UOOU - UOOU-00196/20
From GDPRhub
UOOU - UOOU-00196/20 | |
---|---|
Authority: | UOOU (Czech Republic) |
Jurisdiction: | Czech Republic |
Relevant Law: | Article 5(1)(f) GDPR Article 6(1)(a) GDPR Article 12(1) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 14 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 28.04.2021 |
Published: | 28.05.2021 |
Fine: | 22864 EUR |
Parties: | n/a |
National Case Number/Name: | UOOU-00196/20 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Czech |
Original Source: | UOOU (in CS) |
Initial Contributor: | n/a |
The Czech DPA fined a company €22,864 for publishing on its website personal data from public registers without any legal basis and without informing data subjects about the processing.
English Summary
Facts
The DPA received six complaints against a company that aggregated on its website personal data from public registers without any legal basis.
The DPA found a violation of
- Article 6(1) GDPR, as, as the mere "scrapping" of the public register did not fulfill the condition of necessity processing of personal data declared by the company and therefore the legal title referred to in Article 6(1) GDPR.
- Article 5(1)(f) GDPR could not be applied to the processing in question;
- Article 12(3) GDPR, as some of the complainants were not informed in any way about the way in which their data were processed
- Article 12(2) GDPR because the company did not facilitate the exercise of the rights of data subjects under Articles 15 to 22 GDPR;
- Article 14 GDPR, as mere publication of information under Article 14 GDPR on the company's website cannot be considered sufficient fulfillment of information obligation.
Holding
The DPA fined the controller CZK 500,000 for abovementioned violations. Additionally, during the inspection the company was fined CZK 100,000 for non-cooperation.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.
Processing of personal data on websites by flipping data from public registers (UOOU-00196/20) Company The Office received a total of six complaints against the company, which opposed the processing of personal data aggregated on the company 's website, in the form of their simple flipping from publicly accessible registers (eg ARES, Commercial Register, Trade Register, etc.) The subject of the inspection was compliance with the obligations set out in the General Regulation and Act No. 110/2019 Coll., On the processing of personal data, in connection with the processing of personal data on the Internet, respecting the right to delete and the right to information on personal data processing the extent of the complaints filed, as well as the general fulfillment of the rights of data subjects in the processing of their personal data in the Internet environment. In the inspection report, the Office found a violation of: (i) Article 6 (1) of the General Regulation, as such processing is illegal in the case of a simple flipping of the trade and business register by the controlled company, as the mere "flipping" of the public register did not fulfill the condition of necessity processing of personal data declared by the company and therefore the legal title referred to in Article 6 (1) (a). (ii) Article 5 (1) (f) of the General Regulation could not be applied to the processing in question; (iii) Article 12 (3) of the General Regulation, as some of the complainants were not informed in any way about the way in which they were processed; their requests for deletion of personal data [ie the company did not provide data subjects with information on the measures taken under Articles 15 to 22 of the General Regulation], (iv) Article 12 (2) of the General Regulation because the company did not facilitate the exercise of the rights of complainants (data subjects) under Articles 15 to 22 of the General Regulation; Article 14 of the General Regulation, as the audited company did not fulfill its information obligation under this Article [mere publication of information under Article 14 of the General Regulation on the company's website cannot be considered fulfilled]. No objections were lodged against the inspection report. as the audited company has not fulfilled its information obligation pursuant to this article [mere publication of information pursuant to Article 14 of the General Regulation on the company's website cannot be considered as fulfilled]. No objections were lodged against the inspection report. as the audited company has not fulfilled its information obligation pursuant to this article [mere publication of information pursuant to Article 14 of the General Regulation on the company's website cannot be considered as fulfilled]. No objections were lodged against the inspection report. In conclusion, the inspection was followed by an administrative proceeding in which an injunction was issued imposing remedial measures and a fine of CZK 500,000, and that during the inspection the company was fined CZK 100,000 for non-cooperation [for violation Article 15 (1) (a) a) of the Control Rules].