Betting company

Description

The Croatian DPA (AZOP) has imposed a fine of EUR 30,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent voluntarily, thereby violating Art. 7 GDPR. AZOP noted that the visitor should give separate consent for each type of cookie according to their functionality, that is, consent cannot be given for „all types of cookies“. In these cases, there was no option for separate granting or revocation of consent for each type of cookie. Lastly, it was determined that the controller did not adequately inform data subjects (website visitors) about the processing of personal data, particularly regarding data processing through cookies, thereby violating Art. 13 (1), (2) GDPR. The controller did not inform transparently on matters such as the legal basis, the function of each cookie, and the cookie retention period.