Latest revision as of 12:06, 7 August 2024

AZOP - Decision 05-09-2024
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5(1)(b) GDPR
Article 6(1) GDPR
Credit Institutions Act
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 09.05.2024
Fine: n/a
Parties: n/a
National Case Number/Name: Decision 05-09-2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: lm

The DPA found that a bank had no legal basis to process personal data of a former client for marketing purposes after their contractual relationship had ended.

English Summary

Facts

A data subject had a contractual relationship with a bank (the controller). In July 2014, the data subject gave his personal data (in particular, his name and email address) to the controller for marketing purposes. After the contractual relationship ended in November 2017, the data subject did not withdraw this consent to processing for marketing purposes.

After receiving a marketing offer, the data subject made an inquiry to the controller concerning its use of his data. The controller responded in December 2021, noting that his consent for processing was recorded in the bank’s system for marketing purposes. The controller informed the data subject that it would treat his inquiry as a request to withdraw the consent.

However, the controller did not actually delete the data. The data subject continued to receive correspondence from the controller. It was determined that this occurred due to a technical error in the controller’s system.

Holding

The Croatian DPA (AZOP) found that, after the withdrawal of the data subject's consent, the bank did not have a legal basis to process the data subject’s personal data, finding infringements of Articles 5(1)(b) and 6(1) GDPR.

First, the AZOP noted that after the termination of the contractual relationship, the bank stopped having a legal basis under Article 6(1)(b) GDPR. This was the case even though banks have authority to process personal data for at least 11 years after the termination of a business or contract relationship pursuant to national law, Article 160(2) of the Law on Credit Institutions. Under that law, credit institutions are instructed to store certain data for at least 11 years after termination – but this does not include marketing information.

The AZOP also found no legal basis under Article 6(1)(f) GDPR. Because the data subject did not reasonably expect further processing of personal data after the termination of the contractual relationship, including for marketing purposes, the controller could not claim a legitimate interest. The AZOP also observed that the controller’s privacy policy states that processing on the basis of legitimate interest arises in cases of fraud prevention, security and similar scenarios – not marketing.

Given these findings, the AZOP considered that there was no justified purpose on which processing was based in violation of Article 5(1)(b) GDPR.

Because the processing had stopped at the time of the decision, the AZOP found no need to enact specific measures or impose a fine.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

CLASS:
NUMBER:
Zagreb, May 9, 2024.

The Personal Data Protection Agency, OIB: 28454963989, on the basis of Article 57(1) and Article 58(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ EU L 119 (General Data Protection Regulation), Article 34 of the Act on the Implementation of the General Data Protection Regulation ("Official Gazette", No. 42/2018) and Articles 41 and 96 of the General Administrative Procedure Act ("Official Gazette", Nos. 47/09, 110/21), and regarding the request to determine a violation of the right to the protection of personal data of X, OIB: X, issues the following

DECISION

1. The request of X to determine a violation of the right to the protection of personal data is well-founded.

2. It is established that the processing of X's personal data, namely his name and surname and e-mail address, by bank X after the termination of the contractual relationship with bank X, without a justified purpose and legal basis, resulted in a violation of Article 5(1)(b) and Article 6(1) of the General Data Protection Regulation.

Statement of reasons

The Personal Data Protection Agency (hereinafter: the Agency) received a request to determine a violation of the right to the protection of personal data of X (hereinafter: the applicant). It follows from the request that the applicant addressed the data protection officer of bank X, requesting the deletion of his personal data from the bank's records that are used for marketing purposes, and that the bank did not comply with this request.

Correspondence from December 2021 sent from address X to several e-mail addresses of the Bank is attached to the request in question.

The request is well-founded.

Acting on the request, the Agency asked the bank for a statement as to whether the applicant's personal data (his e-mail address) were still held in the bank's records as data used for marketing purposes, or whether these data had been deleted and on what date, i.e. whether the bank had acted on the applicant's request for deletion and informed him accordingly, in line with its obligations under the General Data Protection Regulation.

The bank submitted the requested statement, which states that on 2 December 2021 the applicant approached the bank with an inquiry about the bank's use of his personal data, in reaction to an offer to open a current account sent to e-mail address X from address X; that message was sent to him in accordance with the consent to be contacted which he gave on 8 July 2014. The statement further notes that an unsubscribe option is implemented within the e-mail and that other contact details are provided through which clients can contact the bank. The applicant did not use the unsubscribe option or any of those contacts, but instead sent his question to the e-mail address of the President of the Bank's Management Board. It is also stated that in the reply dated 13 December 2021 the applicant was informed that the bank's system held a record of his consent to be informed about the bank's products and services, and that his inquiry was interpreted as a request for the withdrawal of that consent, which was consequently withdrawn on 13 December 2021.

