Following the controller's appeal, the fine imposed for several GDPR violations was increased almost 15 times!
The Slovak Office for Personal Data Protection imposed a € 900 fine on the bank. The bank challenged the decision by an appeal. In its decision on the appeal, the supervisory authority tightened the sanction further: it imposed a total fine of € 13,300 on the bank and at the same time ordered a measure to eliminate the identified infringements. The bank can still defend itself by filing a court action.
The administrative procedure was initiated based on a request from the data subject. The case dates back to 2019, when the bank's marketing offer was delivered to the data subject's postal address. The data subject was not a client of the bank at the time the marketing offer was delivered (he was a former client). After the delivery of the marketing offer, the data subject exercised his right of access pursuant to Art. 15 GDPR. The data subject later also filed a motion to initiate proceedings on the protection of his personal data.
The Slovak Office for Personal Data Protection identified several breaches: (i) breach of the principles of fairness and transparency under Art. 5 par. 1 letter a) GDPR, in that the bank informed data subjects pursuant to Art. 14 GDPR about the marketing purpose of processing personal data obtained from a publicly available source (the real estate cadastral portal), although from 25.05.2018 the bank no longer performed this processing activity; (ii) violation of the principle of legality under Art. 5 par. 1 letter a) GDPR by sending a marketing offer to the data subject's home postal address; (iii) violation of Art. 12 par. 1 in conjunction with Art. 15 GDPR by non-transparent handling of the data subject's request for access to data, as the bank did not provide relevant information in its reply and did not explain the lawfulness of the data processing to the data subject in a clear and transparent manner.
In addition to the financial sanction, the supervisory body ordered the controller to update the information provided to the data subjects pursuant to Art. 13/14 GDPR.
The decision is also interesting in that, by filing an appeal against the first-instance decision, the bank worsened its own situation, as the supervisory body increased the amount of the financial sanction. In the Slovak Republic, the prohibition of reformatio in peius (the prohibition of tightening a previous decision) is one of the essential principles of criminal proceedings, but in administrative proceedings, tightening the first-instance administrative decision is allowed.
Article provided by: Miroslav Chlipala and Stefan Pilar (Bukovinský & Chlipala, Slovakia)
Dr. Tobias Höllwarth (Managing Director INPLP)