This year, two GDPR fines made the news, no doubt because of the significant size of the data protection fines involved. In one case, a beauty salon was fined HUF 30 million, and in the other a retail chain was fined HUF 90 million. In this article we briefly present one of these cases.
The case against the beauty salon was initiated after a complaint stating that the company operated cameras in all rooms (office, operator rooms, corridor, reception), which were also recording sound. Although it had informed guests about the video recording, it had not done so about the audio recording, nor about the real purpose of the surveillance. According to the complaints, the purpose of the audio recording was to check on the staff responsible for the treatments and to gather information about the customers, in order to sell them more treatments and facial products based on the gathered information. The notifications received by the National Authority for Data Protection and Freedom of Information (hereinafter: “Authority”) also indicated that the company pursued a referral practice whereby it asked its guests to provide the names and contact details of their acquaintances and then used this data to offer free treatment to the persons so contacted.
The beauty salon operated a camera system of 32 cameras in total, but did not have a privacy policy for the cameras that recorded its employees and guests. The general manager, the financial manager, the HR manager, the warehouse manager and the sales manager had official access to the recordings, but since the password was stuck onto the monitor, practically anyone could access them.
When a data controller carries out monitoring for more than one purpose, the principles of purpose limitation and transparent processing require that the purposes of the monitoring be documented in detail and accurately for each camera in use, per purpose, before the monitoring starts. The company had not clearly defined the purpose of the camera data processing and had not explained in detail the purpose of the surveillance in each room, which cameras were used, and for which data processing purposes. The purposes indicated to the data subjects in the consultation forms and the purposes described in the information provided on the company’s website were inconsistent with each other, thereby seriously undermining the principle of transparent data processing.
The Authority found that the company’s employees were continuously monitored by the camera system in all premises during their work and also during their rest periods. In the case of surveillance for the purpose of property protection, the employer must demonstrate that there are factual circumstances which justify the installation of each individual camera and that the objective to be achieved cannot be achieved by other means. In addition, the employer must take particular care to ensure that the camera’s angle of view is essentially directed at the property to be protected and that the camera does not become a means of monitoring the employees’ work. In the Authority’s view, in the case of the storage room, protection of company assets may be a legitimate purpose for the processing of data, and the cameras in the corridors and at the back entrance door may also be considered an adequate security tool. However, the Authority did not recognise asset protection as a legitimate purpose in the case of the offices, operator rooms, control rooms and the training room used by employees for meals, as the company did not demonstrate what assets were located in these premises and did not provide any justification for the asset protection purpose.
As the camera system also recorded the guests, the Authority also checked whether they were properly informed. During the on-site inspection, the Authority found that there was no notice displayed on the premises of the beauty salon stating that the premises were being monitored by cameras. A one-sentence notice on camera surveillance was provided to customers on the consultation leaflets, which stated that “the (…) Beauty Centre continuously records camera footage throughout the salon (excluding toilets and changing rooms)”, but the Authority concluded that this did not meet the criteria for proper information. Above all, the information on camera recordings did not include the essential fact that the camera system records both sound and images. Audio recording is a separate data processing operation from image recording; the company should have justified its lawfulness and the legitimate interest behind it separately during the procedure. Audio recording results in a more serious invasion of privacy, as neither guests nor employees can reasonably expect that their voices will be recorded, in particular the private information they share in conversation during treatment.
The Authority also examined the fairness of the data processing carried out by the camera system. It found that the camera system was capable of monitoring workers and their activities on a permanent basis. In its decision, the Authority found that the company had breached the principle of fair processing by continuously monitoring employees in order to influence their work and by continuously recording images and sound of guests in intimate situations in the treatment rooms.
The decision also pointed out that the company did not guarantee the confidentiality of the data processing and did not take other measures to protect personal data, so that the live camera images and the stored recordings could easily be accessed without any purpose.
The beauty salon’s customer referral system was also examined. Under this system, customers who were satisfied with the service could give the company the contact details of their acquaintances for a first contact, but this typically happened without the knowledge or consent of the person being referred. The data controller cannot be exempted from its responsibility for the data of the referred persons, so in the absence of the data subjects’ consent the salon was unable to justify the legal basis for the processing, as the statement of the referring person was not sufficient.
According to the company’s privacy policy, the company processes certain personal data for the performance of the contract and uses name and telephone number data for additional purposes, such as organising consultation appointments and providing information on marketing and personalised offers. However, the company indicated as the legal basis for the processing that the personal data were processed in connection with the establishment, maintenance and termination of the contract between the guests and the company. In such a case, once the contract is terminated in its entirety, the processing of the data is no longer necessary for the performance of that contract and the controller must delete the data, unless there is a legal obligation to store it. In that case, the data subjects must be informed of the period for which the data will be kept for these purposes.
The investigation found that there were thousands of entries in the company’s guest database that could not be linked to guests who had a contractual relationship with the company, and the company could not verify for every guest whether the personal data processed on the basis of a contractual legal basis could be linked to a specific valid contract.
The beauty salon’s data processing for marketing purposes was also examined. In its leaflet, the company states that it processes personal data for the purposes of “commercial solicitation” and “communication of personalised offers”, but this information does not meet the transparency requirement, as it is too general and it is not clear what the nature of the processing is or whether it is adequate for the purpose of the processing. As to the legal basis, the company first stated that it processed guest data for marketing purposes on the basis of the consent given in the consultation form, then stated that it did so on the basis of the company’s legitimate interest, and then stated that it did not use guest data for such purposes at all. Finally, it stated that data processing for marketing purposes only took place in relation to models and employees, in the form of video recordings published on social media, based on paper consent forms from the individuals in the recordings, which were stored in a lockable cabinet with a key. However, during the investigation the Authority did not find any part of the consultation forms containing consent to direct marketing enquiries.
The company also recorded and stored data concerning the health of the data subjects on the consultation forms. It argued that the processing of this special category of data was necessary to ensure that pre-booked appointments were not lost. The processing of health data is only possible in compliance with the stricter rules of the GDPR. For example, ordinary consent of the data subject is not sufficient; “explicit” consent is required.
Consent is “explicit” if the data subject confirms his or her consent in some way, or is undoubtedly aware that the processing will relate to his or her special category data and consents to the processing of such data. Explicit consent is also required where the data subject orders from the controller a specific product tailored to his or her particular health condition, and where the performance of the contract is impossible without the processing of such special data.
The Authority did not accept as evidence of the guests’ explicit consent the company’s statement that the data subjects had consented to the processing of their sensitive data by signing the consultation form, as there was no part of the consultation forms in which the guests could have explicitly consented to the processing of their sensitive personal data. In addition, the company did not demonstrate in its replies that the processing of certain health data was indispensable for the performance of the services it provided, or that it was not otherwise possible to postpone the treatment dates; the processing was therefore unlawful.
The case described above is a good example of the importance of knowing and complying with data protection rules in day-to-day operations. The fine of HUF 30 million imposed on the beauty salon company for breaching privacy is not only high in itself, but it amounted to almost 14% of the company’s total turnover in the previous year.
The second point that the case highlights is that in proceedings before the Authority concerning compliance with the GDPR, it is essential to engage an expert lawyer who is well versed in the field, who can provide the Authority with the right answers to its questions and can help avoid procedural fines, which in this case also amounted to a quite significant HUF 600,000.