AZOP (Croatia) - Decision 29-06-2022 (bank)

From GDPRhub
Revision as of 09:55, 21 September 2022 by Fz (talk | contribs) (Clarification of the short summary.)
AZOP - Decision of 29 June 2022 - Unknown Bank
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 13 GDPR
Rulebook on organizing prize games
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.12.2021
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Decision of 29 June 2022 - Unknown Bank
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA reprimanded a bank for excessively publishing the personal data of prize game winners on its web page contrary to the principles of lawfulness and fairness of Article 5 GDPR and without a legal basis under Article 6 GDPR.

English Summary

Facts

A bank (the controller) organized prize games for its clients. Considering that it has a large number of clients who live in urban areas where it is not uncommon for different people to have the same first and last name and at the same time have the same address, the controller considered it necessary to undoubtedly establish the identity of the participants. Thus, it collected and processed the winners' data, and published it on the website. The Croatian DPA launched an investigation after it found out that the controller published the personal identification numbers (OIB) and residence addresses of the winners of a prize game. Acting ex officio, the Croatian DPA requested a statement from the controller on the legal basis for the publication of personal data of the list of winners of the prize games. The DPA asked the controller to comment on the method of informing the participants on the processing of their personal data for the stated purposes, all based on the obligation from Article 13 GDPR. To participate in the prize draw, it was necessary to enter the name, surname, OIB, phone number or e-mail address. The above data was requested for identification purposes and thus was fulfilling the obligation of the bank to conduct the prize game in accordance with the Ordinance on the organization of prize games, which also includes notifying the winner about the award.

Holding

The Croatian DPA established that, in this case, the conditions for fair and lawful processing of personal data from Articles 5 and 6 GDPR were not met. The controller did not prove the existence of a legal basis for the publication of personal data consisting of the OIB and residence addresses of the winners of a particular prize game.

Keeping in mind the principles of processing personal data, the controller did not comply with the basic principles of legal, fair and transparent processing of personal data, and especially the principle of reducing the amount of data that stipulates that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes in which are processed. The Croatian DPA decided to issue an official warning to the data controller for the established violation of the right to the protection of the subject personal data.

Comment

Due to inconsistencies in the machine translation of the decision it remains unclear whether the DPA oficially warned or reprimanded the controller.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

