State-owned company under investigation for GDPR violation

25.01.2019.

The state-owned company found itself under investigation because it appears to have used personal data inappropriately in its loyalty program.

Do you want a selfie stick? How about an umbrella? Perhaps a speaker? No problem - join HP's loyalty program and collect points. When you have enough, just redeem rewards from HP's "shop window" and go home happy.

Joining the program is free in the sense that you do not have to pay money for it, but there is something you have to give the HP: private, personal information. Over the collection and processing of that information, the HP will soon be visited by the Personal Data Protection Agency (AZOP), which has decided that the State-owned company's gathering of personal data is excessive.

Controversial terms of access

To be more specific, in order for clients to join the "My Post" loyalty program, they have to fill out an access form at a post office, where they have to provide personal information.

Name, last name, date of birth and contact information (e-mail and telephone number) are usually required, but the HP also requires information on the number of household members and their ages, as well as the employment status (clients can choose one of four options - employed, retired, student and other), sex and professional qualifications of potential program members.

The form does not explain how or why this information is important for the program, but a skeptical reader contacted JUTARNJI LIST and expressed suspicion that the HP is not acting in line with the General Data Protection Regulation (GDPR).

The AZOP confirmed this and noted that the GDPR requires gathering of data to be appropriate, relevant and limited to what is necessary for the purposes for which the data is processed.

- In the case of HP's gathering of data for the loyalty program, gathering the basic personal data of clients such as identification and contact information, like name and last name, address, year and perhaps date of birth, e-mail and telephone number. Considering the stated purpose of gathering of personal information, we believe that information on number of household members, sex, employment status and professional qualifications is excessive - explained the AZOP and pointed out that it will investigate processing of personal information in line with relevant regulations with the aim of determining whether it is in line with the GDPR.

The HP claims that the AZOP still has not contacted it, adding that membership in the loyalty program is not mandatory.

In addition, the State-owned company stressed that access forms distinguish between required and optional data.

- Required data includes name, last name, personal identification number (OIB), date of birth and address. Other data is not required and clients do not have to fill in those fields. Like many other companies, we use the data gathered through the loyalty program to provide the best experience for our clients and provide them with special offers in line with their interests. We would like to stress that clients are required in the application form to state whether they want to receive such specially created offers. Besides consenting to receive special offers, clients can choose the channel of communication through which offers will be sent. So clients have to consent to joining the program and receiving special offers - claims the HP.

No changes

However, the application form that JUTARNJI LIST journalists got from a post office last week contains only one type of field - required data - which includes information on professional qualifications, employment status, number of household members, sex and more.

The AZOP concluded the same and should soon contact the HP in an official capacity.