The Polish Ministry of Digital Affairs recently issued an EU General Data Protection Regulation guidebook addressed to financial technology companies. This is the third brochure published by the MDA’s Personal Data Protection Working Group this year, following one pertaining specifically to the health care sector and another one aimed generally toward entrepreneurs.
In a 20-odd page document in the form of a Q&A, the MDA experts tackle several personal data-processing issues occurring in the context of activities of businesses from the fintech sector. Arguably, the guidelines fall into the scope of interest of a much broader audience, as they regard many universal matters.
Granularity of consents in marketing activities
One opinion expressed by the MDA in the context of the Polish telecommunications and electronic services laws (both implementing EU directives) is that there is no need to acquire separate consents from a data subject for sending them unsolicited marketing emails and making direct marketing calls. According to the MDA, “the rule of not covering several purposes with one formula [of consent] should not be read as a requirement to separately ask for consent for any kind of activity that may be a means to achieve that [single] purpose.”
The cited opinion is correct as a rule of thumb, since the GDPR indeed does not require separate consents for a group of related processing activities that all aim to achieve the same purpose. In the context in which it was presented, however, some may argue that it may lead to an erroneous conclusion that sending unsolicited marketing emails and initiating marketing phone calls are the same purpose. The two means of communication differ significantly, both in the form of delivery of marketing content to the data subject and in the level of intrusion into the data subject’s privacy. The data subject may very well be willing to agree to receive emails that they can read at any given time but, at the same time, resent being “harassed” by phone calls at times chosen by another party. Suggesting that consent for both those purposes may be collected jointly may also, in some cases, be contrary to the rule of granularity and as such may jeopardize the attempt of a controller to collect a lawful consent for processing.
Processing special categories of data received without request
In the activities of the fintech sector, some doubts may arise in relation to situations when data subjects send the controller unsolicited information constituting special categories of personal data. According to the MDA guidelines, having received the information, for instance, in the course of correspondence with a client, the controller — not being able to separate it from other, necessary information — should simply refrain from using the information, secure it with appropriate technical and organizational means, not share it with anyone, and delete it as soon as possible. What is interesting is that the MDA argues that simply receiving such data, i.e., without actively seeking it, should not be treated as "processing" in the meaning of the GDPR, as it does not fall into the category of "collecting." The possible controversy here relates to a commonly accepted approach that simply storing personal data on the controller’s infrastructure, without actively acting upon it, falls within the scope of GDPR regulation, especially because that sole circumstance poses a potential threat to the data subject’s rights and freedoms, in particular, in the case of unauthorized access to the data.
It is even more clearly the case when dealing with special categories of personal data, which are potentially the most harmful to the data subject when disclosed to third parties. It is true that there are situations — like the example of a bank client transferring membership fees to a political party — when the controller comes into possession of a piece of sensitive data without a visible basis for processing it. Whereas such circumstances are indeed problematic, they should be approached with appropriate diligence and analyzed on a case-by-case basis, as there is no universal, clear-cut solution, like the interpretation proposed by the MDA.
Deleting data from backup copies
The MDA acknowledges the technical difficulties of complying with data subjects’ requests (in particular concerning deletion of data) insofar as they concern information stored in backups. As a consequence, the ministerial experts argue that the acceptable solution is to keep the personal data until either the bases for processing expire in relation to all personal data contained in the given backup, or the backup is no longer required. The brochure also includes a statement that creating and maintaining backups is merely a technical means to secure personal data, and as such it does not require a separate legal basis.
As to the first assertion, it brings about doubts regarding the rule of storage limitation, which seems disregarded in that respect, as the GDPR provides no explicit exceptions referring to backup copies of data. Referring to the second claim, the established practice is to indicate the process of maintaining backups as a separate item in the controller’s record of processing activities and to treat it like any other case of processing. It seems prudent and justified, particularly taking into account that stored backups may be — by themselves — a target of a cyberattack and their vulnerability poses an independent risk to the rights and liberties of data subjects.
Prevailing power of national legislation
The MDA states in the guidelines that national laws, such as banking law, telecommunications law and/or insurance law, have priority over general provisions of the GDPR, provided that they are not in contradiction with the GDPR.
What may concern a privacy professional reading the above opinion is not the acceptable conclusion that national legislation may include specific provisions regulating more in-depth particular situations of processing, including those typical for a specific sector of the market (which is expressly permitted by the GDPR), but the choice of words, which could be read as a suggestion of admissibility of passing national legislation which may prevail over the GDPR, as long as it is specific enough to exclude the more general provisions of the GDPR and "constitutes a higher level of personal data processing security." It is desirable to refrain from such, even remote, suggestions, as they might result in misinterpretation of applicable laws by the obliged entities and/or confusion as to the scope of applicable obligations. Responding to questions of entrepreneurs, like the ones included in the MDA guidelines, should require a particularly unambiguous explanation of applicable rules of legal primacy and an extremely careful choice of words.
To sum up, the Polish MDA conducts a praiseworthy activity of supporting Polish controllers and/or processors of personal data in interpreting and implementing GDPR requirements in their business activity. The idea visible throughout its publications is to facilitate business operations and assure a smooth transition from the old data protection laws to the reality of the GDPR. Nonetheless, the interpretations produced by this activity could raise new, interesting questions to be discussed by the obliged parties and the privacy professionals community.