Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Croatia: AZOP fines sports betting company €380,000 for unauthorized processing of personal data

On May 18, 2023, the Personal Data Protection Agency (AZOP) announced that it had imposed a fine of €380,000 on a sports betting company for violations of Articles 6(1), 13(1), 13(2), 25(1), 25(2), and 32(1)(a) of the General Data Protection Regulation (GDPR), following an anonymous report.

Background to the case

In particular, the AZOP highlighted that it received a two-sided copy of a bank card through email, which was provided to the company by customers for payments of bet winnings.

Findings of the AZOP

Following its investigation, the AZOP found that the company made illegal copies of bank cards and stored such copies without appropriate technical and organizational measures. Further, the company did not inform customers about the storage of bank cards, thereby violating Articles 13(1) and 13(2) of the GDPR, through the lack of transparency about the legal basis, purpose, and storage period for such processing.

The AZOP detailed that in its privacy policy, the company provided that the data controller did not store bank card numbers and that the numbers were not accessible to unauthorized persons, despite allowing for the contrary. Therefore, the company violated Article 6(1) of the GDPR through the absence of an appropriate legal basis.

The AZOP also found that multiple employees had full access to the entirety of 655 bank card copies and more limited access to 2,078 bank card copies. Thus, AZOP established that the company violated Articles 25(1) and 25(2) of the GDPR by failing to implement appropriate technical and organizational measures limiting internal access.

Finally, the AZOP noted that the data contained within the bank card copies is considered sensitive personal data, constituting a high risk to the rights and freedoms of the data subjects. In failing to apply technical encryption measures to such personal data the AZOP found the company violated Article 32(1)(a) of the GDPR.


As a result, the AZOP imposed a fine of €380,000 for the aforementioned violations.

You can read the press release, only available in Croatian, here.