Why is compliance with data protection regulations important?
A key aspect of data protection is the reduction of risks associated with non-compliance and security breaches. From a company’s perspective, data protection fosters trust among customers and employees, safeguards reputation, and maintains financial stability.
Failure to comply with relevant regulations can lead to legal sanctions and a loss of market trust. In today’s world, investing in data protection has become essential for business sustainability.
This article presents practical examples that companies may encounter in their daily operations.
Key definitions
The Personal Data Protection Act defines personal data as any information relating to a natural person whose identity is determined or determinable, directly or indirectly, especially based on an identity marker such as a name, identification number, location data, an identifier in electronic communication networks, or one or more characteristics of their physical, physiological, genetic, mental, economic, cultural, or social identity.
The processing of personal data is defined as any action or set of actions performed, whether automated or non-automated, on personal data or data sets. These actions include, for example, collection, recording, classification, grouping, structuring, storage, adaptation or alteration, disclosure, access, use, transmission, duplication, dissemination, or otherwise making data available, as well as comparison, restriction, deletion, or destruction.
As you can see, the definitions are extensive. This is precisely why understanding real-world examples helps in comprehending the legal regulations governing data protection, whether it is the domestic Personal Data Protection Act or the GDPR.
Furthermore, a data controller is defined as a natural or legal person, or a public authority, that alone or jointly with others determines the purpose and means of processing personal data.
Personal data must be processed lawfully, fairly, and transparently in relation to the individual concerned. Data processing must be necessary and limited to the purpose of processing, in line with the principle of data minimization.
Among the fundamental provisions, Article 12 of the Personal Data Protection Act specifies the conditions under which data processing is lawful. Processing is considered lawful if at least one of the six prescribed conditions is met.
Video surveillance and personal data protection
The Commissioner for Personal Data Protection determined in one case that a data controller violated legal provisions while securing premises through video surveillance. The violation occurred because the surveillance cameras allowed real-time access to third parties via an application. This example is cited in Publication No. 9 – Personal Data Protection: Opinions and Views of the Commissioner, No. 072-04-2514/2023-07.
In this case, the Commissioner issued a warning to the data controller, referencing provisions of the Personal Data Protection Act related to the principles of lawfulness, fairness, transparency, and data minimization. Additionally, Article 31 of the Private Security Act was cited, which stipulates that technical means used in private security must not infringe on others’ privacy.
If an objective can be achieved through less intrusive methods than continuous employee monitoring via video surveillance, then those less invasive methods should be used. Data must be collected for specific, explicit, justified, and lawful purposes. The principle of data minimization dictates that collected data should be adequate, relevant, and limited to what is necessary for processing.
In practice, the Commissioner determined that timely response by medical staff to emergency calls and dispatcher requests can be achieved through less intrusive methods than continuous monitoring of employees’ actions and behavior via video surveillance (Publication No. 6 – Personal Data Protection: Opinions and Views of the Commissioner, No. 072-04-1409/2020-07, dated 31.8.2020).
European case law
In case No. 0603-47/2023/5, the Slovenian Commissioner for Personal Data Protection ruled on 24.10.2023 that the scope of workplace video surveillance by a data controller was excessive and could not be justified by legitimate interest.
In case Deliberation No. 47FR/2021, dated 01.12.2021, the Luxembourg Data Protection Commissioner fined a transport company €6,800 for violating the data minimization principle. The company failed to limit the field of view of its video surveillance system and did not adequately inform employees and third parties about the system’s presence.
In case No. 2.1.-4/22/2585, dated 06.12.2022, the Estonian Commissioner for Personal Data Protection ruled that CCTV surveillance of employees cannot be based on consent but only on legitimate interest under Article 6(1)(f) of the GDPR, provided that a valid interest assessment is conducted.
Is it justified to collect biometric data for employee attendance tracking?
Article 17(1) of the Personal Data Protection Act prohibits the processing of data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the unique identification of an individual, health data, or data concerning a person’s sex life or sexual orientation.
However, the processing of such data is exceptionally allowed in cases prescribed by law and when the individual concerned has given consent for one or more specific purposes of processing (except in cases where processing is legally required to be conducted without consent).
According to Publication No. 6 – Personal Data Protection: Opinions and Views of the Commissioner, No. 073-14-1929/2019-02, dated 05.11.2019, when it comes to using biometric data for monitoring employees’ compliance with work obligations, consent cannot be considered a voluntary declaration of will under the law due to the clear imbalance of power between employer and employee. Therefore, consent would not be a lawful legal basis for data processing in this context.
The Personal Data Protection Act defines consent as a voluntary, specific, informed, and unambiguous expression of will by an individual, given through a statement or a clear affirmative action, allowing the processing of their personal data.
However, there is a major “but”—a declaration of consent given without the possibility of modification or withdrawal cannot be considered valid consent.
Audit and data protection
The first issue we encountered in practice relates to statutory audits and the question of whether the audited entity, as the data controller, and the auditing firm, as the data processor, should enter into a data processing agreement, or whether the auditing firm instead acts as a third party when conducting the audit.
To clarify definitions—a controller is defined as a person who, alone or jointly with others, determines the purpose and manner of processing personal data, while a processor is a person who processes personal data on behalf of the controller. Whether an entity is classified as a controller or a processor is determined on a case-by-case basis, depending on the specific circumstances.
According to the Commissioner’s opinion (Publication No. 8 – Personal Data Protection: Opinions, Views, and Practice of the Commissioner, No. 073-14-233/2022-02), a company performing a statutory audit of financial statements and processing personal data necessary for fulfilling legal obligations acts as a controller in accordance with Article 12(1)(3) of the Personal Data Protection Act. The Commissioner further noted that an auditing firm may, in some cases, be considered a joint controller or processor for other services it provides, but in the context of statutory audits, it is considered a controller.
