RECORD DATA PROTECTION FINE – 5 MISTAKES THAT LED TO IT
31 October 2017
The Hungarian Data Protection Authority has just published its decision on the unlawful data processing activities of the Church of Scientology Hungary. The Authority imposed the maximum fine of 20 million forints on the Church, taking into account the huge number of persons concerned and the gravity of the infringements. Luckily for the Church, the decision was not based on the GDPR; otherwise the fine would not be 20 million forints but 20 million euros. Nevertheless, the mistakes of the Church would also infringe the GDPR, so they are worth mentioning and learning from.
Forwarding PD to the “unsafe” 3rd countries
In order to become a member of the Church and receive services (e.g. the purification program), applicants must fill out certain kinds of application forms. In the application form, the applicant gave consent to the forwarding of his PD to the US Church or any other 3rd country-based organization of the Scientology Church.
The Church was not allowed to forward PD to a 3rd country where an adequate level of protection of the PD is not ensured. Furthermore, the consent of the applicants could not be considered freely given, since they were not able to start the purification program until they had given consent to the forwarding of their PD to 3rd countries.
To avoid such infringements, make sure that you forward PD only to countries where an adequate level of protection is ensured.
Processing 3rd persons' data without their knowledge
The applicants and members of the Church had to fill out questionnaires, take part in interviews and share the most confidential issues of their private life, such as sexual behaviour, criminal activities and drug abuse. The members had to share this kind of information not only about themselves but also about their family members and friends. For example, the members had to name persons with whom they had ever had sexual relationships.
Thus, the Church obtained and processed personal data of 3rd persons who did not even know that their personal data had been disclosed to the Church. By processing the PD of these 3rd persons without their knowledge and without any legal basis (e.g. consent), the Church infringed the lawfulness of the processing.
Always make sure that you have a valid legal basis to process personal data. In most cases this legal basis is the consent of the data subject, but processing of PD is also possible if it is necessary to fulfil a contract concluded with the data subject.
Requesting unnecessary sensitive data from employees
Persons who applied for a job at the Church had to fill out a questionnaire with ca. 130 questions which, among others, concerned their relationships, political beliefs, sexual orientation, health issues or even whether they had claimed back money from religious associations. It was not only the key employees who had to fill out this questionnaire; the Authority found that even administrative employees (a kind of mailman) had filled it out.
Collecting the above sensitive data from the candidates is not necessary for the establishment and performance of the employment relationship. Thus, the Church was not compliant with the principles of purpose limitation and data minimisation.
Remember to collect from your employees only personal data that is necessary for the job and, where possible, avoid requesting sensitive data or keep it to a minimum.
Risking the misuse of credit cards
When members paid the membership fee by credit card or purchased books with it, the Church recorded the number of the credit card, its expiration date, the CID / CCV code and the signature of the applicant. Basically, they collected all the data that makes it possible to make payments with the credit card. Those data have also been forwarded to the US.
This practice of the Church infringes the principle of data security as recording, storing and forwarding all credit card data makes it possible to misuse it.
Be very cautious with collecting credit card data and store it only as long as it is necessary for the fulfilment of the contract. Furthermore, ensure an adequate level of protection to avoid the possibility of misuse.
Processing PD for marketing purposes without consent
The Church offered applicants the possibility of taking online personality tests and promised to establish personal development action plans based on the results. The applicants could only take the test if they had given consent to the processing of their PD. Although the Church informed the applicants that their PD would also be processed for marketing purposes, it did not request specific consent for this kind of data processing.
Since the applicants did not have the possibility to give separate consent to the data processing for marketing purposes, the Church processed these data without the freely given, specific and unambiguous consent of the data subjects.
If you want to process PD for marketing purposes, make sure that you have informed the data subject about it and that he has given specific consent.
Legal notice: The parts of the article about the infringements of the Church of Scientology Hungary were solely based on the findings of the decision (no. NAIH/2017/148/98/H.) of the Hungarian Data Protection Authority which may be subject to judicial review. The Law Firm is not able to judge the accuracy of the findings thus they cannot be considered as the statements or opinion of the Law Firm.