Sports Betting Company Fined for Storage of Payment Data

The Croatian Data Protection Authority (DPA) have investigated a sports bookmaker after receiving a complaint that credit card information was being collected and stored without a legal basis. The initial complaint stated that a manager had taken a two-sided copy of a credit card via email, stored it and used this information for future transactions.

The processing manager was found to have violated GDPR for a number of reasons. Users were not adequately informed about how their data would be processed. They were not informed of the legal basis for processing, the purpose of the processing or the the length of time their data would be stored for.

Additionally, it was found that users were given false or misleading information regarding the processing of their data. The privacy policy stated that bank card numbers were not stored and that the numbers were not accessible to unauthorized people. Users were therefore not made aware that their credit card data was being kept in databases.

The data was also being stored without the necessary safety measures in place to protect the information. Other employees were able to access 655 copies of bank card data and none of that information was redacted in any way. There was no encryption being used when a payment was being made to a card and there was no assessment as to whether the measures in place were secure enough.


The company have been ordered to pay a fine of €380,000 ($410,783 USD) due to the GDPR violations. A number of factors were considered in this decision:

  • The illegality of the processing of sensitive data
  • The degree of responsibility the company took
    • They informed the DPA about how they planned to bring all processing in line with GDPR without prompting
  • The manager involved took a number of mitigating steps:
    • Invested in the payment processing system
    • Deleted all stored copies of bank cards
    • Improved monitoring of data processing activities
    • Educated their employees
A blue gradient background which is darker in the bottom right and lighter in all other corners. In the centre is a logo for Value Privacy. It is value privacy written in white, privacy is bold, value is not and there is a yellow fullstop after privacy. Underneath this logo is written "Making Privacy Simple" in yellow

Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.

You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.

Previous Post

Montana Enacts Consumer Data Privacy Act

Next Post

ANPD Find Lack of Privacy Maturity by Pharmacies