AZOP (Croatia) - Decision of 21 January 2022

From GDPRhub
AZOP (Croatia) - Decision of 21 January 2022
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 21.01.2022
Fine: None
Parties: n/a
National Case Number/Name: Decision of 21 January 2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP Decision Database (in HR)
Initial Contributor: Giel Ritzen

The Croatian DPA held that a company violated Article 5, 6, and 14 GDPR for calling a phone number which was on an official "do-not-call" registry to conduct a survey, and failing to provide the data subject with adequate information related to the processing of their data for this purpose.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is a company that called data subject with the request to partake in a survey. Data subject’s telephone number, however, was listed in an official “Do-not-call” registry. The controller stated that it did not know data subject’s name, and that they had a legitimate interest and thus their legal basis for processing was Article 6(1)(f) GDPR. Moreover, it claimed that, if the person would agree to partake in the survey, they would only further process the personal data with consent of the data subject. Finally, the controller claimed that data subject was called because of a human error, and it was not the intention to call someone whose number is listed in an official “Do-not-call” registry.

The data subject then filed a complaint with the DPA.

Holding[edit | edit source]

First, the DPA considered that the data subject was not a user or client of the controller. Hence, the controller had to prove that it conducted a balancing test that showed that their legitimate interest overrode the data subject’s interests, rights and freedoms, pursuant to Article 6(1)(f) GDPR. In this regard, the DPA found that the data subject’s phone number was listed in a “Do-not-call” registry was the decisive factor that the data subject’s interests were not overridden. In this regard, it was not relevant that data subject was called because of a human error. If anything, the DPA notes, this showed that the controller did not take appropriate technical and organisational measures to ensure compliance with the principles listed in Article 5 GDPR. Hence, the DPA concluded that the controller did not have a legal basis to process data subject’s phone number, and violated Article 5 and Article 6 GDPR.

