An administrative fine of 380,000 EUR imposed on the sports betting company

18 May 2023

The Croatian Personal Data Protection Agency has issued an administrative fine to the data controller – a trading company for organizing games of chance – betting games (a chain of betting shops) in the amount of EUR 380,000.00 due to the following violations of the General Data Protection Regulation:

  1. The data controller has processed personal data, collected copies of bank cards of the data subjects, for which he didn`t identify no legal basis, which represents a violation of Article 6, paragraph 1 of the General Data Protection Regulation;
  2. The data controller did not adequately inform the data subjects about the processing of their personal data, namely regarding the processing of data contained on copies of bank cards, which is a violation of Article 13, paragraphs 1 and 2 of the General Data Protection Regulation;
  3. When creating a new business process for the fast payment service via VISA bank card, the data controller did not implement appropriate technical and organizational measures, therefore he violated Article 25, paragraph 1 and 2 of the General Data Protection Regulation;
  4. The data controller did not apply a technical encryption measure relating to the personal data of the data subjects collected in the controller’s databases and did not on regular basis assess the effectiveness of technical and organizational measures to ensure the security of the processing, which violated Article 32, paragraph 1, point a) and d) of the General Data Protection Regulation.

Namely, the Agency received a complaint from citizen on collection of a two-sided copy of the bank card via electronic mail by the data controller in subject. Pursuant to its powers, the Agency initiated the procedure ex officio due to the high risk for the rights and freedoms of the data subjects (players, users of the service).

It was established that from June to December 2022, the data controller provided to the players an additional service of paying out winners via VISA card, in addition to the already existing possibilities of paying out funds from the user’s account to a bank account. It was established that the processing, namely collecting copies of bank cards is not necessary to comply with the legal obligations prescribed by the Law on Prevention of Money Laundering, since an in-depth analysis of the player can be carried out without collecting copies of both sides of the bank cards. As a result of the above, it was determined that the data controller has illegally processed the copies of bank cards using inadequate tools for processing and stored them without applying appropriate technical and organizational measures.

Also, the data controller did not inform the data subjects about the mentioned processing (storage of copies of bank cards) in accordance with the principle of transparency, and thus the data subjects were deprived of basic information about data processing such as the legal basis, purpose, and storage period. Namely, in the Statement on personal data protection measures, which forms part of the Privacy Policy, it was expressly stated that the data controller does not store bank card numbers and that the numbers are not accessible to the unauthorized persons.

However, in the period from June to December 2022 employees of the data controller had access to 655 copies of bank cards on which the full extent of data was visible, out of a total of 2078 copies of bank cards collected. Such processing resulted in a high-risk violation of one third of the total processed data, and the data subjects were not even aware that this data was stored in databases.

Taking into account that the financial data is considered as sensitive category of personal data, which depending on the context and scope of processing can cause a high risk for the rights and freedoms of the data subject, the controller was obliged to pay special attention to the security and legality of the processing, which was considered as an aggravating circumstance.

n this specific procedure, as a mitigating circumstance, it was taking in to account a degree of responsibility shown by the data controller after the supervision was carried out – on his own initiative, he informed the Agency about the way in which he plans to harmonize the processing with the provisions of the General Data Protection Regulation. Thus, the data controller made additional investments in payment processes in such a way that the system was improved and that the delivering of a copy of the bank card is no longer requested, and that all stored copies of the bank cards were deleted. Also, the data controller stated that he improved the business processes of monitoring the processing of personal data and educated employees.



Skip to content