NAIH (Hungary) - NAIH-2732-2-2023: Difference between revisions

From GDPRhub
(Past tenses, shortened a bit)
No edit summary
 
(8 intermediate revisions by 3 users not shown)
Line 77: Line 77:
}}
}}


The Hungarian DPA held a beauty salon liable for a major GDPR infringement including employee and client surveillance, mishandling of sensitive data and using data for marketing purposes without proper consent.
The Hungarian DPA held a beauty salon liable for major GDPR infringements including cameras monitoring employees and clients, the mishandling of sensitive data and the use of data for marketing purposes without proper consent. The DPA imposed a fine of €80,000.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller was a Budapest-based company that operates the Spandora Beauty Centre (spandora.hu), where facial and body treatments and medical aesthetic procedures are performed in 2 diagnostic rooms and 15 treatment rooms. The controller also distributed cosmetic products.
The controller was a Budapest-based company that operated the [https://spandora.hu/ Spandora Beauty Centre], where facial and body treatments and medical aesthetic procedures were performed. The controller also distributed cosmetic products.


The DPA received several notifications in which clients and employees of the controller complained that the controller had cameras recording image and sound in all premises (offices, treatment rooms, corridors, reception) at its headquarters. Furthermore, in the manager's office, both employees and guests were reportedly intercepted.
The DPA received several notifications in which clients and employees of the controller complained about cameras recording image and sound in all premises (offices, treatment rooms, corridors, reception) at its headquarters.


The controller, although informing the data subjects of the presence of cameras did not provide information about the audio recording and the purpose of the surveillance. The data subjects argued that the purpose of the audio recording was to monitor the treatment staff, to obtain information about the clients and to sell them more treatments and facial products based on the information obtained.
The DPA launched an official investigation on 19 October 2021 and carried out an on-site visit on 20 October 2021. The main issues arising from the very detailed investigation can be summarized as follows: 


The complaints also indicated that the controller also engaged in a referral practice whereby guests are asked to provide the names and contact details of their contacts and this information is used to offer free treatments to the data subjects so contacted.
First, the cameras were monitoring the room where the staff eats, the training rooms and customer treatment rooms (implying that clients were often seen in incomplete clothing). The purpose of this processing was however not clearly defined nor communicated.


The DPA launched an official investigation on 19 October 2021 and carried out an on-site visit on 20 October 2021.
Second, the controller explained that only a few specific people had access to the recordings. However, the on-site visit showed that the camera images were also seen by the sales manager, who used them to check that the staff was communicating properly with the clients. The recordings were available on a computer in an unlocked room. To access them, one could click on a shortcut and enter a username which was written on a piece of paper stuck to the monitor.


=== Holding ===
Third, all clients had to fill in and sign a consultation form which mentioned the placement of cameras for the purpose of protecting clients and staff. It however did not mention the recording of audio. The investigation also showed that there was no mention of the cameras in the privacy notice in force.
First, the DPA investigated the methodology of CCTV surveillance and related information giving practices. During the on-site inspection, the DPA examined each camera image separately and found that the quality of the images and audio recordings identified the individuals subject to the CCTV surveillance. On the one hand, the controller operated the cameras in premises where employees worked, so that the cameras in the employees' workstations and in the operators' and training rooms also monitored employees while they were working and in the control room while they were eating, and in the operators' and customer service rooms, the cameras also continuously monitored guests in addition to employees, so that they were often seen in incomplete clothing during treatments.  


According to the controller's declaration, the manager, the financial manager, the HR manager, and the warehouse manager had access to the recordings. However, according to the on-site visit, the camera images were also seen by the sales manager, who said that he used them to check that the therapists providing the treatments were communicating properly with the clients.
Fourth, the controller stored health data in the client database, including Covid vaccination status, pregnancy, and sicknesses.  


