Blog » RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
31 October 2017
The Hungarian Data Protection Authority just published his decision about the unlawful data processing activities of the Church of Scientology Hungary. The Authority imposed the maximum level fine of 20Million Forints against the Church, taking into account the huge number of the persons concerned and the gravity of the infringements. Luckily for the Church, the decision was not based on the GDPR, otherwise the fine would not be 20 Million Forints but 20 Million Euros. Nevertheless, the mistakes of the Church would also infringe the GDPR, thus it is worth to mention and learn from them.
Forwarding PD to the “unsafe” 3rd countries
In order to become a member of the Church and receive services (eg. purification program) the applicants should fill out certain kinds of application forms. In the application form the applicant has given consent to forward his PD to the US Church or any other 3rd country-based organization of the Scientology Church.
The Church could not have forwarded PD to a 3rd country where the adequate level of protection of the PD is not ensured. Furthermore, the consent of the applicants could not be considered as freely given, since they would not be able to start the purification program until they have given consent to forward their PD to 3rd countries.
To avoid such infringements, make sure that you only forward PD to such countries where the adequate level of protection is ensured.
Processing 3rd persons data without their knowledge
The applicants and members of the Church had to fill out questionnaires, take part on interviews and share the most confidential issues of their private life such as sexual behaviour, criminal activities, drug abuse. Not only had to share the members this kind of information about themselves but also about their family members and friends. For example, the members had to name persons with whom they ever had sexual relationships.
Thus, the Church obtained and processed personal data of 3rd person who did not even know that their personal data has been disclosed to the Church. By processing the PD of these 3rd persons without their knowledge and without any legal basis (eg. consent) the Church infringed the lawfulness of the processing.
Always make sure that you have a valid legal basis to process personal data. In most cases this legal basis is the consent of the data subject, but processing of PD is also possible if it is necessary to fulfil a contract concluded with the data subject.
Requesting unnecessary sensitive data from employees
Persons who applied for a job at the Church had to fill out a questionnaire with ca. 130 questions which among others concerned their relationships, political beliefs, sexual orientation, health issues or even whether they have claimed back money from religious associations. Not only the key employees had to fill out this questionnaire, but the Authority found that even administrative employees (kind of mailman) have filled it out.
Collecting the above sensitive data from the candidates is not necessary for the establishment and performance of the employment relationship. Thus, the Church was not compliant with the principles of purpose limitation and data minimisation.
Keep in mind to collect only such personal data from your employees which is necessary for the job and when possible avoid requesting sensitive data or keep it on a minimum level.
Risk the misuse of credit cards
In case the members paid the member fee with credit card or purchased books with it, the Church has recorded the number of the credit card, its expiration date, the CID / CCV code and the signature of the applicant. Basically, they collected all the data which makes it possible to make payments with the credit card. Those data have also been forwarded to the US.
This practice of the Church infringes the principle of data security as recording, storing and forwarding all credit card data makes it possible to misuse it.
Be very cautious with collecting credit card data and store it only until it is necessary for the fulfilment of the contract. Further ensure the adequate level of protection to avoid the possibility of misuse.
Processing PD for marketing purposes without consent
The Church provided the possibility for the applicants to make online personality tests and based on its results promised to establish personal development action plans. The applicants could only make the test if they have given consent to process their PD. Although the Church informed the applicants that their PD would be processed for marketing purposes, too, he has not requested specific consent for this kind of data processing.
Since the applicant would not have the possibility to give separate consent to the data processing for marketing purposes, the Church processed these data without the freely given, specific and unambiguous consent of the data subjects.
If you want to process PD for marketing purposes, make sure that you informed the data subject about it and that he has given a specific consent.
Legal notice: The parts of the article about the infringements of the Church of Scientology Hungary were solely based on the findings of the decision (no. NAIH/2017/148/98/H.) of the Hungarian Data Protection Authority which may be subject to judicial review. The Law Firm is not able to judge the accuracy of the findings thus they cannot be considered as the statements or opinion of the Law Firm.
LAWFUL DISMISSAL IN HUNGARY - PART VI: TERMINATION WITHOUT NOTICE
In the last two articles of our series on “lawful dismissal” we present the most severe sanction that can be applied to an employee, the immediate (formerly: extraordinary) termination. This measure is applied in serious incidents only, so many employers believe that they will not need to use the sanction. But, as we know, the devil does not sleep and it is in the details, so the employer needs to be prepared for this scenario as well to avoid further inconvenience.Read more »
5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
The supervisory authorities in Europe controlling compliance with the GDPR have not sat on their hands in the last couple of months. In this short article we collected five interesting cases from the recent past. The wide discretionary powers of the data protection authority is well illustrated by the fact that sometimes the GDPR fine was only EUR 2000, but in another case a company has been fined for EUR 11,5 Million! Continue reading if you would like to avoid the same or similar expensive errors.Read more »
LAWFUL DISMISSAL IN HUNGARY - PART V: PROTECTION AGAINST DISMISSAL
In the previous articles on the lawful dismissal, we discussed that, ranging from the employee’s behaviour to the employer’s reorganization, there can be many legitimate reasons for dismissal by the employer. However, irrespective of the legitimate reason, the employment relationship cannot be terminated if the employee is protected against dismissal by law (i.e. the Labour Code). From our article, you can learn about these protections.Read more »