Croatia: AZOP fines sports betting company €380,000 for unauthorized processing of personal data
On May 18, 2023, the Personal Data Protection Agency (AZOP) announced that it had imposed a fine of €380,000 on a sports betting company for violations of Articles 6(1), 13(1), 13(2), 25(1), 25(2), and 32(1)(a) of the General Data Protection Regulation (GDPR), following an anonymous report.
Background to the case
In particular, the AZOP highlighted that the anonymous report it received by email contained a two-sided copy of a bank card (both faces, and therefore the card number, expiry date and, typically, the security code printed on the reverse) that a customer had provided to the company so that bet winnings could be paid out.
Findings of the AZOP
Following its investigation, the AZOP found that the company copied customers' bank cards without a legal basis, in breach of Article 6(1) of the GDPR, and stored those copies without appropriate technical and organizational measures. Further, the company did not inform customers that the card copies were being stored, and in particular gave no information about the legal basis, the purpose, or the storage period of that processing, thereby violating Articles 13(1) and 13(2) of the GDPR.
The AZOP also found that multiple employees had full access to all of 655 bank card copies and more limited access to a further 2,078 bank card copies. On that basis, the AZOP established that the company violated Articles 25(1) and 25(2) of the GDPR (data protection by design and by default) by failing to implement technical and organizational measures restricting internal access to what each employee actually needed.
Finally, the AZOP noted that the data contained in the bank card copies is of a sensitive nature, so that its unauthorized disclosure poses a high risk to the rights and freedoms of the data subjects. Because the company did not encrypt this data at rest, the AZOP found that it had violated Article 32(1)(a) of the GDPR, which lists encryption among the measures to be considered for securing processing.
As a result, the AZOP imposed a fine of €380,000 for the aforementioned violations.
You can read the press release, only available in Croatian, here.