Legitimacy: DPA Austria Finds Non-Compliant Disclosure of Personal Data

 
Establishing Legal Grounds for Processing, Defining Data Processing
A sports association published on its website the personal data (name, telephone number and email address) of the team leader of a sports team. The publication was unlawful because access to the data was not restricted (the details were published in the unrestricted areas, where a user was not required to log in), and the legitimate interests of the individual outweighed those of the association, which could not justify how releasing the personal data without restrictions would make communication faster or more efficient.
 

  
Background Facts:
  • the Austrian Data Protection Authority ("DPA") reviews a complaint against a sports association ("Association"), alleging violations of the: 

Relevance to Business Activities:
  • establishing legal grounds for processing and defining data processing considerations:
    • background:
      • an individual ("Complainant") alleged that the Association unlawfully processed his personal data by publishing it on its website:
        • including his:
          • name;
          • telephone number; and
          • email address.
        • which can be accessed by all website visitors.
      • the Complainant is a team leader in the Association's sports team:
        • details of the team and their leaders are published on the Association's website as a standard practice.
    • legal framework:
      • GDPR:
        • article 6 states that processing shall be lawful if the:
          • data subject has given consent to the processing of his or her personal data for one or more specific purposes; or
          • processing is necessary:
            • for the:
              • performance of a contract to which the data subject is a party;
              • compliance with a legal obligation to which the controller is subject;
              • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
              • legitimate interests pursued by the controller or third party:
                • except where the interests are overridden by the interests or fundamental rights and freedoms of data subjects.
            • in order to:
              • take steps at the request of the data subject prior to entering into a contract; or
              • protect the vital interests of the data subject or another natural person.
        • article 7(4) states that freely given consent can be assessed by considering if the consent was a prerequisite for the: 
          • performance of a contract or provision of a service; and
          • processing of personal data which is not necessary for the performance of that contract.
    • findings and outcome:
      • the Association unlawfully processed the Complainant's personal data: 
        • by failing to:
          • restrict the access to personal details of team members to authorized users:
            • the details of the team leaders and members were published in the unrestricted areas, where a user was not required to log in.
          • justify how the communication would be faster or more efficient by releasing the personal data of the team members without restrictions:
            • the interests of the Association do not outweigh the Complainant's interests.
        • the deletion of the personal data during the proceedings does not eliminate the infringement or the negative consequences on the Complainant:
          • the personal data was already published in the public domain, even if for a limited period of time.
