Blog » RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
31 October 2017
The Hungarian Data Protection Authority just published his decision about the unlawful data processing activities of the Church of Scientology Hungary. The Authority imposed the maximum level fine of 20Million Forints against the Church, taking into account the huge number of the persons concerned and the gravity of the infringements. Luckily for the Church, the decision was not based on the GDPR, otherwise the fine would not be 20 Million Forints but 20 Million Euros. Nevertheless, the mistakes of the Church would also infringe the GDPR, thus it is worth to mention and learn from them.
Forwarding PD to the “unsafe” 3rd countries
In order to become a member of the Church and receive services (eg. purification program) the applicants should fill out certain kinds of application forms. In the application form the applicant has given consent to forward his PD to the US Church or any other 3rd country-based organization of the Scientology Church.
The Church could not have forwarded PD to a 3rd country where the adequate level of protection of the PD is not ensured. Furthermore, the consent of the applicants could not be considered as freely given, since they would not be able to start the purification program until they have given consent to forward their PD to 3rd countries.
To avoid such infringements, make sure that you only forward PD to such countries where the adequate level of protection is ensured.
Processing 3rd persons data without their knowledge
The applicants and members of the Church had to fill out questionnaires, take part on interviews and share the most confidential issues of their private life such as sexual behaviour, criminal activities, drug abuse. Not only had to share the members this kind of information about themselves but also about their family members and friends. For example, the members had to name persons with whom they ever had sexual relationships.
Thus, the Church obtained and processed personal data of 3rd person who did not even know that their personal data has been disclosed to the Church. By processing the PD of these 3rd persons without their knowledge and without any legal basis (eg. consent) the Church infringed the lawfulness of the processing.
Always make sure that you have a valid legal basis to process personal data. In most cases this legal basis is the consent of the data subject, but processing of PD is also possible if it is necessary to fulfil a contract concluded with the data subject.
Requesting unnecessary sensitive data from employees
Persons who applied for a job at the Church had to fill out a questionnaire with ca. 130 questions which among others concerned their relationships, political beliefs, sexual orientation, health issues or even whether they have claimed back money from religious associations. Not only the key employees had to fill out this questionnaire, but the Authority found that even administrative employees (kind of mailman) have filled it out.
Collecting the above sensitive data from the candidates is not necessary for the establishment and performance of the employment relationship. Thus, the Church was not compliant with the principles of purpose limitation and data minimisation.
Keep in mind to collect only such personal data from your employees which is necessary for the job and when possible avoid requesting sensitive data or keep it on a minimum level.
Risk the misuse of credit cards
In case the members paid the member fee with credit card or purchased books with it, the Church has recorded the number of the credit card, its expiration date, the CID / CCV code and the signature of the applicant. Basically, they collected all the data which makes it possible to make payments with the credit card. Those data have also been forwarded to the US.
This practice of the Church infringes the principle of data security as recording, storing and forwarding all credit card data makes it possible to misuse it.
Be very cautious with collecting credit card data and store it only until it is necessary for the fulfilment of the contract. Further ensure the adequate level of protection to avoid the possibility of misuse.
Processing PD for marketing purposes without consent
The Church provided the possibility for the applicants to make online personality tests and based on its results promised to establish personal development action plans. The applicants could only make the test if they have given consent to process their PD. Although the Church informed the applicants that their PD would be processed for marketing purposes, too, he has not requested specific consent for this kind of data processing.
Since the applicant would not have the possibility to give separate consent to the data processing for marketing purposes, the Church processed these data without the freely given, specific and unambiguous consent of the data subjects.
If you want to process PD for marketing purposes, make sure that you informed the data subject about it and that he has given a specific consent.
Legal notice: The parts of the article about the infringements of the Church of Scientology Hungary were solely based on the findings of the decision (no. NAIH/2017/148/98/H.) of the Hungarian Data Protection Authority which may be subject to judicial review. The Law Firm is not able to judge the accuracy of the findings thus they cannot be considered as the statements or opinion of the Law Firm.
CAN YOUR DEBTOR ESCAPE LIQUIDATION BY SETTING OFF CLAIMS IN HUNGARY?
The initiation of a liquidation procedure is an effective debt collection method, since the debtor may only avoid being liquidated by paying the claim if the conditions specified in the Act on Bankruptcy Proceedings and Liquidation (Bankruptcy Act) are met. For this reason, in the case of liquidation, one of the most common defences of the debtor is the reference to offsetting. But can the debtor refer to offsetting without limitation during liquidation? In our short article we answer this question.Read more »
SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
A few days prior to the first anniversary of the entry into force of the GDPR the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer company thanks to whom the public may enjoy the SZIGET, the VOLT or the Balaton Sound Festival. The Data Protection Authority reviewed the check-in system of the festival and the data processing in relation with the check-in. In our short article we summarize the mistakes the Authority identified.Read more »
CONSTRUCTION TRUSTEESHIP IN HUNGARY - GETTING PAID IN CONSTRUCTION PROJECTS AS SUBCONTRACTOR
Construction trusteeship, as mandatory collateral management of major private construction projects in Hungary, strives for protecting subcontractors against non-paying general contractor, by allowing direct payments from employer under certain conditions. How does it work in practice and what are the limits of subcontractor protection? We address these issues in this article.Read more »