Given that the business relationship with the applicant ended on 30 November 2017, when the applicant closed his regular current account, the bank, in accordance with the retention periods in Article 160(2) of the Law on Credit Institutions, retains data for at least eleven years after the end of the year in which the business relationship ended, of which the bank informs all clients through the information on the processing of personal data that is continuously available on the bank's website.

Finally, it is stated that, due to an error in defining the criteria for selecting active clients, the applicant was invited in July 2023 to update his data for the purpose of implementing anti-money-laundering and counter-terrorist-financing measures. The applicant responded to that invitation, the legal basis for the data retention was explained to him, and he was informed that he could disregard the data update message.

The bank's statement is accompanied by the applicant's consent to the processing of personal data for marketing purposes dated 8 July 2014 and the e-mail correspondence between the bank and the applicant.

Following on from the above, we point out that since 25 May 2018 the General Data Protection Regulation has been directly applicable and binding in the area of personal data protection in all Member States of the European Union, including the Republic of Croatia.

Pursuant to Article 4(2) of the General Data Protection Regulation, processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

We note that Article 5(1)(a) of the General Data Protection Regulation stipulates that personal data must be processed lawfully, fairly and transparently (the principle of lawfulness, fairness and transparency), while Article 5(1)(b) of the General Data Protection Regulation stipulates that personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes (the principle of purpose limitation).

Article 6(1) of the General Data Protection Regulation lists the possible legal bases/conditions for the lawful processing of personal data. That article stipulates that processing of personal data is lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Recital 47 of the General Data Protection Regulation states that the legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. The interests and fundamental rights of the data subject could in particular override the interest of the controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

Article 180, paragraph 2 of the Law on Credit Institutions (Official Gazette, Nos. 159/13, 19/15, 102/15, 15/18, 70/19, 47/20, 146/20, 151/22), as a special law which, in terms of Article 6(1)(c) of the General Data Protection Regulation, represents the legal basis for the processing of the personal data of data subjects/clients, stipulates that the bank is obliged to keep accounting documents and the contracts establishing a business relationship, i.e. the documents concerning the opening, closing and changes to accounts, for at least eleven years from the termination of the business relationship.

In this administrative matter, the statements of the parties to the proceedings were taken into account and the attached documentation was reviewed. It was established that on 8 July 2014 the applicant gave the controller, the bank, consent to the processing of his personal data for marketing purposes, and that he did not withdraw it after the termination of the contractual relationship on 30 November 2017. Inspection of the bank's consent form showed that this consent was set apart from the other purposes of data processing, while inspection of the e-mail correspondence showed that on 13 December 2021 the applicant was informed that his consent to the processing of personal data for marketing purposes was recorded in the bank's system and that his inquiry to the bank regarding the use of his data would be treated as a request for the withdrawal of consent, which was consequently withdrawn on 13 December 2021.

Regarding the receipt of the e-mail concerning the data update, it was established that there was a technical error in the selection of active clients.

In this regard, it was assessed that the bank had no legal authority to process the applicant's personal data (his e-mail address) after the termination of the contractual relationship, even though the bank has the authority to process personal data, i.e. the documents and contracts related to the business/contractual relationship, for at least eleven years after the termination of the business relationship (Article 160, paragraph 2 of the Law on Credit Institutions). It is understood that the bank's client/applicant does not reasonably expect further processing of personal data after the termination of the contractual relationship with the bank, and in this case there is no room for a legitimate interest in the processing of personal data as a legal basis for processing the applicant's personal data. Recital 47 of the General Data Protection Regulation is therefore applicable. At the same time, the bank's publicly available Personal Data Protection Policy shows that a legitimate interest in data processing exists in cases of fraud prevention and video surveillance for security reasons, i.e. in cases where the client reasonably expects the processing of personal data; none of these exceptions applies to the specific case of processing the applicant's personal data after the termination of the contractual relationship.

In conclusion, it was established in the course of the proceedings that the applicant's personal data (his e-mail address) were not processed lawfully, i.e. that there was no justified purpose (Article 5(1)(b) of the General Data Protection Regulation) and no legal basis (Article 6(1) of the General Data Protection Regulation) for the processing of his personal data after the termination of the contractual relationship.

Since the processing of the applicant's personal data has in the meantime ceased, there are no grounds in this particular case for adopting measures to protect the personal data of the data subject, i.e. measures to bring the controller's (the bank's) conduct into line with the provisions of the General Data Protection Regulation.

Therefore, it was decided as stated in the operative part.

LEGAL REMEDY:

No appeal is allowed against this Decision, but an administrative dispute may be initiated before the competent Administrative Court in X within 30 days from the date of delivery of the Decision.

DEPUTY DIRECTOR
Igor Vulje
TO BE DELIVERED TO:
1. X
2. Bank
3. Archive, here