UOOU - UOOU-00196/20

From GDPRhub
UOOU - UOOU-00196/20
LogoCZ.jpg
Authority: UOOU (Czech Republic)
Jurisdiction: Czech Republic
Relevant Law: Article 5(1)(f) GDPR
Article 6(1)(a) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Decided: 28.04.2021
Published: 28.05.2021
Fine: 22864 EUR
Parties: n/a
National Case Number/Name: UOOU-00196/20
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Czech
Original Source: UOOU (in CS)
Initial Contributor: n/a

The Czech DPA fined a company €22,864 for publishing on its website personal data scraped from public registers without any legal basis and without informing data subjects about the processing.

English Summary[edit | edit source]

Facts[edit | edit source]

The DPA received six complaints against a company that aggregated on its website personal data from public registers without any legal basis.

The DPA found a violation of

  • Article 6(1) GDPR, as the mere "scraping" of the public register did not fulfill the condition of necessity processing of personal data declared by the company and therefore the legal title referred to in Article 6(1)(f) GDPR.
  • Article 5(1)(a) GDPR, as the company processed personal data without having any of the legal titles listed in Article 6(1) GDPR,
  • Article 12(3) GDPR, as some of the complainants were not informed in any way about the way in which their data were processed.
  • Article 12(2) GDPR because the company did not facilitate the exercise of the rights of data subjects under Articles 15 to 22 GDPR.
  • Article 14 GDPR, as mere publication of information under Article 14 GDPR on the company's website cannot be considered sufficient fulfillment of information obligation.

Holding[edit | edit source]

The DPA fined the controller CZK 500,000 for above mentioned violations. Additionally, during the inspection, the company was fined CZK 100,000 for non-cooperation.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.

Processing of personal data on websites by flipping data from public registers (UOOU-00196/20)
Company
 
 
 
The Office received a total of six complaints against the company, which opposed the processing of personal data aggregated on the company 's website, in the form of their simple flipping from publicly accessible registers (eg ARES, Commercial Register, Trade Register, etc.) 

The subject of the inspection was compliance with the obligations set out in the General Regulation and Act No. 110/2019 Coll., On the processing of personal data, in connection with the processing of personal data on the Internet, respecting the right to delete and the right to information on personal data processing the extent of the complaints filed, as well as the general fulfillment of the rights of data subjects in the processing of their personal data in the Internet environment. 

In the inspection report, the Office found a violation of: (i) Article 6 (1) of the General Regulation, as such processing is illegal in the case of a simple flipping of the trade and business register by the controlled company, as the mere "flipping" of the public register did not fulfill the condition of necessity processing of personal data declared by the company and therefore the legal title referred to in Article 6 (1) (a). (ii) Article 5 (1) (f) of the General Regulation could not be applied to the processing in question; (iii) Article 12 (3) of the General Regulation, as some of the complainants were not informed in any way about the way in which they were processed; their requests for deletion of personal data [ie the company did not provide data subjects with information on the measures taken under Articles 15 to 22 of the General Regulation], (iv) Article 12 (2) of the General Regulation because the company did not facilitate the exercise of the rights of complainants (data subjects) under Articles 15 to 22 of the General Regulation; Article 14 of the General Regulation, as the audited company did not fulfill its information obligation under this Article [mere publication of information under Article 14 of the General Regulation on the company's website cannot be considered fulfilled]. No objections were lodged against the inspection report. as the audited company has not fulfilled its information obligation pursuant to this article [mere publication of information pursuant to Article 14 of the General Regulation on the company's website cannot be considered as fulfilled]. No objections were lodged against the inspection report. as the audited company has not fulfilled its information obligation pursuant to this article [mere publication of information pursuant to Article 14 of the General Regulation on the company's website cannot be considered as fulfilled]. No objections were lodged against the inspection report. 

In conclusion, the inspection was followed by an administrative proceeding in which an injunction was issued imposing remedial measures and a fine of CZK 500,000, and that during the inspection the company was fined CZK 100,000 for non-cooperation [for violation Article 15 (1) (a) a) of the Control Rules].