1

REPUBLIC OF CROATIA
PROTECTION AGENCY
 PERSONAL DATA
CLASS:
 NUMBER:
 Zagreb, December 31, 2021.
Personal Data Protection Agency based on Article 57 paragraph 1 and Article 58 paragraph
1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection
individuals in connection with the processing of personal data and the free movement of such data, and o
repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation) SL
EU 119, Article 40 and Article 96 of the Law on General Administrative Procedure ("Official Gazette", number:
47/09) ex officio makes the following
SOLUTION
1. It is determined that the processing of the personal data of the prize winner is official
on the Bank's website, as the personal data processing manager, processing took place
(publication) of personal data in an excessive amount contrary to articles 5 and 6. General
regulations on data protection.
2. It is prohibited for the company (bank) as the manager of personal data processing
personal data, i.e. publication of personal data of prize winners on
to the official website in an excessive amount (personal data
identification number-OIB and residential address) contrary to articles 5 and 6. General
regulations on data protection.
3. The company, as the manager of personal data processing, is issued an official warning due to
processing (publishing) personal data of prize winners on the official website
page to an excessive extent contrary to Articles 5 and 6 of the General Regulation on
data protection.
2
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) came to know
how is the company, as the manager of personal data processing on its official internet
published the personal data of the winners of the prize game to an excessive extent, to be more precise
the scope of data on the personal identification number (OIB) and residence address of the winner
prize games.
Acting ex officio, the Agency complies with its tasks and powers
requested a statement from the company on the legal basis for the publication of personal data of the list of winners
prize games. In this regard, the Agency, in its statement, requested the company in question to
in particular, it is evident in relation to the scope of personal data that they have published (OIB and residential address).
Likewise, the company in question was asked to comment on the method of informing the participants
sweepstakes on the processing of their personal data for the stated purposes, all based on the obligation from
Article 13 of the General Data Protection Regulation.
The Personal Data Protection Agency received a statement from the subject company in
to which they state the following:
The prize game is defined, in accordance with the Rulebook on organizing prize games,
with the document "RULES prize game". The participants of the prize game are informed about the processing
of your personal data for the purposes of participating in the prize draw in question, in accordance with the article
13. General regulations on data protection, when registering for that prize game.
To participate in the prize draw, it was necessary to enter the name, surname, OIB, number
phone or e-mail address. The above data is requested for identification purposes and thus works
fulfilling the obligation of the bank to correctly conduct the prize game in question as
organizer in accordance with the Ordinance on the organization of prize games, which also includes notification
the winner about the award. Only those participants who are in
period from 20.11. until 31.12. In 2020, they made a transaction with a bank card at the point of sale
location and online banking transaction and registered for the prize draw. For the raffle,
10,548 participants registered, of which 108 registered with the same first and last name. Conditions
5,905 participants participated in the prize draw, and among them 37 with the same
by first and last name and additionally 4 participants who have the same first and last name as well as the same address
city (it was about two cases in which two people have the same first and last name and are from the same city).
The bank organizes prize games for its clients, considering that it has a large number of clients who live
in urban areas where it is not uncommon for different people to have the same first and last name and at the same time
have the same address and considers it necessary to undoubtedly establish the identity of the participants and thus i
collect and process the winner's data, and thus publicly publish the winner's data containing the name,
surname, ID number and address.
Namely, in accordance with the Rulebook on the organization of prize games, the organizer of the prize game
has an obligation to ensure a public drawing of prizes, and the bank fulfilled this obligation by defining that
the names of the winners will be published on the website within seven days from the day of the draw.
The name of the winner refers to all the data needed to determine the identity of the winner
(it is indisputable that the name alone does not identify a person), that is, to the data for which it is defined
to the subject "Rules of the prize game" that they will be included in the record that will be drawn up
3
during the prize draw. In addition, it is clearly stated in the tender application that the personal
data provided for the purposes of participation in the prize game in question, thus participation
it also implies the fulfillment of the public's obligation to publish information about the winners on the bank's side as well
organizer of the prize game, and which public announcement is defined in the document "Rules of the prize
games".
Without public announcement of the winner of the prize game, the bank, as the organizer of the prize game, cannot
to fulfill its obligation to the public to conduct the prize game, which it has an obligation to do based on the Regulations
on the organization of prize games, and what is the obligation of the public for the purpose of transparency of the whole
procedure of each individual prize game. This is especially in terms of informing all participants, but also
to the public to ensure that each sweepstakes is conducted correctly and in accordance
obligations of the organizer of the prize game arising from the Ordinance on the organization of prize games
and thus at the same time it is possible for each participant to protect his rights before the competent municipal authorities
by the court in case it considers that the prize draw was not actually conducted.
Following on from the above, we point out that from May 25, 2018, in all states
to the members of the European Union, including in the Republic of Croatia, it is directly and bindingly applied
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals
in connection with the processing of personal data and the free movement of such data and the placement
out of force of Directive 95/46/EC (General Data Protection Regulation) SL EU 119.
In article 4.1. The General Data Protection Regulation states that personal data is all data
which refer to an individual whose identity has been determined or can be determined ("the respondent"); individual
whose identity can be determined is a person who can be identified directly or indirectly, esp
with the help of identifiers such as name, identification number, location data, network
identifier or with the help of one or more factors specific to physical, physiological, genetic,
mental, economic, cultural or social identity of that individual
Pursuant to Article 4.2. General data protection regulations, processing means any procedure or
a set of procedures performed on personal data or on sets of personal data,
either by automated or non-automated means such as collecting, recording,
organization, structuring, storage, adaptation or modification, finding, performing insights,
use, disclosure by transmission, dissemination or otherwise making available,
matching or combining, limiting, deleting or destroying.
Article 5 of the General Data Protection Regulation stipulates how personal data must be
lawfully, fairly and transparently processed with respect to the respondent, collected in special,
express and lawful purposes, appropriate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (principle of reducing the amount of data), accurate and, if necessary, up-to-date,