According to the information on the consultation forms (which all clients were required to fill in at the reception desk before starting treatment), the purpose of the monitoring was to protect clients and salon staff. On the other hand, in the privacy notice, as amended by the controller following the opening of the DPA procedure, the purpose of the camera surveillance was to improve the service and to monitor the work of the employees. In its statement in the DPA procedure, the controller added the purposes of service improvement and employee monitoring to the purposes of effective response to possible complaints and protection of property. Finally, it also referred to these processing purposes in its legitimate interest assessment.
Fifth, the controller stated that the signature of the consultation form constituted a consent to the processing of their data for a marketing purpose. Later, the controller held that this processing was based on legitimate interest, and then in a further contradictory declaration, it stated that it did not use client data for such purposes  


The controller had thus not clearly defined the purposes of its surveillance processing, as the purposes indicated to the data subjects in the consultation forms and the purposes described in the information provided by the controller on its website were not consistent with each other, nor were they consistent with the purposes stated in the controller’s declaration to the DPA in the course of the procedure.
=== Holding ===
The DPA assessed the compliance of the monitoring in the light of the different elements of the investigation.  


According to the statements of the controller, employees were informed about the on-camera processing verbally and through the privacy notice. In contrast, the controller’s privacy notice in force in the period prior to the DPA procedure did not contain a section on CCTV. In its updated version of the privacy notice during the procedure, the controller inserted a paragraph in the privacy policy of its website stating that "the salon was equipped with camera surveillance for the purpose of improving the services of the controller and monitoring the work of its employees". In addition, a floor plan of the beauty salon was included in the document in JPEG format, with the location of the cameras marked with an X. Due to the small size of the image, the location of the cameras was barely visible, and this information was not suitable for the identification of the location and the angle of view of the cameras by the workers concerned.
First, the DPA stated that the monitoring was performed for an unclear purpose and without settings that minimized the processing. The controller referred to the purposes in general terms and with contradictory statements. Consequently, the DPA concluded that the controller had breached the purpose limitation principle under [[Article 5 GDPR#1b|Article 5(1)(b) and (c) GDPR]]. The DPA, therefore, prohibited the processing of data by the camera in operators and in diagnostic and examination rooms and instructed the controller to delete in a documented manner the video recordings made in operators and in diagnostic and examination rooms.


In relation to the privacy notice, the DPA found that it did not comply with the requirements of the GDPR as it did not provide information on the location of each camera and its purpose, the area or object it monitored, or whether the employer was carrying out direct or fixed surveillance with the camera. It also did not provide for the specific duration of the storage of the recordings, the rules for viewing the recordings, or the purposes for which the recordings could be used by the employer.
''Second,'' Regarding the people who could access the cameras, the DPA found that the controller did not guarantee the confidentiality of the data processing and did not take measures to protect personal data. Indeed, the images of the cameras and the stored recordings could be easily accessed. The DPA found that by failing to provide the default settings for the operation of the camera system that minimize data processing, the means necessary to ensure the highest possible level of protection of personal data, the controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] in [[Article 24 GDPR]] and [[Article 25 GDPR]], as well as [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#2|Article 32(2) GDPR]], and instructed the controller to take appropriate technical and organizational measures to ensure that its processing operations comply with the legal provisions.


Furthermore, the controller only referred to the different data processing purposes in general terms on the spot and in its declarations and balancing of interests and did not explain in any of them in detail which specific data processing purposes were being monitored in each room, with which cameras, and for which specific purposes.
Third, concerning the information, the DPA found that the privacy notice did not comply with the requirements of the GDPR as it did not provide information on the location of each camera and its purpose, the area or object it monitored, or whether the employer was carrying out direct or fixed surveillance with the camera. It also did not provide for the specific duration of the storage of the recordings, the rules for viewing the recordings, or the purposes for which the recordings could be used by the employer. The consultation forms could not either be considered as compliant since they contained misleading information. The controller therefore didn't comply with the requirement of transparent processing under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and [[Article 13 GDPR|Article 13(1) and (2)]].  The DPA instructed the controller to provide adequate, clear, and transparent information to data subjects about all processing.


Consequently, the DPA concluded that the controller had breached the purpose limitation principle under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]], the requirement of transparent processing under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and [[Article 6 GDPR#1|Article 6(1) GDPR]] by failing to provide a specific legal basis for the processing.
Fourth, regarding the collection and storage of health data, the DPA recalled that the processing of sensitive data is possible if the data subject has given his or her explicit consent or if the processing complies with [[Article 9 GDPR#2|Article 9(2) GDPR]]. In this case, the controller neither demonstrated that the processing of certain health data was indispensable for the performance of the services nor to have collected a valid consent. Thus, the DPA found that the controller had violated [[Article 6 GDPR]] and [[Article 9 GDPR#2|Article 9(2) GDPR]] and prohibited the processing of the health data and to delete the personal health data from the records.


