NAIH, Hungary’s Authority for Data Protection and Freedom of Information, issued guidance on the data protection risks and possible solutions of indirect data collection. (The guidance is available in Hungarian only.) As a result of NAIH’s findings, companies that collect the data of third-party individuals (customers, contact persons) without their consent should review their privacy notices.
In its guidance, NAIH examined two scenarios:
In the first scenario, the user enters into an online travel agreement and provides the data of third-party passengers for this purpose, but the travel service provider does not obtain express consent from the third parties to process their personal data. NAIH stated that because the Civil Code also allows people to make legal statements through a representative, the travel company may assume – based on the circumstances of the case – that the actual contracting user has due authorisation from the third parties to provide their personal data. However, if there is any doubt in the process, the company must assume that the relevant third party did not authorise the data provision. NAIH also emphasised that if the underlying contract is not concluded, the third parties’ personal data must be deleted. Unfortunately, NAIH does not address situations in which the company may store the data due to a legitimate interest, e.g. if it is reasonable to store the data for a while where it appears that there may be subsequent claims from the third party due to the cancellation of the contract. NAIH suggests that companies should inform their users of the above assumption in their privacy notices, together with the possible consequences and liability issues. Companies are also advised to develop their systems so that they can track who gave the data and how the company obtained it.
In the second scenario, NAIH analysed whether, in the process of entering a contract, the personal data of a contact person for a legal entity can be processed lawfully if the person did not expressly consent to the data processing. In such a case, the other contracting party can only assume that the contact person approved the legal entity’s disclosure of his/her data in the contracting process. NAIH agreed that companies usually provide the data of their individual contacts in the contracting process, and that whether the contact person’s data was provided lawfully depends on his/her legal relationship with the company (e.g. employment, membership, contract). Unfortunately, NAIH does not provide further details on the assessment of such a relationship from a data protection perspective. However, NAIH confirmed that the contact person has the right to object to the processing of his/her data and also to request its deletion if it turns out that the company provided the data unlawfully.