AZOP (Croatia) - Decision 29-06-2022 (bank)
AZOP - Decision 29-06-2022 (bank) | |
---|---|
Authority: | AZOP (Croatia) |
Jurisdiction: | Croatia |
Relevant Law: | Article 5 GDPR Article 6 GDPR Article 13 GDPR Rulebook on organizing prize games |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 31.12.2021 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Decision 29-06-2022 (bank) |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Croatian |
Original Source: | AZOP (in HR) |
Initial Contributor: | Presido Croatia |
The Croatian DPA reprimanded a bank for publishing the personal data of prize game winners on its web page contrary to the principles of lawfulness and fairness of Article 5 GDPR and without a legal basis under Article 6 GDPR.
English Summary
Facts
A bank (the controller) organized prize games for its clients. Considering that it had a large number of clients who lived in urban areas where it is not uncommon for different people to have the same first and last name and at the same time have the same address, the controller considered it necessary to undoubtedly establish the identity of the participants. Thus, it collected and processed the winners' data, and published it on the website.
The Croatian DPA launched an investigation after it found out that the controller published the personal identification numbers (OIB) and residence addresses of the winners of the prize game on its website. Acting ex officio, the Croatian DPA requested a statement from the controller on the legal basis for such publication. The DPA also inquired on the method of informing the participants on the processing of their personal data under Article 13 GDPR.
In response, the bank argued that in order to participate in the prize draw, it was necessary to enter the name, surname, OIB, phone number or e-mail address. The above data was requested for identification purposes and thus was fulfilling the obligation of the bank to conduct the prize game in accordance with the Ordinance on the organization of prize games, which also includes notifying the winner about the award.
Holding
The Croatian DPA established that, in this case, the conditions for fair and lawful processing of personal data from Articles 5 and 6 GDPR were not met. The controller did not prove the existence of a legal basis for the publication of personal data consisting of the OIB and residence addresses of the winners of a particular prize game. This also amounted to a violation of the lawful, fair and transparent processing of personal data, and especially the data minimisation principle. The Croatian DPA decided to reprimand the data controller.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
1 REPUBLIC OF CROATIA PROTECTION AGENCY PERSONAL DATA CLASS: NUMBER: Zagreb, December 31, 2021. Personal Data Protection Agency based on Article 57 paragraph 1 and Article 58 paragraph 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection individuals in connection with the processing of personal data and the free movement of such data, and o repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation) SL EU 119, Article 40 and Article 96 of the Law on General Administrative Procedure ("Official Gazette", number: 47/09) ex officio makes the following SOLUTION 1. It is determined that the processing of the personal data of the prize winner is official on the Bank's website, as the personal data processing manager, processing took place (publication) of personal data in an excessive amount contrary to articles 5 and 6. General regulations on data protection. 2. It is prohibited for the company (bank) as the manager of personal data processing personal data, i.e. publication of personal data of prize winners on to the official website in an excessive amount (personal data identification number-OIB and residential address) contrary to articles 5 and 6. General regulations on data protection. 3. The company, as the manager of personal data processing, is issued an official warning due to processing (publishing) personal data of prize winners on the official website page to an excessive extent contrary to Articles 5 and 6 of the General Regulation on data protection. 2 Form layout The Agency for the Protection of Personal Data (hereinafter: the Agency) came to know how is the company, as the manager of personal data processing on its official internet published the personal data of the winners of the prize game to an excessive extent, to be more precise the scope of data on the personal identification number (OIB) and residence address of the winner prize games. Acting ex officio, the Agency complies with its tasks and powers requested a statement from the company on the legal basis for the publication of personal data of the list of winners prize games. In this regard, the Agency, in its statement, requested the company in question to in particular, it is evident in relation to the scope of personal data that they have published (OIB and residential address). Likewise, the company in question was asked to comment on the method of informing the participants sweepstakes on the processing of their personal data for the stated purposes, all based on the obligation from Article 13 of the General Data Protection Regulation. The Personal Data Protection Agency received a statement from the subject company in to which they state the following: The prize game is defined, in accordance with the Rulebook on organizing prize games, with the document "RULES prize game". The participants of the prize game are informed about the processing of your personal data for the purposes of participating in the prize draw in question, in accordance with the article 13. General regulations on data protection, when registering for that prize game. To participate in the prize draw, it was necessary to enter the name, surname, OIB, number phone or e-mail address. The above data is requested for identification purposes and thus works fulfilling the obligation of the bank to correctly conduct the prize game in question as organizer in accordance with the Ordinance on the organization of prize games, which also includes notification the winner about the award. Only those participants who are in period from 20.11. until 31.12. In 2020, they made a transaction with a bank card at the point of sale location and online