Hungarian SA’s decision on the handling of an access request by an airline company

Background information

  • Date of final decision: 15 August 2022
  • Cross-border case
  • LSA: Hungarian SA
  • CSAs: Belgian, Norwegian, Swedish, Portuguese, Danish, Italian, German, Spanish, Polish SAs
  • Controller: airline company
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 15 (Right to access by the data subject)
  • Decision: Reprimand
  • Key words: Reprimand to processor, Right of access, Lawfulness of processing, Personal data breach

Summary of the Decision

Origin of the case

The Complainant flew on one of the Company’s flights. He lodged a complaint with the Company in which he mentioned information about his health. The Complainant’s flight ticket was booked by a travel agency. 

The Company sent its information on the handling of the complaint, the list of documents required for handling it, and the complaint itself to the e-mail address that had been used to book the ticket, so the Complainant’s data was transferred to a third party. After the Complainant became aware of the data transfer, he requested information on the legal basis on which the Company had transferred his personal data to third parties. The Company incorrectly informed the Complainant about the transfer of his personal data. The Complainant claimed that his personal data, including his personal health data, were transferred unlawfully by the data controller (hereinafter: Company).

Key Findings 

The Hungarian SA established that the transfer of the Complainant’s personal data to a third party was a data protection breach. The transfer or communication of personal data also constitutes processing and it can therefore be lawful only if it has a legal basis under Article 6(1) GDPR. Where the processing also involves special categories of personal data, the controller must have a legal basis under Article 6(1) GDPR and the processing must also comply with one of the situations set out in Article 9(2) GDPR.

The Company’s reply to the access request contained incorrect, faulty and misleading information, as the Company's employee wrongly informed the Complainant that the travel agency that booked the flight had the right to participate in the complaint procedures in connection with the trip, while the Complainant could request that the communication be sent directly to him.


Decision 

The Company infringed Article 5(1)(f) GDPR through the unauthorized disclosure of the Complainant's personal data – including health data – to a third party.
The Company, due to the negligence of its employee, unlawfully forwarded the Complainant's complaint, including his health data, to a third party, without a proper legal basis, in violation of Article 6(1) GDPR and Article 9(1) GDPR in relation to health data.

The Company also infringed Article 15(1) GDPR by failing to provide information on the legal basis for the transfer of the Complainant's data and instead providing incorrect information on the complaint handling process.

Because of these infringements, the Authority reprimanded the Company based on Article 58(2)(b) GDPR.

For further information: national decision
 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.