The DPA, therefore, prohibited the processing of data by the camera in operators and in diagnostic and examination rooms and instructed the controller to delete in a documented manner the video recordings made in operators and in diagnostic and examination rooms.
Fifth, the DPA found that there was no checkbox on the consultation form to consent to the processing for marketing purposes. The clients therefore did not consent to the processing for this purpose. The controller also failed to demonstrate a legitimate interest. The DPA concluded that, as the controller processed the data for marketing purposes without a legal basis, it had breached [[Article 6 GDPR#1|Article 6(1) GDPR]] in relation to this processing. For these reasons, the DPA instructed the controller to cease the unlawful processing and to bring the processing operation into compliance with the legal provisions by justifying the legal basis for the processing of the guests' data for marketing purposes.


Second, the DPA investigated access rights to the cameras. According to the controller’s statement, the controller’s Managing Director, Head of HR, Finance Manager, and Warehouse Manager had access to the recordings but did not justify the need for their access rights, despite the DPA's request. During the on-site inspection, the DPA found that, in practice, the images from the cameras were accessible to any employee by clicking on the shortcut icon of the camera management software and entering a password that matched the username, as was the case with the image from the cameras on the monitors in the open server room. In addition, there was a computer in the warehouse from which the cameras could be accessed, so that anyone who entered the warehouse also had unrestricted access to the recordings, which could be viewed and downloaded for no specific purpose. According to the declaration of the controller and the documents submitted, there was no policy on camera data management, and employees were given a one-off verbal briefing on the operation of the camera system upon entry.
Taking into account that the controller had not previously committed GDPR violations and that it implemented compliance measures, the DPA ordered a fine of HUF30,000,000 (approx. €80,000).  


On the basis of what was observed on the spot and on the basis of the documents submitted and the statements of the controller, the DPA found that the controller did not guarantee the confidentiality of the data processing and did not take measures to protect personal data in the operation of the camera system, as the server cabinet was left open and the images of the cameras and the stored recordings could be easily accessed without any purpose by entering the username on a piece of paper stuck to the monitor.
== Comment ==
 
At the publication of this case summary, the privacy notice in question is still accessible from the website of the controller, it was amended following the investigation and now contains for example a truly illegible camera location drawing.  
The DPA found that by failing to provide the default settings for the operation of the camera system that minimize data processing, the means necessary to ensure the highest possible level of protection of personal data, the controller had violated [[Article 5 GDPR#1|Article 5(1) GDPR]] in [[Article 24 GDPR|Article 24 GDPR]] and [[Article 25 GDPR|Article 25 GDPR]], as well as [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#2|Article 32(2) GDPR]], and instructed the controller to take appropriate technical and organizational measures to ensure that its processing operations comply with the legal provisions.
 
Third, the DPA investigated the handling of sensitive data. The controller also recorded and stored the health data of the data subjects in the comments section of the consultation forms and in the database of guests. In this respect, the controller argued that the processing of these sensitive data was necessary to ensure that guests did not lose their pre-booked appointments.
 
The controller also recorded data relating to sickness, pregnancy, coronavirus vaccination in the “comments" field of the "records" field in its database. According to the Controller's statement, these data were processed because the treatment could not be started if the guest was ill, but the appointment was not lost. Conversely, if a guest did not attend a treatment and did not indicate the reason for their absence, the treatment was considered to have been used. Consultation forms may also contain information on the health status of guests, if the boxes for herpes, allergies, pregnancy, surgical procedures were ticked.
 
The processing of health data, as personal data that are by their very nature particularly sensitive, is only possible in specific cases and in compliance with the stricter rules of the GDPR. In this context, the processing of sensitive data is possible if the data subject has given his or her explicit consent or if the processing complies with [[Article 9 GDPR#2|Article 9(2) GDPR]].
 
