Background information
Date of final decision: 27 October 2021 (deadline for appeals: 3 December 2021)
Cross-border case or national case: National case
Controller: Decision to be published anonymously after the deadline for appeal
Legal Reference: lawful and transparent processing under Article 5(1)(a); information to data subjects under Article 12(1) and Article 13 of the GDPR; data minimisation under Article 5(1)(c); legal basis under Article 6(1)
Decision: finding an infringement of the GDPR, order to bring practices into line with the GDPR, data protection fine of HUF 5 million (approx. EUR 14 000)
Key words: information to data subject, legitimate interest, data minimisation
Summary of the Decision
Origin of the case
After the Applicant had its car inspected/serviced by the Respondent as a specialist car garage, the Applicant provided the Respondent its email address at the request of the Respondent. The Applicant subsequently received an unsolicited email asking him to complete a satisfaction questionnaire in relation to the above service provided and then another email asking him to complete the questionnaire again due to his lack of response. The emails included the chassis number of the Applicant's car, but the emails were not from the Applicant, but from a third party sender. The Applicant's consent for the transfer was not requested and the Applicant was also not informed.
Key Findings
The emails in question were sent by the Importer, who has a contractual relationship with the Applicant, as the exclusive importer in Hungary of cars of the same type as the Applicant's car, via a data processor. The emails contained only the name of the data processor and the generic description "your <brand of car> dealer" and "the email was sent by <data processor> on behalf of <brand of car>", from which the Applicant could not know to whom and for what reason his or her email address and the data of his or her car had been sent. The data controller for the email in question was not the Respondent but the Importer. This information is usually provided with the work documentation, which was not provided in this case. According to the information provided, the data could also be transmitted to the car manufacturer, but the facts revealed during the investigation that this is only done in the form of anonymous statistics, so this - otherwise cross-border - subject matter was not examined by the Authority. The Authority extended the procedure ex officio to the general data processing practices of the importer in relation to the satisfaction measurement. The original application against the Respondent was rejected as it was not the data controller.
Decision
In the individual case, based on the declarations of the Importer and the Respondent, the Respondent did not receive any information on the data processing. In the absence of adequate information and effective rights of the data subject, the importer could not have a legitimate interest in the individual case.
With regard to the data processing practices, in the absence of adequate information and excessive processing of personal data, there cannot be a legitimate interest of the Importer to know the satisfaction of its customers for the purposes of monitoring and quality assurance of its service and trading partners. The Importer could not demonstrate how the following processed data are related to the stated purposes of satisfaction measurement and complaint management: the customer's name, email address, home address, telephone number, age, gender, chassis number, registration number, technical data of the vehicle, the name of the dealer partner used, the date of the service used and the content of the feedback. In the absence of customer feedback or in the case of non-negative feedback, the processing of data other than statistical data on the vehicle and the service provided, and in the case of negative feedback and individual requests, data other than the personal data necessary for complaint handling, is unlawful and therefore the modification of the pertinent data processing practice was ordered and a fine was imposed.
For further information: Decision anonymously available after the deadline for appeals at https://www.naih.hu/hatarozatok-vegzesek
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.