Based on the appeal of the controller, the imposed fine for several GDPR violations has been increased almost 15 times!

19.07.2021

By filing an appeal against the first-instance decision, the controller worsened its own position: the supervisory body increased the financial sanction almost 15 times! The prohibition of reformatio in peius (the prohibition on making the previous decision more severe) is one of the essential principles of criminal proceedings, but in administrative proceedings a first-instance administrative decision may be made more severe on appeal.

The Slovak Office for Personal Data Protection imposed a fine of € 900 on the bank. The bank challenged the decision by an appeal. In its decision on the appeal, the supervisory authority made the sanction more severe: it imposed a total fine of € 13,300 on the bank and at the same time ordered a measure to eliminate the identified infringements. The bank can still defend itself by filing a court action.

The administrative procedure was initiated based on a request from the data subject. The case dates back to 2019, when the bank's marketing offer was delivered to the data subject's postal address. The data subject was not a client of the bank at the time the marketing offer was delivered (he was a former client). After the delivery of the marketing offer, the data subject exercised his right of access pursuant to Art. 15 GDPR. The data subject later also filed a motion to initiate proceedings on the protection of his personal data.

The Slovak Office for Personal Data Protection identified several breaches: (i) a breach of the principles of fairness and transparency under Art. 5 par. 1 letter a) GDPR, in that the bank informed data subjects, pursuant to Art. 14 GDPR, of a marketing purpose for processing personal data obtained from a publicly available source (the real estate cadastral portal), although the bank had no longer performed this processing activity since 25.05.2018; (ii) a violation of the principle of lawfulness under Art. 5 par. 1 letter a) GDPR by sending a marketing offer to the data subject's home postal address; (iii) a violation of Art. 12 par. 1 in conjunction with Art. 15 GDPR by non-transparent handling of the data subject's request for access to data, as the bank did not provide relevant information in its reply and did not explain the lawfulness of the data processing to the data subject in a clear and transparent manner.

In addition to the financial sanction, the supervisory body ordered the controller to update the information provided to the data subjects pursuant to Art. 13/14 GDPR.

The decision is also interesting in that, by filing an appeal against the first-instance decision, the bank worsened its own position: the supervisory body increased the amount of the financial sanction. In the Slovak Republic, the prohibition of reformatio in peius (the prohibition on making the previous decision more severe) is one of the essential principles of criminal proceedings, but in administrative proceedings a first-instance administrative decision may be made more severe on appeal.

Article provided by: Miroslav Chlipala and Stefan Pilar (Bukovinský & Chlipala, Slovakia)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.