
Croatian DPA – AZOP imposed €380,000 GDPR fine on Sports Betting Company


The Croatian Data Protection Agency (AZOP) imposed a €380,000 GDPR fine on a company that organizes games of chance, specifically sports betting.

This is the second fine of such significance issued by AZOP this month. Just a short while ago, AZOP made headlines by imposing a substantial €2.26 million GDPR fine on a debt collection agency – B2 Kapital.

Read AZOP's release (in Croatian): Sportskoj kladionici izrečena upravna novčana kazna od 380.000 eura ("Sports betting operator issued an administrative fine of 380,000 euros").

The company collected copies of bank account cards…

The Agency received a complaint about the company collecting copies of bank account cards via email. Because such processing poses a high risk to the rights and freedoms of the individuals concerned, the Agency initiated an official procedure.

The investigation confirmed that from June to December 2022 the company offered players an additional service, the payout of winnings to VISA cards, and collected copies of the players' bank account cards in order to provide it.

However, AZOP determined that the collection of copies of bank account cards was not necessary in order to comply with legal obligations arising from the Anti-Money Laundering Act, as a thorough analysis of players could be conducted without collecting those copies.

Consequently, the company unlawfully processed copies of bank cards using inadequate processing methods and stored them without implementing appropriate technical and organizational measures.

Violation of the transparency principle

Furthermore, the company did not inform the participants about the specific processing (storage of copies of bank cards) in accordance with the principle of transparency, depriving the participants of essential information about the processing, such as the legal basis, purpose, and retention period.

Moreover, the Privacy Policy explicitly stated that the company does not store bank card numbers and that the data is not accessible to unauthorized individuals.

In reality, of the 2,078 card copies collected, 655 were stored with the full card data visible, and employees of the data controller had access to them.

Roughly one-third of the processed card copies were therefore exposed to a high-risk violation, while the participants were unaware that their data was being stored in the company's databases at all.

Summary of violations

  1. The company processed personal data, specifically copies of bank cards, without demonstrating a legal basis for such processing.
  2. The company failed to adequately inform the participants about the processing of their personal data, specifically the processing of data contained in the copies of bank cards.
  3. When creating a new business process for the fast payout service to VISA bank cards, the company failed to implement appropriate technical and organizational measures.
  4. The company did not apply encryption as a technical measure to the personal data stored in its databases and did not regularly assess the effectiveness of its technical and organizational measures to ensure the security of processing.

Aggravating and mitigating circumstances

AZOP treated financial data as a sensitive category of personal data: it is not a special category under Article 9 GDPR, but, depending on the context and extent of processing, it can pose a high risk to the rights and freedoms of the participants. The company was therefore obligated, but failed, to implement measures ensuring the security and lawfulness of the processing.

As a mitigating circumstance, AZOP mentioned the degree of responsibility shown by the company. The company voluntarily informed the Agency about the measures it planned to take to align the processing with the provisions of the GDPR.

As a result, the company made additional investments in payment processes, improving the system to no longer require the submission of bank card copies.

Want to avoid similar scenarios?

Many companies find themselves grappling with a vague or incomplete understanding of their privacy program.

Demonstrating compliance, identifying areas for improvement, and implementing the necessary technical and organizational measures can prove challenging and resource-intensive.

That is why it can be extremely useful to conduct an independent audit with the help of experts that can pave the way for a robust privacy framework.

The State-of-Privacy-Assessment (SOPA) audit is an external, independent audit that gives you an objective view of the current state of privacy and data protection within your organization.

The audit assesses your GDPR compliance from an organizational and technical point of view to ensure that you are meeting the highest standards of data protection.

The SOPA aims to identify areas of non-compliance and potential data protection risks. It delivers a detailed GDPR compliance maturity report, together with recommendations for improving your privacy program that focus on organizational and technical security measures and on process automation.

