjects about cookie processing violated the transparency principle, depriving website visitors of crucial information about how their data was handled.