Betting company – €15,000 Fine (Croatia, 2024)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such as the cookie banner, must be clearly distinguishable, easily accessible, and use language that is clear and simple to understand. However, in this specific case, the data controller failed to separate the cookie banner, preventing data subjects from giving clear consent for different purposes like marketing or analytics. Furthermore, an examination of the privacy policy of the data controller revealed deficiencies. This document lacked information regarding the legal basis for data processing, types of cookies used, the purpose of each cookie, and the duration of cookie storage. Consequently, data subjects were not adequately informed about the processing of their personal data, breaching Art. 13 (1) and (2) GDPR. This failure to inform data subjects about cookie processing violated the transparency principle, depriving website visitors of crucial information about how their data was handled.