The DPA stressed that consent would be "explicit" if the data subject confirmed his or her consent in some way, and it also means that the data subject is unequivocally aware that the processing will relate to his or her special categories of data and consents to the processing.
Since the controller did not demonstrate in its replies either that the processing of certain health data was indispensable for the performance of the services it provides or that it was not otherwise possible to postpone the treatment dates, the DPA concluded that the controller did not lawfully process the personal health data of the data subjects.
 
The DPA found that the controller had violated [[Article 6 GDPR|Article 6 GDPR]] and [[Article 9 GDPR#2|Article 9(2) GDPR]] by recording the health data of the guests and therefore prohibited the processing of the health data of the guests in connection with the records and ordered the controller to immediately stop recording the health data in the records in its database and to delete the personal health data of the data subjects from the records in a documented manner.
 
Fourth, the DPA analyzed the use of data for marketing purposes. On 5 April 2022, the controller declared on the legal basis that it processed guest data for marketing purposes based on the consent given in the consultation form, then on 28 September 2022 it declared that the controller processed guest data for marketing purposes based on legitimate interest, and then in a contradictory declaration on 14 October 2022, it stated that it did not use guest data for such purposes, as data processing for marketing purposes only takes place in relation to models used for advertising and employees, then only in the form of videos on social media.
 
As there was no section in the attached consultation forms that contained consent to direct marketing inquiries and contracts for the shooting of commercials did not constitute processing for the purpose of directly contacting guests, the DPA did not accept the controller's claims that the data subjects who filled in the consultation forms had given their written consent to the processing of their personal data for marketing purposes.
 
The DPA found that there was no statement or checkbox on the consultation forms to authorize marketing inquiries, so that the data subjects who did not apply for processing online but in person could not be considered to have given their consent voluntarily to marketing inquiries. While the possibility to tick the checkbox is available for online applicants, the DPA did not find in the partner database any indication of which guests had consented to the processing for marketing purposes and which had not.
 
Nor had the controller provided the DPA with a balance of interests for marketing data processing.
 
The DPA concluded that, as the controller processed the guests' data for marketing purposes without a legal basis, it had breached [[Article 6 GDPR#1|Article 6(1) GDPR]] in relation to this processing. For these reasons, the DPA instructed the controller to cease the unlawful processing and to bring the processing operation into compliance with the legal provisions by justifying the legal basis for the processing of the guests' data for marketing purposes.
 
In conclusion, the DPA found that the controller had infringed Article 13(1) to (2) of the GDPR by providing incorrect or misleading information to data subjects in its prospectus and consultation form about the processing of their personal data, and therefore the DPA instructed the controller to provide adequate, clear, and transparent information to data subjects about all processing and the circumstances of such processing.


== Comment ==
At the publication of this case summary, the privacy notice in question is still accessible from the website of the controller, for instance the truly illegible camera location drawing is there as well:
https://spandora.hu/wp-content/uploads/2021/12/Spandora-Adatkezele%CC%81si-Ta%CC%81je%CC%81koztato%CC%81-.pdf
https://spandora.hu/wp-content/uploads/2021/12/Spandora-Adatkezele%CC%81si-Ta%CC%81je%CC%81koztato%CC%81-.pdf



Latest revision as of 15:14, 26 April 2023

NAIH - NAIH-2732-2-2023
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1) GDPR
Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 24 GDPR
Article 25 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 19.10.2021
Decided: 06.02.2023
Published: 06.02.2023
Fine: 30000000 HUF
Parties: n/a
National Case Number/Name: NAIH-2732-2-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Ábel Kaszián

The Hungarian DPA held a beauty salon liable for major GDPR infringements including cameras monitoring employees and clients, the mishandling of sensitive data and the use of data for marketing purposes without proper consent. The DPA imposed a fine of €80,000.

English Summary

Facts

The controller was a Budapest-based company that operated the Spandora Beauty Centre, where facial and body treatments and medical aesthetic procedures were performed. The controller also distributed cosmetic products.

The DPA received several notifications in which clients and employees of the controller complained about cameras recording image and sound in all premises (offices, treatment rooms, corridors, reception) at its headquarters.

The DPA launched an official investigation on 19 October 2021 and carried out an on-site visit on 20 October 2021. The main issues arising from the very detailed investigation can be summarized as follows:

First, the cameras were monitoring the room where the staff eats, the training rooms and customer treatment rooms (implying that clients were often seen in incomplete clothing). The purpose of this processing was however not clearly defined nor communicated.

