Personal Data Protection Office imposing penalties mainly for unsolicited advertising in first half of 2021
The Office for Personal Data Protection has published an overview of its inspections for the first half of 2021. The office most often and most severely sanctioned sending of unsolicited commercial communications. Penalties were also imposed for incorrectly set consent with cookies or failures to delete the accounts of former employees. The office inspected both private entities and non-profit organisations as well as public administration.
In the area of personal data protection, during its inspections the office most often focused on:
- review of the legal titles for processing personal data
- fulfilment of information obligations of personal data controllers
- excercising the rights of data subjects
- ensuring sufficient security of personal data.
In relation to the security of personal data, the office, e.g., found fault with an insurance company that had not revoked access to the insurance company’s data box to its former employee (the complainant) on the date of termination of employment. Thus, the complainant had access to personal data in the data box of the inspected insurance company even after the termination of employment.
As for the review of legal titles for personal data processing and the fulfilment of information obligations, the office turned its attention to e.g., customer loyalty programmes. For retailers, it primarily checked whether the use of loyalty programmes and cards, including customer family cards, involves the processing of personal data to an adequate, relevant, and necessary extent. In this context, it also assessed whether personal data are processed fairly, transparently and based on lawful grounds. Finally, the office focused on the fulfilment of information obligations towards data subjects, the use of processors and the level of security of customer databases.
The most and highest sanctions were imposed for sending unsolicited commercial communications. Fines ranged from tens of thousands to the lower hundreds of thousands of Czech crowns. During inspections concerning unsolicited commercial communications, the office primarily paid attention to the reasons for sending commercial communications and to the senders’ information obligations.
Considering the inspections’ results, it is recommendable that companies should pay proper attention not only to the fulfilment of their information obligation towards the recipients of the communications, but also to their databases of electronic contacts used for sending commercial communications. They should make sure that these databases contain only contacts that are their customers who have not refused to receive commercial communications or contacts who have given their consent to receive commercial communications. Sufficient control mechanisms should be put in place for this purpose. Companies should not underestimate how their internal processes have been set up and how they comply with personal data protection rules. So, if you find yourself on the Personal Data Protection Office’s radar or just want to be at ease and have everything in order, please do not hesitate to contact us.