Sports betting operator – €380,000 Fine (Croatia, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Croatian sports betting company was fined EUR 380,000 for collecting bank card copies without a valid reason. The company failed to inform users properly about how their data was used and did not protect it adequately. This case emphasizes the importance of having a clear legal basis for data collection and ensuring data security.
What happened
The sports betting operator collected copies of bank cards without a valid legal basis and failed to inform users adequately.
Who was affected
Customers of the sports betting operator whose bank card copies were collected without proper legal justification.
What the authority found
The authority determined that the company unlawfully collected bank card copies and did not provide sufficient information to users about data processing.
Why this matters
This case serves as a reminder that companies must have a clear legal basis for collecting personal data and must inform users transparently about data use. It also stresses the need for strong data protection measures, especially for sensitive financial information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Croatian DPA (AZOP) has imposed a fine of EUR 380,000 on a sports betting operator. AZOP had received a complaint from a data subject stating that the controller had obtained a copy of their bank card. During its investigation, AZOP found that the controller had collected personal data (including copies of bank cards) of data subjects without a valid legal basis. In 2022, players had the option to have their winnings paid out not only via their bank account but also via their Visa card. The controller collected copies of the bank cards with the intention of complying with requirements of the national Money Laundering Act. However, AZOP found that the collection of the copies was not necessary to comply with the requirements of the Money Laundering Act and that the processing of the data was therefore unlawful.
In this context, AZOP also found that the controller had not sufficiently informed the data subjects about the processing of their personal data; in particular, it was expressly stated that the data controller does not store bank card numbers and that the numbers are not accessible to unauthorized persons. Accordingly, the information provided to the data subjects was missing information on the legal basis, purpose of collection and retention period of the personal data. The controller also failed to take sufficient technical and organizational measures to protect personal data relating to the establishment of payment processes via Visa bank cards, as well as for the storage of data contained in the controller's databases. As a result, in 2022 the controller collected copies of a total of 2078 bank cards, of which 655 copies were fully accessible.
In assessing the fine amount, AZOP took into account as an aggravating factor that financial data is particularly sensitive data and the controller therefore should have taken special measures to protect it. As a mitigating circumstance, it was taken into account that the controller had announced that it wou
Related Enforcement Actions (0)
No other enforcement actions found for Sports betting operator in HR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 May 2023
Authority
Agencija za zaštitu osobnih podataka
Fine Amount
€380,000
Enforcement Tracker ID
ETid-1859
About this data
Cite as: Cookie Fines. Sports betting operator - Croatia (2023). Retrieved from cookiefines.eu