Second, the DPA found that data subject was insufficiently informed about the processing of their personal data, and the controller thus also violated Article 14 GDPR. However, the DPA did not use any of their corrective powers as listed in Article 58(2) GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA 
PROTECTION AGENCY PERSONAL 
DATA CLASS: 
REGISTRATION NUMBER: 
Zagreb, April 8, 2020
Personal Data Protection Agency pursuant to Articles 57 (1) and 58 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC SLEU L119 (hereinafter referred to as the "General Regulation") and Art. Of the Act on the Implementation of the General Regulation on Data Protection (Official Gazette 42/18) and Art. 96.st.1. Of the General Administrative Procedure Act (Official Gazette No. 47/09), upon the request for protection of the applicant's rights, issues the following
SOLUTION 
1. The request for a violation of the applicant's right to protection of personal data is founded. 
2. It has been established that the processing of the applicant's personal data by Company x violated Article 5 (1) (a) and (f), 6, 14 and 17 of the General Data Protection Regulation. 
3. The company x shall be prohibited from any further processing of the personal data of the applicant and all other persons whose personal data they possess without a legal basis and lawful purpose. 
4. The company x is ordered to delete the personal data of the applicant, specifically the telephone number, from the storage system, all pursuant to Article 17 of the General Data Protection Regulation. 
5. A period of 15 days shall be set for the procedure referred to in item 4 of the pronouncement, and the Agency shall be notified thereof. 
Reasoning 
The Personal Data Protection Agency (hereinafter: the Agency) received a request for a violation of the applicant's right to protection of personal data in which the applicant states that she received a call from the telephone number… even though her number is in She did not give her consent to contact the "Don't Call" registry. In support of her application, the applicant submitted proof of entry in the "Do not call" register, as well as proof of a call to the telephone number. 
The request is founded. Acting upon the received request, the Agency carried out supervisory actions and it was determined that the phone number in question is not publicly published in the telephone directory. Furthermore, the supervisory activities established that the number… from which the telephone calls were made was owned by the company x and the statement of the company in question on the processing of the applicant's personal data was requested. 
The mentioned company commented on the letter stating that on January 2, 2020, an employee of the company called the telephone number in order to interview the person he called on the number li whether he wants to participate in the survey, after which the respondent said he did not want to participate in the survey and the conversation was not resumed nor was the person called again. Furthermore, in their statement they state that they have no information to whom the disputed number refers and that they have the disputed number and city in their database without any personal data (name, surname, etc.). They also state that the legal basis for the processing of personal data is the legitimate interest of the company as the controller, and if the person agreed to conduct the survey then further processing would be based on the consent of respondents and that the number was collected from the phone book. They emphasize that inviting people to conduct a survey is not considered to promote or sell products or services. Finally, they state that they are doing a check in the Do Not Call Registry, but that in this particular case it is a human error and that the disputed number was not provided to a third party. 
In accordance with Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC: General Data Protection Regulation personal data must be processed legally, fairly and transparently with regard to the respondent (principle of legality, fairness and transparency); collected for special, explicit and legitimate purposes and may not be further processed in a way that is not in accordance with those purposes (purpose limitation principle); appropriate, relevant and limited to what is necessary for the purposes for which they are processed (data reduction principle); accurate and, where appropriate, up-to-date (principle of accuracy); kept in a form that allows the identification of respondents only for as long as necessary for the purposes for which personal data are processed (storage restriction principle); processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage through the application of appropriate technical or organizational measures (principle of integrity and confidentiality).
The said General Data Protection Regulation, in Article 4 (1) (1), provides that personal data are all data relating to an identified or identifiable individual, and an identifiable individual is an identifiable person. directly or indirectly, in particular by means of identifiers such as name, identification number, location data, network identifier or by one or more factors specific to that individual's physical, physiological, genetic, mental, economic, cultural or social identity.
Article 6 of the General Data Protection Regulation stipulates that processing is lawful only if and to the extent that at least one of the following is met: the respondent has consented to the processing of his or her personal data for one or more special purposes; processing is necessary for the performance of the contract to which the respondent is a party or in order to take action at the request of the respondent prior to the conclusion of the contract; processing is necessary to comply with the legal obligations of the processing manager; processing is necessary to protect the key interests of the respondent or other natural person; processing is necessary for the performance of a task of public interest or in the performance of the official authority of the controller; processing is necessary for the legitimate interests of the controller or a third party, except when those interests are stronger than the interests or fundamental rights and freedoms of respondents who require the protection of personal data.
Article 17 (1) of the General Regulation stipulates that the data subject has the right to obtain from the controller the deletion of personal data relating to him without undue delay and that the controller has the obligation to delete personal data without undue delay if one of the following conditions is met: a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the respondent withdraws the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and if there is no other legal basis for the processing; (c) the respondent objects to the processing in accordance with Article 21 (1) and there are no compelling legitimate reasons for the processing, or the respondent objects to the processing in accordance with Article 21 (2); (d) personal data have been unlawfully processed; (e) personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Member State to which the controller is subject; (f) personal data have been collected in connection with the provision of information society services referred to in Article 8 (1).
Article 14 stipulates that if personal data relating to the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time of collection: (a) the identity and contact details of the controller and, if applicable, (b) the contact details of the Data Protection Officer, if applicable if applicable, the intention of the controller to transfer personal data to the recipient in a third country or international organization and the existence or non-existence of a Commission decision on adequacy, or in the case of Article 46 transfers; 47, or the second subparagraph of Article 49 (1), reference to appropriate or appropriate safeguards and the means of obtaining a copy thereof or the place where they are made available. In addition to the information referred to in paragraph 1, the controller shall, at the time the personal data are collected, provide the respondent with the following additional information necessary to ensure fair and transparent processing: (a) the period during which the personal data will be stored; (b) the existence of the right to request the controller to access personal data and to correct or delete personal data or to restrict processing relating to the respondent or the right to object to the processing of such data and the right to data portability; ) if the processing is based on Article 6 (1) (a) or Article 9 (2) (a), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on consent before it is withdrawn, (d) the right to object to the supervisory authority, (e) the source of personal data and, where applicable, whether they come from publicly available sources; (f) the existence of automated decision-making, which includes the creation of the profiles referred to in Article 22 (1) and (4) and, at least in these cases, meaningful information on the logic involved and the importance and intended consequences of such processing for the respondent. The controller shall provide the information referred to in paragraphs 1 and 2 of the said Act, inter alia, within a reasonable time after receiving personal data, and no later than one month taking into account the special circumstances of personal data processing. the moment personal information is first disclosed. Paragraph 4 of the same article stipulates that if the controller intends to further process personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the respondent with information on that other purpose and all other relevant information referred to in paragraph 2 of Article 14 of the General Regulation.
The respondent has the right, at any time based on his / her special situation, to object to the processing of personal data concerning him / her in accordance with Article 6 (1) (e) or (f), including the creation of a profile based on these provisions. . The controller may no longer process personal data unless the controller demonstrates that there are compelling legitimate reasons for the processing that go beyond the interests, rights and freedoms of the respondent or to set, exercise or defend legal claims. If personal data is processed for the purposes of direct marketing, the respondent has the right to object at any time to the processing of personal data relating to him for the purposes of such marketing, which includes creating a profile to the extent associated with such direct marketing. At the latest at the time of the first communication with the respondent, the respondent must be explicitly drawn to the law referred to in paragraphs 1 and 2 and this must be done in a clear and separate manner from any other information (Article 21).
Consequently, based on the established facts in this administrative matter, company x as the controller did not have a legal basis for the processing of personal data, specifically the telephone number of the applicant. Namely, the allegation that the legal basis for the processing of the applicant's personal data is a legitimate interest within the meaning of Article 6 § 1 (f). The General Data Protection Regulation does not have its legal basis in this particular case as it has not been established that the applicant is a user / client of the said manager. Also, the processing manager's call for a legitimate interest is not enough, but the processing manager must be able to prove it by conducting a balance test in which he proves that the processing manager's interest prevails over the interest or rights and freedoms of respondents. Also, the decisive fact in this administrative matter was the fact that the applicant's number was entered in the Register "Do not call" before contacting the company so that a legitimate interest can not be a valid legal basis in this case.
The mentioned company also did not prove that the number is in the telephone directory, and the fact that it admitted that calling the number in the Register "Do not call" was due to human error proves that the mentioned company as a processing manager does not take appropriate protection measures to process personal data was lawful and fair, in breach of the provisions of Articles 5 and 6 of the General Data Protection Regulation. 
In addition, it follows from the described procedure that the applicant was not adequately informed about the processing of personal data in the manner required by Article 14 of the General Data Protection Regulation.
As the company in question processed the applicant's personal data without the legal basis of Article 6 of the General Data Protection Regulation without taking care that the number is in the Do Not Call Registry, the applicant's personal data was ordered deleted from its databases (storage systems). whereas, in accordance with Article 17 of the General Data Protection Regulation, there are no stronger legitimate reasons for the further processing of personal data and personal data are also unlawfully processed.
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative Court in Zagreb within 30 days from the day of delivery of the decision.
DIRECTOR Anto Rajkovača