The role of each participant in data processing must always be determined based on the specific circumstances of the case. This is particularly relevant when assessing whether companies providing audit and accounting services act as controllers or processors in their relationships with clients and whether they are required to conduct a data protection impact assessment when processing special categories of personal data.
For statutory audits, the answer has already been given above. For other audit and accounting services, the Commissioner has likewise taken a clear stance (Publication No. 6 – Personal Data Protection: Opinions and Views of the Commissioner, No. 073-14-2406/2019-02), stating that if an audit and accounting firm operates independently in providing the services for which it has been engaged and determines the purpose or manner of processing (or if these are defined by law), then the firm should be considered a controller.
On the other hand, if the audit and accounting firm follows the client’s instructions and processes data while providing services in accordance with a contract, thereby fulfilling its contractual or legal obligation, it is considered a processor for that specific processing activity.
Once again, the classification of roles must be determined individually for each case. If there is any doubt about the correct classification, it is always advisable to consult a law firm specializing in personal data protection.
European case law
The Spanish Data Protection Authority fined an audit firm €3,000 for a security incident. The Commissioner found a violation of Article 5(1)(f) because personal data had been leaked without the data subject’s consent. Additionally, the Commissioner found a violation of Article 32(1) because the audit firm lacked appropriate technical and organizational measures to ensure adequate protection in such situations (Case No. PS/00483/2020).
When should a Data Protection Impact Assessment be conducted?
Article 54 of the Personal Data Protection Act states that if a type of processing—particularly one involving new technologies—is likely to pose a high risk to the rights and freedoms of individuals, the controller must conduct a Data Protection Impact Assessment before initiating the processing activities.
Furthermore, when carrying out a Data Protection Impact Assessment, the controller must seek the opinion of the Data Protection Officer (DPO), if one has been appointed.
The law specifies cases in which an Assessment is mandatory. These include:
- Systematic and extensive evaluation of personal aspects of an individual using automated processing (including profiling), where decisions are made that significantly affect the individual’s legal position or otherwise impact them in a similar manner.
- Systematic monitoring of publicly accessible areas on a large scale.
- Processing of special categories of personal data as defined in Article 17(1) (e.g., racial or ethnic origin, political opinions, genetic data, etc.), Article 18(1), and personal data related to criminal convictions and offenses under Article 19, provided that the processing is carried out on a large scale.
If a Data Protection Impact Assessment conducted under Article 54 indicates a high risk that cannot be mitigated through additional measures, the controller must, under Article 55, seek the Commissioner’s opinion before starting the processing activities. This requirement does not apply to processing carried out by competent authorities for specific purposes.
When must a legal entity with fewer than 250 employees maintain a record of processing activities?
Article 47 of the Personal Data Protection Act establishes the obligation to maintain records of processing activities. However, it states that this requirement does not apply to businesses and organizations with fewer than 250 employees, unless the processing is likely to pose a high risk to the rights and freedoms of individuals and the processing is not occasional.
Publication No. 6 – Personal Data Protection: Opinions and Views of the Commissioner, No. 073-14-1788/2019-02, clarifies that the number of employees is not the only criterion. Even if a business has fewer than 250 employees, it must maintain processing records if it carries out regular personal data processing activities.
Regardless of whether this obligation applies in a given case, maintaining records of processing activities is a valuable tool that allows controllers and processors to demonstrate compliance with legal requirements.
Transfer of business operations and data protection
What happens when an entire business operation is transferred from one legal entity, which processes a large amount of personal data as a controller, to another legal entity? Specifically, does this raise questions about the validity of previously given consent for data processing? Should consent be obtained again, or is it sufficient to transparently notify individuals about the change in the controller?
According to the Commissioner’s opinion (Publication No. 7 – Personal Data Protection: Opinions and Views of the Commissioner for Information of Public Importance and Personal Data Protection, No. 073-14-2509/2021-02), every controller must ensure a valid legal basis for processing personal data. This means that consent cannot be transferred or assigned to another controller. Before initiating any processing activity (including the transfer or any other form of making personal data available), an appropriate legal basis must be established.
When assessing whether consent was specifically given for data processing, it is important to consider whether the execution of a contract, including the provision of services, was conditioned upon giving consent that was not necessary for the contract’s execution.
If personal data is transferred to other countries or international organizations, the conditions outlined in Articles 63 to 72 of the Personal Data Protection Act must also be met.
The answer to this question is not straightforward and depends on the specific circumstances of each individual case.
From European practice
In case no. 9860553, the Italian Data Protection Commissioner fined AssitecaSpa, an insurance company, €120,000 on December 15, 2022, for unlawful data processing due to lack of consent and prolonged data retention. The violations stemmed from issues related to IT system integration following a company merger and business transfer.
When issuing this decision, the Italian Commissioner identified four key issues:
- Post-merger data retention – AssitecaSpa retained data from nearly 9,700 users of the previous company without their knowledge, exposing them to potential unauthorized processing for promotional purposes, even without proper consent. The Commissioner found that system errors led to incorrect implementation of users’ preferences, as consent was unintentionally registered after users accessed promotional emails for car insurance offers. The company argued that this was due to technical issues.
- Lack of clear and transparent information – The information provided to users was unclear, especially regarding third-party transfers and profiling. The company later updated its privacy notice to offer a clearer explanation of processing activities and legal bases.
- Failure to define data retention periods – The company did not have pre-defined retention periods for specific purposes, violating Article 5(1)(e) of the GDPR.
- Inadequate technical measures – Although the Commissioner noted the absence of sufficient technical measures, no fine was issued in this regard due to the recent integration of two corporate systems and the company’s efforts to remediate the situation.
Note: This text does not constitute legal advice but represents the personal opinion of the author.