banking transaction and registered for the prize draw. For the raffle, 10,548 participants registered, of which 108 registered with the same first and last name. Conditions 5,905 participants participated in the prize draw, and among them 37 with the same by first and last name and additionally 4 participants who have the same first and last name as well as the same address city (it was about two cases in which two people have the same first and last name and are from the same city). The bank organizes prize games for its clients, considering that it has a large number of clients who live in urban areas where it is not uncommon for different people to have the same first and last name and at the same time have the same address and considers it necessary to undoubtedly establish the identity of the participants and thus i collect and process the winner's data, and thus publicly publish the winner's data containing the name, surname, ID number and address. Namely, in accordance with the Rulebook on the organization of prize games, the organizer of the prize game has an obligation to ensure a public drawing of prizes, and the bank fulfilled this obligation by defining that the names of the winners will be published on the website within seven days from the day of the draw. The name of the winner refers to all the data needed to determine the identity of the winner (it is indisputable that the name alone does not identify a person), that is, to the data for which it is defined to the subject "Rules of the prize game" that they will be included in the record that will be drawn up 3 during the prize draw. In addition, it is clearly stated in the tender application that the personal data provided for the purposes of participation in the prize game in question, thus participation it also implies the fulfillment of the public's obligation to publish information about the winners on the bank's side as well organizer of the prize game, and which public announcement is defined in the document "Rules of the prize games". Without public announcement of the winner of the prize game, the bank, as the organizer of the prize game, cannot to fulfill its obligation to the public to conduct the prize game, which it has an obligation to do based on the Regulations on the organization of prize games, and what is the obligation of the public for the purpose of transparency of the whole procedure of each individual prize game. This is especially in terms of informing all participants, but also to the public to ensure that each sweepstakes is conducted correctly and in accordance obligations of the organizer of the prize game arising from the Ordinance on the organization of prize games and thus at the same time it is possible for each participant to protect his rights before the competent municipal authorities by the court in case it considers that the prize draw was not actually conducted. Following on from the above, we point out that from May 25, 2018, in all states to the members of the European Union, including in the Republic of Croatia, it is directly and bindingly applied Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and the free movement of such data and the placement out of force of Directive 95/46/EC (General Data Protection Regulation) SL EU 119. In article 4.1. The General Data Protection Regulation states that personal data is all data which refer to an individual whose identity has been determined or can be determined ("the respondent"); individual whose identity can be determined is a person who can be identified directly or indirectly, esp with the help of identifiers such as name, identification number, location data, network identifier or with the help of one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that individual Pursuant to Article 4.2. General data protection regulations, processing means any procedure or a set of procedures performed on personal data or on sets of personal data, either by automated or non-automated means such as collecting, recording, organization, structuring, storage, adaptation or modification, finding, performing insights, use, disclosure by transmission, dissemination or otherwise making available, matching or combining, limiting, deleting or destroying. Article 5 of the General Data Protection Regulation stipulates how personal data must be lawfully, fairly and transparently processed with respect to the respondent, collected in special, express and lawful purposes, appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of reducing the amount of data), accurate and, if necessary, up-to-date, processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical or organizational measures (principle of integrity and confidentiality). 4 It is also necessary to refer to Article 6, paragraph 1 of the General Data Protection Regulation, which stipulates that the processing of personal data is legal only if and to the extent that it is at least one of the following is fulfilled: the respondent has given his consent for the processing of his personal data data for one or more special purposes; processing is necessary for the execution of the contract in which it is the respondent party or in order to take actions at the request of the respondent before concluding the contract; processing is necessary to comply with the legal obligations of the controller; processing is necessary in order to protect the key interests of the legal obligations of the controller; processing is necessary to perform the task in the public interest or when exercising the official authority of the data controller; processing is necessary for the needs of the legitimate interests of the data controller or a third party. Respecting the principles of fair and transparent processing, the data controller complies with the article 13 of the General Regulations on Data Protection, if personal data is collected from respondents, obliged provide its subjects with all information about the processing of their personal data (for example: o their identity, about the data protection officer, to inform them of the purpose and legal basis for processing personal data, about recipients or categories of recipients of personal data) u in a concise, comprehensible and easily accessible form, with the use of clear and simple language and them familiarize