Personal data cannot be processed without a legal basis

The Personal Data Protection Office has imposed an administrative fine of more than PLN 45 000 for infringing the provisions of the GDPR by partners in the civil partnership Kancelaria PIONIER. The Polish SA at the same time ordered to bring processing operations into compliance with GDPR provisions by ceasing to process the personal data of potential clients without a legal basis.

The Polish SA received information indicating that controllers may have infringed data protection provisions. The SA in the first instance undertook verification activities with regard to the controllers, however, due to the lack of sufficient cooperation with the supervisory authority in clarifying the circumstances of the case, the SA found it necessary to conduct an inspection. The scope of the inspection covered the processing by the controllers of personal data of clients and potential clients.

On the basis of the evidence gathered in the case, in the opinion of the Polish SA, the partners in the civil partnership, as controllers, infringed the provisions on personal data protection by processing without a legal basis the personal data of their potential customers , including data concerning their health status, in particular without having their consent to the processing of personal data.

The Polish SA initiated ex officio administrative proceedings in respect of the identified infringements.

How was the data obtained?

It should be emphasised that the activity carried out by the partners consists in providing legal assistance in representing clients injured mainly in traffic accidents before insurance companies, before courts, as well as other entities, in order to obtain compensation, damages and pensions in their favour, as well as reimbursement of medical treatment and rehabilitation costs. The activity of the partners also consists in mediating between clients and medical institutions in acquiring medical services.

The partners obtained personal data and contacted potential customers on the basis of press releases, online publications, including content available on social media, as well as information provided or disseminated by charitable organisations. The partners also obtained data on the basis of direct conversations with, for example, neighbours of the data subjects. In this way, the information obtained allowed the identification of an address of residence and eventually directly contact potential clients and make them an offer to provide services.

During the initial conversation with the potential client, the representative of partners would ask the client to give an oral consent to the obtaining and processing of his or her personal data until possible conclusion of a service contract. If the potential customer gave an oral consent to the processing of his or her data, the conversation continued and other, more precise personal data were obtained, including: name, telephone number. If customer refused to give consent, the conversation was terminated.

Data processing without a legal basis

In the opinion of the Polish SA, the processing of personal data of potential customers, as done by the partners, may take place on the basis that can be demonstrated to the supervisory authority, including their explicit consent to the processing of sensitive data, in this particular case data on health status.

As it was established in the course of the inspection, in the case of potential clients, i.e. persons to whom the  partners is only making an offer, the above consent is obtained only orally, and the obtaining of consents was not recorded in a manner which could constitute evidence for the supervisory authority of their granting (e.g. register of consents).

In addition, it appears from the explanations of the partners as the controller and their employees that they process the data of potential customers because it is necessary for them to perform a contract to which the data subject is a party or to act on the request of potential customers before concluding contracts with them.

In the SA’a view, the premise legalizing the processing of data on the grounds of necessity for the performance of the contract cannot be recognised because the contract is not yet concluded with the potential customer at all. In the case in question, it is also not possible to speak of the partners taking action at the request of potential clients, since at the stage of their contact as a controller with potential clients, there is no mention of "requests" of these persons at all. Thus, the data are only obtained and processed by the controllers for the their own purpose of determining profitability of concluding a contract with a potential customer and for the purpose of contacting him or her again and expressing his/her will whether he or she wants to conclude a contract with the controllers at all or not.

Taking into account all the circumstances of the case, the Polish SA found an infringement of the principles of personal data processing by processing the data of potential customers of the civil partnership without a legal basis.

Full text of the decision in national language