2015-04-03

In a very recent case, the Hungarian data protection authority (the “NAIH”) imposed the highest fine on one of the largest Hungarian eDM service providers. In the so-called “Optimus” case, the NAIH found several serious violations of data controlling rules by marketing data controllers. The decision offers lessons for all companies that use marketing data, whether they build their own marketing database by organising their own promotional games or buy a marketing database from an eDM service provider.

The complaint

The high-profile case started with a single complaint from a private individual. The person argued that he had received marketing material at his e-mail address although he had not given any consent to the use of the address for marketing purposes. The NAIH involved IT experts and carried out a serious and exhaustive investigation. It finally came to the conclusion that the data controller had bought the database from Optimus.

The construction of data lease agreements

Optimus built its database by organising promotional games on the internet. The individuals who registered consented to the marketing use of their data and to its commercial transfer to third parties. Optimus then signed data lease agreements with other companies and sold the commercial database after a specific selection of the data. Under these so-called data lease agreements, the companies could use Optimus's data but had to delete the database after use, and Optimus could then “rent” it to other companies again.

Findings of the NAIH

The NAIH found that the data lease agreements Optimus used were not in accordance with the Hungarian requirements. It suggested that a data lease agreement would have operated lawfully if Optimus had remained the sender of the data and the other companies (the lessees) had remained passive. Besides the unlawful operation of the data lease, the NAIH found several other serious violations of data controlling requirements, such as the absence of proper data protection policies, the lack of a list of technical data processors, the poor wording of the consent and, more seriously, the failure to notify the National Data Processing Registry and to notify it of subsequent amendments.

The proper building of a marketing database

In order to mitigate the risk of being fined by the authority, it is important to comply with all principles of the Privacy Act. Proper consent and an appropriate data processing and data security policy are a must, but they are not enough. Even with a carefully worded consent and a fully regulated policy, the owner of the database must register it at the National Data Processing Registry, keep the database clean and up to date, and delete an individual's data when that individual asks for it. It is also highly recommended that companies are well prepared for a potential dawn raid by the authority.

As with other authorities, it is highly recommended that data controllers prepare an action plan for a possible investigation and designate data protection officers who can react quickly and professionally to any inquiry, whether it is a request from a private individual or an inquiry from the authority. The Optimus case also shows that high-profile data controlling activities should be analysed and audited by a privacy lawyer.

For further information contact:

BWSP Gobert&Partners

1061 Budapest, Andrássy út 10.

Tel: +361-270-9900

Dr. Andrea Soós

Data protection IP/IT lawyer

andrea.soos@gfplegal.com

Dr. Arne Gobert

Managing Partner

arne.gobert@gfplegal.com
