Source: Legal Update from the field of GDPR, Spring 2022, Weinhold Legal
The Office for Personal Data Protection (ÚOOÚ, the Office) has issued its annual report on its activities for 2021, which presents the most important results of the Office's supervisory activities in the area of personal data processing, illustrated by examples of selected inspections. We summarise some of them below.
The ÚOOÚ audited the loyalty programmes of retail chains. The audit found no serious misconduct. The scope of data collected (most often title, name, surname, date of birth, address, payment details, e-mail address, telephone number, customer card number), the period of storage of personal data and their security were checked. Other information held by the shops related to the goods purchased, the home store, the use of promotions, the amount of loyalty points and other data, which the Office found to be adequate in relation to the purpose of the processing. However, errors alleged against the inspected sellers concerned the excessive and unjustified retention of personal data – for example, the retention of data on the purchase of foodstuffs for a period of 3 years was found by the Office to be disproportionate. The Office has therefore recommended that this period be shortened in line with the purpose of the retention of the data (e.g. according to the time when the goods can be claimed).
Another area of inspection carried out concerned telemarketing, where approximately a quarter of the complaints received by the Office were complaints about the processing of personal data for marketing purposes. One of the inspected telemarketing companies did not respond to the exercise of the data subjects' right of access to personal data under Article 15 of the General Data Protection Regulation ("GDPR"), or only mentioned the random generation of a telephone number as the source of the personal data. Upon objection to the processing of personal data pursuant to Article 21 of the GDPR, or after exercising the right to erasure (or right to be forgotten) pursuant to Article 17 of the GDPR, the company either did not respond at all or promised to stop processing personal data for marketing purposes, but even after the expiry of the one-month period for taking action (pursuant to Article 12(3) of the GDPR), the data subjects were contacted again in the context of telemarketing.
In the course of the inspection of the telemarketing company, the Office found that it acted as a processor of personal data, not as a controller, when it carried out its activities according to the instructions of the controllers for whom it provided the telemarketing service. Furthermore, the company was found to have breached the obligation laid down in Articles 15-21 GDPR by failing to provide data subjects with relevant information concerning the processing of their personal data. Specifically, this breach consisted in the fact that, when providing information to data subjects, it responded in a uniform manner without taking into account the fact that it was in the position of a processor. The company also failed to indicate in its replies to the applicants the purpose of the call, i.e. that the telephone call was made for the purpose of providing a marketing offer to another entity (a contractual client); furthermore, most of the replies indicated that the legitimate interest of the audited person as a controller of personal data was the legal title for the use of the telephone number, which was not the case here.
A personal data protection impact assessment pursuant to Article 35 of the GDPR is to be carried out by any controller whose processing intention can be assessed as high risk in terms of interference with the rights and freedoms of natural persons in relation to the processing of their personal data. In its report, the Office draws attention to the mistakes made by controllers in this assessment: