Unauthorized Processing of Personal Data in Connection with a Traffic Accident
The Office’s investigation of this case began following a complaint from the data subject, who claimed that they received a letter from Company CC identifying them as a participant in a traffic accident. The data subject had never owned a motor vehicle nor held a driver’s license and was therefore surprised to find that Company CC was handling their personal data. The letter contained their first name, surname, address, and the accident date, raising questions about the origin of the data and the reasons for Company CC’s processing. When the data subject attempted to contact Company CC to seek an explanation of how the company obtained their personal data, they received only vague and contradictory responses. According to Company CC, the data originated either from publicly available sources or was reported by neighbors.
The Office then requested that Company CC provide a legal basis for processing the data subject’s personal data. Company CC, however, was unable to provide the required evidence, leading to an inspection directly at its premises. The inspection uncovered significant deficiencies in the company’s data processing practices—Company CC had not ensured even the basic requirements for lawful and transparent processing of personal data and lacked any documentation to demonstrate compliance with GDPR.
The inspection highlighted three primary areas in which Company CC violated GDPR:
1. Violation of the Principle of Lawfulness
Company CC processed personal data, such as the first name, surname, address, and accident date, without a demonstrable legal basis, which contravenes Article 6 of the GDPR. Processing personal data requires satisfying at least one of the conditions listed in this article (such as the data subject’s consent or a legitimate interest). Company CC did not possess any of these legal grounds.
2. Violation of the Principle of Transparency
GDPR mandates data controllers to provide data subjects with clear and understandable information about how and why their personal data is processed. However, in the letters sent to data subjects, Company CC did not inform recipients of the purpose or legal basis for processing their personal data, thus breaching the transparency principle set out in Article 5 of the GDPR.
3. Lack of Accountability and Absence of Records
GDPR requires that data controllers maintain records of processing activities to enable oversight and demonstrate GDPR compliance. However, Company CC lacked records or other documents related to personal data processing, which is a violation of Article 30 of the GDPR.
Based on these findings, the Office ordered Company CC to immediately cease unlawful data processing and delete the personal data of data subjects from all internal databases. Furthermore, Company CC was instructed to inform the Office of compliance with these measures within 15 days of the decision becoming final. Given the extent and seriousness of the infringements, the Office also imposed a financial penalty. The fine was set at EUR 7,500, considering it was a repeated violation. Previously, the Office had already mandated measures to improve data protection at Company CC, which it failed to implement. Although the fine is at the lower limit of possible sanctions under Article 83 of the GDPR, the Office considers it sufficient to serve as a deterrent.
The Office’s decision sets a significant precedent and should serve as a warning to all data controllers. Unauthorized handling of data, without a legal basis and without transparency toward data subjects, can result in severe legal and financial consequences. Through this decision, the Office emphasized that any data processing must be grounded in one of the legal bases listed in the GDPR, from the start of processing through to its conclusion. The Office’s commitment to conducting inspections and rigorously sanctioning non-compliance demonstrates that failing to adhere to GDPR can have serious implications for companies. The case of Company CC, therefore, illustrates that in today’s digital world, data protection must be part of responsible business practices and that data protection authorities monitor compliance not only formally but in all practical aspects.
Article provided by INPLP member: Miroslav Chlipala (BCH Advokáti Chlipala, Slovakia)
Dr. Tobias Höllwarth (Managing Director INPLP)