Croatia: AZOP issues orders to company for lack of legal basis in conducting telephone surveys
The Personal Data Protection Agency ('AZOP') published, on 21 January 2022, its decision, as issued on 8 April 2020, in which it issued compliance orders to an unnamed company for violations of Articles 5(1)(a), 5(1)(f), 6, 14, and 17 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint regarding the same.
Background to the decision
In particular, the AZOP stated that it had carried out an investigation after receiving a complaint from an individual who had received telephone calls from the company to participate in a survey, despite their telephone number not being published in any telephone directory. Furthermore, the AZOP noted that, in the company's response, it had claimed that the legal basis for processing the complainant's personal data had been the legitimate interest of the company, and that, if the complainant had agreed to conduct the survey, then further processing would be based on consent. In addition, the AZOP outlined that the company had noted that the complainant's number had been collected from a phone book rather than from a third party and that the survey should not be considered to promote or sell products or services. Finally, according to the AZOP, the company had highlighted that it had been checking the Do Not Call ('DNC') Registry, but in this particular case, human error had occurred.
Findings of the AZOP
Based on the established facts, the AZOP determined that the company did not have a legal basis for processing the complainant's number and that the basis of legitimate interest required the company to conduct a balancing test. Additionally, the AZOP suggested that the company's legitimate interests had been negated by the fact that the complainant's number had been entered into the DNC Registry. Moreover, the AZOP added that the company had failed to prove that the complainant's number had been in a telephone directory and had failed to put in place appropriate safeguards to prevent human errors while checking the DNC Registry. Finally, the AZOP highlighted that the company had failed to adequately inform the complainant about the processing of their personal data.
In light of the above, the AZOP confirmed that the company had violated Articles 5(1)(a), 5(1)(f), 6, 14, and 17 of the GDPR, ordering the company to:
- cease any further processing of any personal data belonging to the complainant or any other persons whose personal data it possesses without a legal basis and a lawful purpose; and
- delete the complainant's number from their storage system, pursuant to Article 17 of the GDPR.