State Data Protection Inspectorate published a summary of inspections of rental companies and evaluated the implementation of the data minimization principle and the obligation to inform the data subjects about the processing of personal data.
An inspection revealed that:
– 8 companies out of 16 audited do not properly implement the data minimization principle, i.e., the wrong data is being processed for achieving the required purposes.
– 14 companies out of 16 audited do not properly inform the data subjects about the processing of their personal data.
Read more about the violations found during the investigation here.
Recommendations of ECOVIS ProventusLaw
Regarding the results of an inspection by the State Data Protection Inspectorate, we kindly suggest companies to review the following processes:
1. Regarding the specific purposes of the processing of personal data, it is necessary to assess whether the processing of data is not too excessive. Special attention is paid to the companies processing the personal identity documents. According to the State Data Protection Inspectorate, if the company needs a part of the information contained in the personal identity document, only that part of the personal data may be lawfully processed and not a complete personal identity document.
3. When personal data is not obtained from data subjects, their processing shall be notified at the latest when the data subject was first contacted.
4. With automated decision making, including profiling, review whether information is provided on the rationale for such decision, as well as the implications and the intended consequences for the data subject of processing such data.
To this day, more than 91 fines of 404 million euros have already been imposed on GDPR violations in Europe. The financial sector suffered the most.
All the summaries and remarks made by the State Inspection are consistent with European practices. According to the published statistics regarding the fines for non-compliance with GDPR, GDPR Article 5 (data minimization principle) and 13-14 (information that has to be provided to the data subject) are among top 5 for which the most fines are imposed.