processed in a way that ensures adequate security of personal data, including
protection against unauthorized or illegal processing and against accidental loss, destruction or damage
by applying appropriate technical or organizational measures (principle of integrity and
confidentiality).
4
It is also necessary to refer to Article 6, paragraph 1 of the General Data Protection Regulation, which
stipulates that the processing of personal data is legal only if and to the extent that it is
at least one of the following is fulfilled: the respondent has given his consent for the processing of his personal data
data for one or more special purposes; processing is necessary for the execution of the contract in which it is
the respondent party or in order to take actions at the request of the respondent before concluding the contract;
processing is necessary to comply with the legal obligations of the controller; processing is necessary in order to
protect the key interests of the legal obligations of the controller; processing is necessary to perform the task
in the public interest or when exercising the official authority of the data controller; processing is necessary for
the needs of the legitimate interests of the data controller or a third party.
Respecting the principles of fair and transparent processing, the data controller complies with the article
13 of the General Regulations on Data Protection, if personal data is collected from respondents, obliged
provide its subjects with all information about the processing of their personal data (for example: o
their identity, about the data protection officer, to inform them of the purpose and legal basis
for processing personal data, about recipients or categories of recipients of personal data) u
in a concise, comprehensible and easily accessible form, with the use of clear and simple language and them
familiarize themselves with their rights that belong to them in accordance with the General Data Protection Regulation
(right to information, right to access, right to correction and deletion, right to restriction
processing, the right to portability, the right to object and automated decision-making).
In the specific case, the Law on Games of Chance ("Official Gazette" no
87/09, 35/13, 158/13, 41/14, 143/14) which, in Article 69, defined prize games as games
which are organized by trading companies and other legal entities for the purpose of promoting their products and services
natural persons entrepreneurs, whereby the organizer undertakes to distribute to the drawn winners
prizes in goods or services, without the participant being required to make a separate payment for participation
in the game.
Furthermore, more detailed conditions for holding prize games are prescribed by the Ordinance on
to the organization of prize games ("Narodne novine" number 8/10) in which it is stated that the right
trading companies and other legal and natural persons, entrepreneurs, are responsible for organizing the raffle
after obtaining the approval of the Ministry of Finance, the purpose of which is to promote theirs
products and services in order to improve the sale of products and the use of services (Article 3, paragraph 1.
of the said Rulebook). While Article 8 stipulates that the participant in the prize game is a physical person
a person who accepts and fulfills the conditions for participation in the prize game established by the rules
organizer of the prize game, and in order to participate in the prize game, the participant agrees to give
your personal data (name and surname and residential address).
When we talk about the publication of personal data of the winners, it is important to emphasize that the organizer
obliged to organize the raffle so that the prizes are necessarily drawn at the public draw
winners of all prizes, and the determined prize fund to be distributed in full to the participants of the prize
games (Article 13 of the cited Rulebook).
As a result of the above, in this administrative matter it was determined how the company, as a leader, is
processing of personal data and as the organizer of the prize game processed the personal data of the winners
5
prize games that are defined in accordance with the Ordinance on organizing prize games,
document "Rules prize game". Personal data of the winners of the prize game who
processed during the public announcement on the official website of the company in question are the name,
surname, ID number, address and place of residence.
According to the above, related to the publication of the personal data of the winners of the prize game
we state that in addition to the purpose, there must also be a relevant legal basis in the sense of Article 6. General
regulation on data protection, which may be consent, execution of the legal obligation arising from
of a special regulation, the legitimate interest of the organizer, etc.
Therefore, for the collection of personal data of the participants of the prize game, in the sense of the article
6 of the General Data Protection Regulation, there was a valid legal basis taking into account
the provisions of the Law on Games of Chance and the Regulations on the Organization of Prize Games.
However, as a result of the above, in this administrative matter it was determined that in the concrete
in this case, the conditions for fair and lawful processing of personal data from Articles 5 and 6 were not met.
General regulations on data protection, since the subject company in the conducted procedure is not
proved the existence of a legal legal basis for the publication of personal data within the scope of OIB and
residence addresses of the winners of a particular prize game. So, keeping in mind the principles of processing
personal data and the behavior of the company in question as a data controller, we believe that
the company in question did not comply with the basic principles of legal, fair and transparent processing
personal data, and especially the principle of reducing the amount of data that stipulates that personal
data must be adequate, relevant and limited to what is necessary in relation to the purposes in
which are processed.
In this regard, we maintain that from the aspect of the regulations regulating the protection of personal data
data and for the purpose of achieving transparency in the conduct of the prize draw, in accordance with the principle
proportionality in data processing, it is possible to make available only the necessary amount of data which
enables the achievement of a legally established purpose, for example name and surname, place of residence.
Precisely for the above-mentioned reasons in the entire administrative procedure from
on the part of this Agency, it was determined that the company is the manager of personal data processing
acted contrary to Article 5 and Article 6 of the General Data Protection Regulation, since it is the subject
the company processed (published) the personal data of the winners of the prize draw to an excessive extent
without citing a justified reason for the public announcement of the same, i.e. without the company in question
proved the existence of a legal basis and legitimate purpose in the specific case.
Since in this administrative matter it was established that the company's actions led to
violation of the right to the protection of personal data of the winners of the prize draw, i.e. until publication
of their personal data to an excessive extent, this Agency decided to the company as
to issue an official warning to the data controller for the established violation of the right to the protection of the subject
personal data. In view of the established violation, the Agency proceeded to pronounce the official
admonitions to the company in question, considering it sufficiently expedient, effective and
with a sufficient measure that will influence society so that in the future it no longer acts contrary to the General
regulations on data protection.
Following the above, it was decided as in the sentence of the decision.
6
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute can be initiated before
by the Administrative Court in Rijeka within 30 days from the date of delivery of the decision.

DEPUTY DIRECTOR
 Igor Vulje