Blog » RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
31 October 2017
The Hungarian Data Protection Authority just published his decision about the unlawful data processing activities of the Church of Scientology Hungary. The Authority imposed the maximum level fine of 20Million Forints against the Church, taking into account the huge number of the persons concerned and the gravity of the infringements. Luckily for the Church, the decision was not based on the GDPR, otherwise the fine would not be 20 Million Forints but 20 Million Euros. Nevertheless, the mistakes of the Church would also infringe the GDPR, thus it is worth to mention and learn from them.
Forwarding PD to the “unsafe” 3rd countries
In order to become a member of the Church and receive services (eg. purification program) the applicants should fill out certain kinds of application forms. In the application form the applicant has given consent to forward his PD to the US Church or any other 3rd country-based organization of the Scientology Church.
The Church could not have forwarded PD to a 3rd country where the adequate level of protection of the PD is not ensured. Furthermore, the consent of the applicants could not be considered as freely given, since they would not be able to start the purification program until they have given consent to forward their PD to 3rd countries.
To avoid such infringements, make sure that you only forward PD to such countries where the adequate level of protection is ensured.
Processing 3rd persons data without their knowledge
The applicants and members of the Church had to fill out questionnaires, take part on interviews and share the most confidential issues of their private life such as sexual behaviour, criminal activities, drug abuse. Not only had to share the members this kind of information about themselves but also about their family members and friends. For example, the members had to name persons with whom they ever had sexual relationships.
Thus, the Church obtained and processed personal data of 3rd person who did not even know that their personal data has been disclosed to the Church. By processing the PD of these 3rd persons without their knowledge and without any legal basis (eg. consent) the Church infringed the lawfulness of the processing.
Always make sure that you have a valid legal basis to process personal data. In most cases this legal basis is the consent of the data subject, but processing of PD is also possible if it is necessary to fulfil a contract concluded with the data subject.
Requesting unnecessary sensitive data from employees
Persons who applied for a job at the Church had to fill out a questionnaire with ca. 130 questions which among others concerned their relationships, political beliefs, sexual orientation, health issues or even whether they have claimed back money from religious associations. Not only the key employees had to fill out this questionnaire, but the Authority found that even administrative employees (kind of mailman) have filled it out.
Collecting the above sensitive data from the candidates is not necessary for the establishment and performance of the employment relationship. Thus, the Church was not compliant with the principles of purpose limitation and data minimisation.
Keep in mind to collect only such personal data from your employees which is necessary for the job and when possible avoid requesting sensitive data or keep it on a minimum level.
Risk the misuse of credit cards
In case the members paid the member fee with credit card or purchased books with it, the Church has recorded the number of the credit card, its expiration date, the CID / CCV code and the signature of the applicant. Basically, they collected all the data which makes it possible to make payments with the credit card. Those data have also been forwarded to the US.
This practice of the Church infringes the principle of data security as recording, storing and forwarding all credit card data makes it possible to misuse it.
Be very cautious with collecting credit card data and store it only until it is necessary for the fulfilment of the contract. Further ensure the adequate level of protection to avoid the possibility of misuse.
Processing PD for marketing purposes without consent
The Church provided the possibility for the applicants to make online personality tests and based on its results promised to establish personal development action plans. The applicants could only make the test if they have given consent to process their PD. Although the Church informed the applicants that their PD would be processed for marketing purposes, too, he has not requested specific consent for this kind of data processing.
Since the applicant would not have the possibility to give separate consent to the data processing for marketing purposes, the Church processed these data without the freely given, specific and unambiguous consent of the data subjects.
If you want to process PD for marketing purposes, make sure that you informed the data subject about it and that he has given a specific consent.
Legal notice: The parts of the article about the infringements of the Church of Scientology Hungary were solely based on the findings of the decision (no. NAIH/2017/148/98/H.) of the Hungarian Data Protection Authority which may be subject to judicial review. The Law Firm is not able to judge the accuracy of the findings thus they cannot be considered as the statements or opinion of the Law Firm.
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »
EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?Read more »
CAN THE NON-COMPETITION AGREEMENT BE VALID WITHOUT A PRECISE COMPENSATION IN HUNGARY?
The non-compete agreement may provide protection of the legitimate economic interests of the employer even after the termination of employment relationship. However, the Hungarian Labour Code lays down strict requirements for the agreement. In our article we analyse a recent decision of the Supreme Court about the importance of the precise determination of the compensation, so you as an employer can conclude a valid non-compete agreement.Read more »