Blog » RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
31 October 2017
The Hungarian Data Protection Authority just published his decision about the unlawful data processing activities of the Church of Scientology Hungary. The Authority imposed the maximum level fine of 20Million Forints against the Church, taking into account the huge number of the persons concerned and the gravity of the infringements. Luckily for the Church, the decision was not based on the GDPR, otherwise the fine would not be 20 Million Forints but 20 Million Euros. Nevertheless, the mistakes of the Church would also infringe the GDPR, thus it is worth to mention and learn from them.
Forwarding PD to the “unsafe” 3rd countries
In order to become a member of the Church and receive services (eg. purification program) the applicants should fill out certain kinds of application forms. In the application form the applicant has given consent to forward his PD to the US Church or any other 3rd country-based organization of the Scientology Church.
The Church could not have forwarded PD to a 3rd country where the adequate level of protection of the PD is not ensured. Furthermore, the consent of the applicants could not be considered as freely given, since they would not be able to start the purification program until they have given consent to forward their PD to 3rd countries.
To avoid such infringements, make sure that you only forward PD to such countries where the adequate level of protection is ensured.
Processing 3rd persons data without their knowledge
The applicants and members of the Church had to fill out questionnaires, take part on interviews and share the most confidential issues of their private life such as sexual behaviour, criminal activities, drug abuse. Not only had to share the members this kind of information about themselves but also about their family members and friends. For example, the members had to name persons with whom they ever had sexual relationships.
Thus, the Church obtained and processed personal data of 3rd person who did not even know that their personal data has been disclosed to the Church. By processing the PD of these 3rd persons without their knowledge and without any legal basis (eg. consent) the Church infringed the lawfulness of the processing.
Always make sure that you have a valid legal basis to process personal data. In most cases this legal basis is the consent of the data subject, but processing of PD is also possible if it is necessary to fulfil a contract concluded with the data subject.
Requesting unnecessary sensitive data from employees
Persons who applied for a job at the Church had to fill out a questionnaire with ca. 130 questions which among others concerned their relationships, political beliefs, sexual orientation, health issues or even whether they have claimed back money from religious associations. Not only the key employees had to fill out this questionnaire, but the Authority found that even administrative employees (kind of mailman) have filled it out.
Collecting the above sensitive data from the candidates is not necessary for the establishment and performance of the employment relationship. Thus, the Church was not compliant with the principles of purpose limitation and data minimisation.
Keep in mind to collect only such personal data from your employees which is necessary for the job and when possible avoid requesting sensitive data or keep it on a minimum level.
Risk the misuse of credit cards
In case the members paid the member fee with credit card or purchased books with it, the Church has recorded the number of the credit card, its expiration date, the CID / CCV code and the signature of the applicant. Basically, they collected all the data which makes it possible to make payments with the credit card. Those data have also been forwarded to the US.
This practice of the Church infringes the principle of data security as recording, storing and forwarding all credit card data makes it possible to misuse it.
Be very cautious with collecting credit card data and store it only until it is necessary for the fulfilment of the contract. Further ensure the adequate level of protection to avoid the possibility of misuse.
Processing PD for marketing purposes without consent
The Church provided the possibility for the applicants to make online personality tests and based on its results promised to establish personal development action plans. The applicants could only make the test if they have given consent to process their PD. Although the Church informed the applicants that their PD would be processed for marketing purposes, too, he has not requested specific consent for this kind of data processing.
Since the applicant would not have the possibility to give separate consent to the data processing for marketing purposes, the Church processed these data without the freely given, specific and unambiguous consent of the data subjects.
If you want to process PD for marketing purposes, make sure that you informed the data subject about it and that he has given a specific consent.
Legal notice: The parts of the article about the infringements of the Church of Scientology Hungary were solely based on the findings of the decision (no. NAIH/2017/148/98/H.) of the Hungarian Data Protection Authority which may be subject to judicial review. The Law Firm is not able to judge the accuracy of the findings thus they cannot be considered as the statements or opinion of the Law Firm.
CAN THE EMPLOYER EXPAND THE EMPLOYEES’ DUTIES WITHOUT CHANGING THE JOB DESCRIPTION IN HUNGARY?
The position and tasks of the employee are one of the key elements of the employment contract and are typically recorded in the job description. It is often a matter of dispute between the parties whether the employer can unilaterally modify the job description at all, and if so, to what extent. In a recent court decision, a Hungarian appellate court addressed the above question in a situation where the employer supplemented the employee's tasks with new tasks similar to his existing tasks. In this article, we analyse the recent decision on this matter.Read more »
CAN A HARSH FACEBOOK COMMENT BE A LAWFUL GROUND FOR DISMISSAL IN HUNGARY?
Social media platforms significantly changed the ways how people express their opinions: sharing views became easier than ever. On the one hand, this is positive, but on the other hand, it is also dangerous in the employment context, as the employee's opinion may be prejudicial to the employer's interests. A recent decision of the Hungarian Supreme Court gives answer to the question whether the employer can dismiss the employee for expressing his opinion on Facebook.Read more »
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.Read more »