14 June 2022

ÚOOÚ Annual Report 2021

Source: Legal Update from the field of GDPR, Spring 2022, Weinhold Legal

The Office for Personal Data Protection (ÚOOÚ, the Office) has issued its annual report on its activities for 2021, which presents the most important results of the Office's supervisory activities in the area of personal data processing, illustrated by examples of selected inspections. We summarise some of them below.

Merchant loyalty programmes

The ÚOOÚ audited the loyalty programmes of retail chains. The audit found no serious misconduct. The scope of data collected (most often title, name, surname, date of birth, address, payment details, e-mail address, telephone number, customer card number), the period of storage of personal data and their security were checked. Other information held by the shops related to the goods purchased, the home store, the use of promotions, the amount of loyalty points and other data, which the Office found to be adequate in relation to the purpose of the processing. However, errors alleged against the inspected sellers concerned the excessive and unjustified retention of personal data – for example, the retention of data on the purchase of foodstuffs for a period of 3 years was found by the Office to be disproportionate. The Office has therefore recommended that this period be shortened in line with the purpose of the retention of the data (e.g. according to the time when the goods can be claimed).

Telemarketing and personal data

Another area of inspection concerned telemarketing; approximately a quarter of the complaints received by the Office related to the processing of personal data for marketing purposes. One of the inspected telemarketing companies did not respond to data subjects exercising their right of access to personal data under Article 15 of the General Data Protection Regulation ("GDPR"), or merely stated that the telephone number had been generated at random as the source of the personal data. Upon objection to the processing of personal data pursuant to Article 21 of the GDPR, or after exercising the right to erasure (right to be forgotten) pursuant to Article 17 of the GDPR, the company either did not respond at all or promised to stop processing personal data for marketing purposes; yet even after the expiry of the one-month period for taking action (pursuant to Article 12(3) of the GDPR), the data subjects were contacted again in the context of telemarketing.

In the course of the inspection of the telemarketing company, the Office found that it acted as a processor of personal data, not as a controller, when it carried out its activities according to the instructions of the controllers for whom it provided the telemarketing service. Furthermore, the company was found to have breached the obligation laid down in Articles 15-21 GDPR by failing to provide data subjects with relevant information concerning the processing of their personal data. Specifically, this breach consisted in the fact that, when providing information to data subjects, it responded in a uniform manner without taking into account the fact that it was in the position of a processor. The company also failed to indicate in its replies to the applicants the purpose of the call, i.e. that the telephone call was made for the purpose of providing a marketing offer to another entity (a contractual client); furthermore, most of the replies indicated that the legitimate interest of the audited person as a controller of personal data was the legal title for the use of the telephone number, which was not the case here.

Personal data protection impact assessment

A personal data protection impact assessment pursuant to Article 35 of the GDPR is to be carried out by any controller whose processing intention can be assessed as high risk in terms of interference with the rights and freedoms of natural persons in relation to the processing of their personal data. In its report, the Office draws attention to the mistakes made by controllers in this assessment:

  • the balancing test is carried out in such a way that it is not possible to verify the necessity, suitability and proportionality of the processing of personal data;
  • the description of the safeguarding of the rights of data subjects is missing or insufficiently elaborated;
  • the description of the technical and organisational measures adopted is often general, and it is often not clear how the controller arrived at their design (the methodology developed by the ÚOOÚ is not used and the controller's own methodology is not clear); the consequence is that it is not possible to verify whether the measures adopted are adequate and complete.