


Unlawful processing of data by a compensation law firm


published on 23 February 2023 | reading time approx. 6 minutes


The President of the Personal Data Protection Office (PDPO) imposed an administrative fine of over 45 thousand zloty on a compensation law firm, organised as a civil law partnership, for its partners' breach of Regulation 2016/679.

The main business of the compensation law firm was the provision of legal assistance to clients injured in traffic accidents by representing them before insurance companies, courts and other entities, in order to obtain compensation, damages or pensions for them, including reimbursement for medical treatment and rehabilitation costs.

After finding out that controllers might have breached data protection regulations, the President of the PDPO launched an inspection. 

On the basis of the evidence gathered in the case, it was established that the partners in the law firm, as controllers, violated personal data protection laws when processing personal data, namely Article 6(1) and Article 9(2) read together with Article 5(1)(a) and Article 9(1) of Regulation 2016/679, by processing, without a legal basis, the personal data of potential clients of the compensation law firm, including data concerning health, in particular without obtaining their prior consent to data processing.

Therefore, the President of the PDPO initiated ex officio administrative proceedings with regard to the identified irregularities in order to clarify the circumstances of the case.

The inspection revealed that consent to the processing of the personal data of potential clients was only given verbally during the initial telephone conversation or face-to-face conversation with the partners, representatives or employees of the law firm. If a potential client did not give consent to the processing of their data, the conversation with them was interrupted. 

Interestingly, measures aimed at collecting personal data and initiating contacts with potential clients were carried out based on press news, internet publications, including social media content, as well as information provided or distributed by charitable organisations, e.g. foundations. At the same time, the law firm’s partners did not present evidence confirming that the persons supported by those foundations had given them consent to collecting their personal data.

The partners also collected personal data during face-to-face conversations with e.g. data subjects’ neighbours. This allowed them to identify the residence addresses of potential clients so that the compensation law firm could then contact them directly and submit a service proposal. 

The President of the PDPO held that the data of potential clients could be processed in the way the partners did it only based on explicit consent to the processing of special categories of data (data concerning health), in line with Article 9(2)(a) of Regulation 2016/679.

The President of the PDPO concluded that processing of special categories of data was not necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (Article 9(2)(b) of Regulation 2016/679). 

Neither was the processing necessary to protect the vital interests of the data subject or of another natural person since the partners did not prove during the inspection that the data subjects, i.e. the potential clients of the compensation law firm, were physically or legally incapable of giving consent to processing (Article 9(2)(c) of Regulation 2016/679).

Moreover, it follows from the explanations provided by the law firm’s partners and employees that they needed to process the data of potential clients in order to perform contracts with data subjects or undertake certain actions requested by the potential clients before entering into contracts. 

However, according to the standpoint of the President of the PDPO, processing of data for the purpose of performing the contract cannot be regarded as legitimate if the contract with the potential client has not been concluded yet. In the case concerned, it cannot be maintained, either, that the partners acted at the request of potential clients as those persons could not have requested anything whatsoever at the stage of being contacted by the controllers. 

Thus, the controllers collected and processed data only to see if and how profitable it would be for them to conclude a contract with a potential client and to return to the potential clients to find out, based on the intention expressed by them, whether or not those persons wanted to conclude a contract with the controllers.

Furthermore, the controllers did not prove, either, that the personal data concerning the health of the potential clients, which they processed, were manifestly made public by the data subjects (Article 9(2)(e) of Regulation 2016/679) or that such processing was necessary for the establishment, exercise or defence of legal claims or whenever courts were acting in their judicial capacity (Article 9(2)(f) of Regulation 2016/679). Admittedly, the role of the compensation law firm was to establish, exercise and defend claims on behalf of its clients, but the nature of relations between the law firm and its potential clients did not authorise the law firm to process those persons’ health data without their explicit consent.

In addition, as indicated by the partners, the data of a potential client were stored either in electronic format, e.g. as email messages, or in hard copy until the law firm held a meeting with that person and he or she decided on hiring the partners and concluding a contract with the partners. 

If the potential client did not want to conclude a contract, his or her personal data were retained in the above formats for no longer than 5–7 days. This means that the partners collected and processed the data of potential clients before concluding a contract only to enable them to familiarise themselves with the proposals and decide on whether to hire the partners; the collection and processing of the above data was, therefore, not necessary to establish, exercise and defend claims of potential clients.

In such a case, it should be concluded that the legal basis for collecting and processing (including storing) the above data of potential clients is provided only by Article 6(1)(a) and Article 9(2)(a) of Regulation 2016/679 read together with Article 5(1)(a) of Regulation 2016/679. 

This means that the law firm’s partners, who collected data concerning the health of potential clients, should have obtained those persons’ explicit consent to the processing of their personal data. Since, as described above and as stated by the partners and their employees acting as witnesses during the inspection, the partners obtained, for the purpose of processing the data of potential clients, only verbal consent that was not recorded in any manner, e.g. as sound recordings, logs or lists of granted consents and the consenting persons, such a procedure should be regarded as in breach of the personal data protection laws.

Thus, the controllers collected and then processed, for several days, personal data, including data concerning the health of potential clients, without any legal basis and in breach of Article 6(1)(a) of Regulation 2016/679 and Article 9(1) read together with Article 9(2)(a) of Regulation 2016/679. Processing of data subject to special protection, including data concerning health, is generally forbidden, and the partners in the compensation law firm did not fulfil the conditions that allow derogation from that rule as they had not obtained explicit consent for the processing of such data. 

Having regard to the facts and circumstances of the case, the President of the PDPO decided that the controllers breached the personal data processing rules by processing the data of their potential clients without legal basis.

DATA PROTECTION BITES

author


Aneta Siwek

Attorney at Law

+48 32 721 23 94
