Croatian Data Protection Authority (azop)-Sports betting operator (5/18/2023)

During its investigation, AZOP found that the controller had collected personal data (including copies of bank cards) of data subjects without a valid legal basis. In 2022, players had the option to have their winnings paid out not only via their bank account but also via their Visa card. The controller collected copies of the bank cards with the intention of complying with requirements of the national Money Laundering Act. However, AZOP found that the collection of the copies was not necessary to comply with the requirements of the Money Laundering Act and that the processing of the data was therefore unlawful.

In this context, AZOP also found that the controller had not sufficiently informed the data subjects about the processing of their personal data, in particular, it was expressly stated that the data controller does not store bank card numbers and that the numbers are not accessible to the unauthorized persons. Accordingly, the information provided to the data subjects was missing information on the legal basis, purpose of collection and retention period of the personal data.

The controller also failed to take sufficient technical and organizational measures to protect personal data relating to the establishment of payment processes via Visa bank cards, as well as for the storage of data contained in the controller’s databases.

As a result, in 2022 the controller collected copies of a total of 2078 bank cards, of which 655 copies were fully accessible.

In assessing the fine amount, AZOP took into account as an aggravating factor that financial data is particularly sensitive data and the controller therefore should have taken special measures to protect it.

As a mitigating circumstance, it was taken into account that the controller had announced that it would bring its processing procedures in line with the GDPR and had deleted all secured copies of the bank cards.