Second, the controller explained that only a few specific people had access to the recordings. However, the on-site visit showed that the camera images were also seen by the sales manager, who used them to check that the staff was communicating properly with the clients. The recordings were available on a computer in an unlocked room. To access them, one could click on a shortcut and enter a username which was written on a piece of paper stuck to the monitor.

Third, all clients had to fill in and sign a consultation form which mentioned the placement of cameras for the purpose of protecting clients and staff. It however did not mention the recording of audio. The investigation also showed that there was no mention of the cameras in the privacy notice in force.

Fourth, the controller stored health data in the client database, including Covid vaccination status, pregnancy, and sicknesses.

Fifth, the controller stated that the signature of the consultation form constituted a consent to the processing of their data for a marketing purpose. Later, the controller held that this processing was based on legitimate interest, and then in a further contradictory declaration, it stated that it did not use client data for such purposes

Holding

The DPA assessed the compliance of the monitoring in the light of the different elements of the investigation.

First, the DPA stated that the monitoring was performed for an unclear purpose and without settings that minimized the processing. The controller referred to the purposes in general terms and with contradictory statements. Consequently, the DPA concluded that the controller had breached the purpose limitation principle under Article 5(1)(b) and (c) GDPR. The DPA, therefore, prohibited the processing of data by the camera in operators and in diagnostic and examination rooms and instructed the controller to delete in a documented manner the video recordings made in operators and in diagnostic and examination rooms.

Second, Regarding the people who could access the cameras, the DPA found that the controller did not guarantee the confidentiality of the data processing and did not take measures to protect personal data. Indeed, the images of the cameras and the stored recordings could be easily accessed. The DPA found that by failing to provide the default settings for the operation of the camera system that minimize data processing, the means necessary to ensure the highest possible level of protection of personal data, the controller violated Article 5(1) GDPR in Article 24 GDPR and Article 25 GDPR, as well as Article 32(1)(b) GDPR and Article 32(2) GDPR, and instructed the controller to take appropriate technical and organizational measures to ensure that its processing operations comply with the legal provisions.

Third, concerning the information, the DPA found that the privacy notice did not comply with the requirements of the GDPR as it did not provide information on the location of each camera and its purpose, the area or object it monitored, or whether the employer was carrying out direct or fixed surveillance with the camera. It also did not provide for the specific duration of the storage of the recordings, the rules for viewing the recordings, or the purposes for which the recordings could be used by the employer. The consultation forms could not either be considered as compliant since they contained misleading information. The controller therefore didn't comply with the requirement of transparent processing under Article 5(1)(a) GDPR, and Article 13(1) and (2). The DPA instructed the controller to provide adequate, clear, and transparent information to data subjects about all processing.

Fourth, regarding the collection and storage of health data, the DPA recalled that the processing of sensitive data is possible if the data subject has given his or her explicit consent or if the processing complies with Article 9(2) GDPR. In this case, the controller neither demonstrated that the processing of certain health data was indispensable for the performance of the services nor to have collected a valid consent. Thus, the DPA found that the controller had violated Article 6 GDPR and Article 9(2) GDPR and prohibited the processing of the health data and to delete the personal health data from the records.

Fifth, the DPA found that there was no checkbox on the consultation form to consent to the processing for marketing purposes. The clients therefore did not consent to the processing for this purpose. The controller also failed to demonstrate a legitimate interest. The DPA concluded that, as the controller processed the data for marketing purposes without a legal basis, it had breached Article 6(1) GDPR in relation to this processing. For these reasons, the DPA instructed the controller to cease the unlawful processing and to bring the processing operation into compliance with the legal provisions by justifying the legal basis for the processing of the guests' data for marketing purposes.

Taking into account that the controller had not previously committed GDPR violations and that it implemented compliance measures, the DPA ordered a fine of HUF30,000,000 (approx. €80,000).

Comment

At the publication of this case summary, the privacy notice in question is still accessible from the website of the controller, it was amended following the investigation and now contains for example a truly illegible camera location drawing.

https://spandora.hu/wp-content/uploads/2021/12/Spandora-Adatkezele%CC%81si-Ta%CC%81je%CC%81koztato%CC%81-.pdf

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.