Skip to content
7 min read

Processing of personal data in prize games


We must have the voluntary and unequivocal consent of the participant to process personal data.

Limiting the purpose of data processing

Personal data may be processed only for the purpose of conducting the prize draw. For any other purpose, for example direct marketing, special consent must be obtained.

Reduction of the amount of data

Only the data necessary for the implementation of the prize game is processed.

Storage limitation and transparency

Data must be deleted or anonymized after the purpose for which it was collected ceases. Participants have the right to know which categories of their personal data are being processed and by whom.


When conducting a prize game or contest, companies must ensure that the processing of personal data is done in accordance with the General Data Protection Regulation (GDPR). What are the obligations of the organizer and what are the rights of the participants?

The principles of data protection determined by the GDPR apply to all companies and organizations that store or process personal data of European Union citizens. The law regulating the implementation of the GDPR in Croatia is the Law on the Implementation of the General Regulation on Data Protection (OG 42/18). Given that the GDPR is a binding legislative act, we must apply the principles of personal data protection from the very beginning of the realization of the prize game or competition.

In sweepstakes, the controller is most often the organizer of the sweepstakes, and the categories of data processed are: first and last name, residential address, mobile number, e-mail address.

Considering that prize games are regulated by a special Law and Regulations, it is important to note that the organizer also has a legal basis for processing personal data after obtaining the consent of the participants. For example, the winner's name, surname and address are entered in the Winner's Drawing Record submitted to the Ministry of Finance.

If the value of the prize is greater than EUR 663.61, the organizer must submit to the Ministry of Finance proof of receipt of the prize and the OIB of the winner. This means that the organizer has a legal obligation to collect an additional category of personal data (OIB), but not from all participants, but only from those who have become winners of a valuable prize.

Participants have all the rights prescribed by the General Regulation: information, access, correction, withdrawal of consent, right to data portability and right to deletion. Withdrawal of consent to participate in the prize draw entails the loss of the right to participate, as the participant's personal data is then deleted from the database.

It is not allowed to use the personal data of the prize game participants for the purpose of direct marketing, for example sending a newsletter, but for this purpose it is necessary to ask for additional consent.

Although the Rulebook on organizing prize games does not specify the obligation to announce the winners, it is customary to publish the personal data of the winners in order to familiarize all participants with the results of the prize game.

The Personal Data Protection Agency (AZOP) is the body that oversees the implementation of the General Data Protection Regulation. The Agency has already issued several opinions and solutions related to the processing of personal data in prize games.

What should definitely be avoided is the publication of data to an excessive extent. In one of the decisions published by AZOP in 2022, it can be read that an official warning was issued to a bank. After the end of the prize draw, the bank published the full address and OIB of the winner, in addition to the name and surname. Our recommendation is that, in accordance with the opinion of AZOP, after the end of the prize draw, the name and surname, place of residence, will be published. In addition, information on the extracted account number, which does not belong to the category of personal data, can be published.

The current Rulebook on the organization of prize games was adopted in 2009. In the meantime, there has been a great development of social networks and an increase in the amount of information on the Internet. 

The moment of collecting the main prize is a good opportunity to take photos and record. Photos and videos and recorded material can be published by the organizer through ads and on social networks. However, it is necessary to ask for the special consent of the winner for filming.


The organizers of prize games and contests are obliged to process personal data of participants in accordance with the General Data Protection Regulation (GDPR) and the Law on the Implementation of the General Data Protection Regulation in Croatia.

The general regulation did not significantly change the way prize games are conducted, but it additionally emphasized the obligation of transparency and information of participants. The main document with which we achieve this are the quality rules of the prize game.

In every step of the prize draw implementation, we must be aware that consent only applies to the prize draw; limit the amount of data we process to the necessary data, and take care of technical and organizational measures for secure data storage and processing.