Rejsekort A/S (a Danish company providing a unified electronic ticketing system and travel pass for passengers travelling by bus, train and metro, thereby making it simpler for passengers to use public transport services in Denmark) has on several occasions experienced that passengers’ trips were incorrectly registered on their travel passes when ‘checking in’ or ‘checking out’ in the ticketing system, for example because bus drivers had set the route incorrectly. Human errors may of course occur; however, under the GDPR principle of “accuracy”, the company must in such cases rectify the incorrect registrations on the travel passes, which according to Rejsekort A/S only happened if passengers approached Rejsekort A/S themselves.
The rectification provided by Rejsekort A/S in the ticketing system consisted of adding supplementary information about the passengers’ actual trip, not of an actual rectification, which would have required replacing the incorrect ‘check-ins’ and ‘check-outs’ with the correct ones. Rejsekort A/S explained that the system is technically unable to rectify the information in that way. For this reason the Danish DPA decided that Rejsekort A/S did not comply with passengers’ “right to rectification”.
In addition, the DPA found that the way in which Rejsekort A/S processed data about passengers’ location did not in general comply with the GDPR principles of “lawfulness, fairness and transparency” and “data minimisation”.
Hence, the DPA also ordered Rejsekort A/S to produce a statement on how and when the IT support for passengers’ travel passes will be brought into line with the GDPR.
The decision helps clarify the interpretation of Article 16 of the GDPR, “Right to rectification”. According to the provision, the data subject shall have the right to “obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.” According to the DPA, a supplementary statement does not satisfy the data controller’s obligation to “rectify” personal data.
In January, several photos of the home of Prince Harry and Meghan, Duchess of Sussex, were disclosed, including photos of their living room and bedroom. Splash News had taken the photos from a helicopter flown quite close to the house, which according to the royal couple’s attorney had been rented because of its “high level of privacy”. Since the incident, neither Prince Harry nor the Duchess have felt safe in their home.
That the British royal family is surrounded by paparazzi is nothing new; what was new was that they sued the agency, claiming that the processing of their personal data, i.e. the photos, constituted unlawful data processing under the GDPR. Whether this was and is in fact the case remains unanswered, since the parties agreed to a settlement: Splash News paid substantial compensation to the royal family and issued an apology in which it declared that such an incident would not be repeated and admitted having violated, among other things, the GDPR.
Although the case did not end up in court, it should be expected that investigations will be made as to whether there were any legitimate grounds for taking and disclosing the photos, and whether the photos were taken and disclosed in accordance with the GDPR principle of “lawfulness, fairness and transparency”.
The case shows what the GDPR is fundamentally about: an implementation of Article 8 of the Charter of Fundamental Rights of the European Union, which states that “Everyone has the right to the protection of personal data concerning him or her”. To what extent there were any legitimate grounds for processing personal data in this case remains unresolved.
A Lithuanian e-bank, MisterTango, has been fined, first for not having processed personal data in compliance with the GDPR principles, secondly for not having implemented sufficient organisational and technical measures, and thirdly for not having notified the Lithuanian supervisory authority of a breach during the summer of 2018.
As to the first issue, in connection with money transfers MisterTango stored not only account numbers, currencies and the other data necessary to carry out the transaction, but also irrelevant data such as the name of the person’s pension fund. Furthermore, the e-bank stored all data for 216 days despite a policy stating that it was only necessary to store the data for 10 minutes. The case thus resembles the case from March 2019 concerning the Danish taxi company Taxa 4x35, since MisterTango, too, did not comply with the fundamental GDPR principles of data minimisation and storage limitation.
Regarding the other two issues, a list of transactions was by mistake made publicly available on the company’s website for more than two days, constituting a breach of the GDPR which should, as a rule, have been notified to the supervisory authority. MisterTango failed to do so. When the breach was investigated, it was found that the entire IT infrastructure, including functions that should be kept separate, such as maintenance on the one hand and control on the other, was managed by one and the same employee. Hence, it was found that the organisational and technical measures were inadequate to ensure the requirement of “secure processing” and the principle of “integrity and confidentiality”.
The decision demonstrates the importance of not only declaring, through policies or similar, how personal data are and should be processed, but also ensuring that those policies are followed in practice.