themselves with their rights that belong to them in accordance with the General Data Protection Regulation (right to information, right to access, right to correction and deletion, right to restriction processing, the right to portability, the right to object and automated decision-making). In the specific case, the Law on Games of Chance ("Official Gazette" no 87/09, 35/13, 158/13, 41/14, 143/14) which, in Article 69, defined prize games as games which are organized by trading companies and other legal entities for the purpose of promoting their products and services natural persons entrepreneurs, whereby the organizer undertakes to distribute to the drawn winners prizes in goods or services, without the participant being required to make a separate payment for participation in the game. Furthermore, more detailed conditions for holding prize games are prescribed by the Ordinance on to the organization of prize games ("Narodne novine" number 8/10) in which it is stated that the right trading companies and other legal and natural persons, entrepreneurs, are responsible for organizing the raffle after obtaining the approval of the Ministry of Finance, the purpose of which is to promote theirs products and services in order to improve the sale of products and the use of services (Article 3, paragraph 1. of the said Rulebook). While Article 8 stipulates that the participant in the prize game is a physical person a person who accepts and fulfills the conditions for participation in the prize game established by the rules organizer of the prize game, and in order to participate in the prize game, the participant agrees to give your personal data (name and surname and residential address). When we talk about the publication of personal data of the winners, it is important to emphasize that the organizer obliged to organize the raffle so that the prizes are necessarily drawn at the public draw winners of all prizes, and the determined prize fund to be distributed in full to the participants of the prize games (Article 13 of the cited Rulebook). As a result of the above, in this administrative matter it was determined how the company, as a leader, is processing of personal data and as the organizer of the prize game processed the personal data of the winners 5 prize games that are defined in accordance with the Ordinance on organizing prize games, document "Rules prize game". Personal data of the winners of the prize game who processed during the public announcement on the official website of the company in question are the name, surname, ID number, address and place of residence. According to the above, related to the publication of the personal data of the winners of the prize game we state that in addition to the purpose, there must also be a relevant legal basis in the sense of Article 6. General regulation on data protection, which may be consent, execution of the legal obligation arising from of a special regulation, the legitimate interest of the organizer, etc. Therefore, for the collection of personal data of the participants of the prize game, in the sense of the article 6 of the General Data Protection Regulation, there was a valid legal basis taking into account the provisions of the Law on Games of Chance and the Regulations on the Organization of Prize Games. However, as a result of the above, in this administrative matter it was determined that in the concrete in this case, the conditions for fair and lawful processing of personal data from Articles 5 and 6 were not met. General regulations on data protection, since the subject company in the conducted procedure is not proved the existence of a legal legal basis for the publication of personal data within the scope of OIB and residence addresses of the winners of a particular prize game. So, keeping in mind the principles of processing personal data and the behavior of the company in question as a data controller, we believe that the company in question did not comply with the basic principles of legal, fair and transparent processing personal data, and especially the principle of reducing the amount of data that stipulates that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes in which are processed. In this regard, we maintain that from the aspect of the regulations regulating the protection of personal data data and for the purpose of achieving transparency in the conduct of the prize draw, in accordance with the principle proportionality in data processing, it is possible to make available only the necessary amount of data which enables the achievement of a legally established purpose, for example name and surname, place of residence. Precisely for the above-mentioned reasons in the entire administrative procedure from on the part of this Agency, it was determined that the company is the manager of personal data processing acted contrary to Article 5 and Article 6 of the General Data Protection Regulation, since it is the subject the company processed (published) the personal data of the winners of the prize draw to an excessive extent without citing a justified reason for the public announcement of the same, i.e. without the company in question proved the existence of a legal basis and legitimate purpose in the specific case. Since in this administrative matter it was established that the company's actions led to violation of the right to the protection of personal data of the winners of the prize draw, i.e. until publication of their personal data to an excessive extent, this Agency decided to the company as to issue an official warning to the data controller for the established violation of the right to the protection of the subject personal data. In view of the established violation, the Agency proceeded to pronounce the official admonitions to the company in question, considering it sufficiently expedient, effective and with a sufficient measure that will influence society so that in the future it no longer acts contrary to the General regulations on data protection. Following the above, it was decided as in the sentence of the decision. 6 LEGAL REMEDY No appeal is allowed against this decision, but an administrative dispute can be initiated before by the Administrative Court in Rijeka within 30 days from the date of delivery of the decision. DEPUTY DIRECTOR Igor Vulje