The Personal Data Protection Authority has warned a Fan Company that the recollection of personal data by the client’s control but without informing data subject does not fulfil the personal data protection legislation. The recollection and the usage would also ask a legal basis for the processing.
On the website of the data controller has been noticed a form that, in addition to information about the type of houses and the fan system, was reserving also a space for the information on, for example, the developments of the relationships, the financial situation and the life of the client.
According to information provided by the data controller, the form published on the website of the company was underdevelopment and questions were random fill questions used by the developer of the form in order to help in projecting the form. The form was unvisible for few days. According to the data controller, the form has not been used at any time, for example during visits of clients, in order to recollect personal data.
The recollection of personal data shall be communicated to the data subject in a transparent way
The Authority warns that the personal data processing recollected by clients by the observation would be in breaching of the personal data processing if data subjects are not informed of the recollection and does not exist a legal processing basis.
If the responsible of the processing shall recollect information on clients by observing and not informing them in advance, this would breach the transparency principle of the General Data Protection Regulation. The personal data processing shall be clear and transparent, and the control shall inform the data subject in a comprehensible way on how his/her personal data are recollected and used.
The recollection of personal data by the controlling shall be explained in order that the personal data processing is not a surprise for the data subject. The data subject shall be able to avoid being submitted to the control and to exercise his/her personal data protection rights.
The decision is not final.
TSV Päätös 5417.163.20SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FINLANDIA