Details:
Summary | The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such as the cookie banner, must be clearly distinguishable, easily accessible, and use language that is clear and simple to understand. However, in this specific case, the data controller failed to separate the cookie banner, preventing data subjects from giving clear consent for different purposes like marketing or analytics.
Moreover, the DPA found that the controller processed personal data of data subjects as soon as they accessed the webpage, even before they consented to certain cookies. This practice was considered unfair since the data subjects were unaware that their personal data was being collected at the time of website access. Such unfair processing violates the principle of lawful, fair, and transparent processing of personal data outlined in Art. 5 (1) GDPR. |
Link: | link |
Related articles: | Art. 6 (1) a) GDPR, Art. 7 GDPR, Art. 13 (1), (2) GDPR |
Type: | Insufficient legal basis for data processing |
Fine: | EUR 20,000 |
Sector | Industry and Commerce |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/