Prompted by media reports of sale of personal data, the Commissioner for Information of Public Importance and Personal Data Processing initiated an inspection of compliance with the Law on Personal Data Protection. The inspection procedure is currently an after is completion the Commissioner will, as usual, inform the public about the outcome and the measures he intends to undertake. The inspection procedure will include the companies that are currently known to have been involved in this case, namely Мedis Pharmi and Care Direct, but may be subsequently expanded to include other entities as well.
Care Direct had reported a data file named "Records of Nursing Mothers" to the Commissioner's Central Registry in early 2011. According to the report, Care Direct had been processing such data since 2003, i.e. before the effective date of the Law on Personal Data Protection. However, the records stated that data were used on the basis of consent of data subjects and there were no other data recipients.
The Commissioner would like to underscore that, if a legal entity collects citizens' personal data, it must first inform citizens of all aspects of such processing of their data, including, of course, whether such data wold be made available to third parties as data recipients. Any acting contrary to this requirement constitutes unlawful data processing.
Accordingly, sale of personal data can be permitted only if the data subjects have previously explicitly consented to such processing in writing, in accordance with the provisions of the Law on Personal Data Protection. Otherwise, such processing is unlawful and constitutes a punishable offence.
In this context, not only in connection with this specific case, but on a more general level, the Commissioner would like to advise citizens it is of paramount importance that they pay attention to the different consent forms they sign on various occasions. There have been multiple instances of citizens nonchalantly putting their signatures on documents by which they formally consented to various forms of personal data processing without actually knowing what they were signing. Such indiscretion can have very unpleasant consequences and also precludes or significantly hampers any efforts to protect their rights in the event of data abuse.
