Interest Balancing Test Assessment on the processing of the copies of data subjects driving licences for the MOL Limo service

Similar documents
Biometric Data, Deidentification. E. Kindt Cost1206 Training school 2017

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition

IAB Europe Guidance THE DEFINITION OF PERSONAL DATA. IAB Europe GDPR Implementation Working Group WHITE PAPER

The EU's new data protection regime Key implications for marketers and adtech service providers Nick Johnson and Stephen Groom 11 February 2016

Wireless Sensor Networks and Privacy

GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

2

Robert Bond Partner, Commercial/IP/IT

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Ocean Energy Europe Privacy Policy

Privacy Policy SOP-031

End-to-End Privacy Accountability

Continuing Healthcare Patient Choice and Resource Allocation Policy

DATA PROTECTION POLICY

NHS CONTINUING HEALTH CARE:

Official Journal of the European Union L 21/15 COMMISSION

Patient Choice and Resource Allocation Policy. NHS South Warwickshire Clinical Commissioning Group (the CCG)

Herefordshire CCG Patient Choice and Resource Allocation Policy

Personal Research Data. 25 Sept 2018 Solveig Fossum-Raunehaug (Research Support Office)

Photography and Videos at School Policy

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

(Non-legislative acts) DECISIONS

Personal Data Protection Competency Framework for School Students. Intended to help Educators

Ministry of Justice: Call for Evidence on EU Data Protection Proposals

GDPR Implications for ediscovery from a legal and technical point of view

2018 / Photography & Video Bell Lane Primary School & Children s Centre

European Charter for Access to Research Infrastructures - DRAFT

EU-GDPR The General Data Protection Regulation

ARTICLE 29 Data Protection Working Party

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy

510 Data Responsibility Policy

D2. Results of the feasibility analysis

clarification to bring legal certainty to these issues have been voiced in various position papers and statements.

IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE SOFTWARE: THIS LICENCE AGREEMENT (LICENCE) IS A LEGAL AGREEMENT BETWEEN

Lexis PSL Competition Practice Note

Interaction btw. the GDPR and Clinical Trials Regulation

Spectrum Licence Wireless Cable Service (500 & 600 MHz Band)

EE Limited - Public Wireless Network Licence Company Registration no First Issued: 26/03/93 - Licence Number: Rev: 20-10/01/17

European Union General Data Protection Regulation Effects on Research

ICC POSITION ON LEGITIMATE INTERESTS

Assemblies according to the Pressure Equipment Directive - a consideration provided by the PED-AdCo Group 1 -

LAW ON TECHNOLOGY TRANSFER 1998

1. The Office of Communications (Ofcom) grants this wireless telegraphy licence ( the Licence ) to

TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS.

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

QUALITY CHARTER FOR THE RESEARCHER S MOBILITY PORTAL

ENTSO-E Draft Network Code on High Voltage Direct Current Connections and DCconnected

Draft Policy and Procedures Ngāti Whanaunga Member Registration & Voting Eligibility

Incentive Guidelines. Aid for Research and Development Projects (Tax Credit)

Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines

GEOGRAPHICAL AREA: The Italian territory, the territories of the European Union and all non-eu countries.

UNOFFICIAL TRANSLATION

MUSEUM SERVICE ACT I. BASIC PROVISIONS

Children s rights in the digital environment: Challenges, tensions and opportunities

Details of the Proposal

LAW ON RECORDS OF BIRTHS, DEATHS AND MARRIAGES

Position Paper.

This Licence document replaces the version of the Licence issued by the Office of Communications (Ofcom) on 23 March 2015 to EE Limited.

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

GENERAL DESCRIPTION OF THE CMC SERVICES

National Standard of the People s Republic of China

Type Approval JANUARY The electronic pdf version of this document found through is the officially binding version

This Licence replaces the licence issued by Ofcom on 22 April 2013 to British Telecommunications PLC.

SATELLITE NETWORK NOTIFICATION AND COORDINATION REGULATIONS 2007 BR 94/2007

EUROPASS DIPLOMA SUPPLEMENT

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

This Licence replaces the licence issued by Ofcom on 25 April 2006 to Manx Telecom Limited.

EXPLANATORY MEMORANDUM for the Regulation on a Common Monetary System for Curaçao and Sint Maarten

MINISTRY OF HEALTH STAGE PROBITY REPORT. 26 July 2016

BBMRI-ERIC WEBINAR SERIES #2

TERMS AND CONDITIONS. for the use of the IMDS Advanced Interface by IMDS-AI using companies

UK Broadband Limited Company Reg No: Spectrum Access 3.5 GHz Licence First Issued: 28/02/17 Licence Number: Rev 1: 11/01/18

Invitation to take part in the MEP-Scientist Pairing Scheme 2015

Submission to the Governance and Administration Committee on the Births, Deaths, Marriages, and Relationships Bill

SAUDI ARABIAN STANDARDS ORGANIZATION (SASO) TECHNICAL DIRECTIVE PART ONE: STANDARDIZATION AND RELATED ACTIVITIES GENERAL VOCABULARY

D1.10 SECOND ETHICAL REPORT

MEMORANDUM OF UNDERSTANDING BETWEEN ANCI AND THE MINISTRY OF COMMUNICATIONS

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT. pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

COMMITMENT OF QUALITY ASSURANCE FOR THE RESEARCHER S MOBILITY PORTAL (ERACAREERS: )

Statement of the Communications Authority

Commonwealth Data Forum. Giovanni Buttarelli

COUNCIL OF THE EUROPEAN UNION. Brussels, 19 May 2014 (OR. en) 9879/14 Interinstitutional File: 2013/0165 (COD) ENT 123 MI 428 CODEC 1299

Justice Select Committee: Inquiry on EU Data Protection Framework Proposals

DECISION no.658 of November 28, 2005 on the procedure of requesting and granting the licences for the use of radio frequencies

AGREEMENT on UnifiedPrinciples and Rules of Technical Regulation in the Republic of Belarus, Republic of Kazakhstan and the Russian Federation

Proposal for a COUNCIL DECISION

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2016/0027(COD)

Legal Aspects of Identity Management and Trust Services

1. The Office of Communications (Ofcom) grants this wireless telegraphy licence ( the Licence ) to

EUROPASS DIPLOMA SUPPLEMENT

INTRODUCTION TO THE RESULTS OF THE IMO PUBLIC CONSULTATION ON ADMINISTRATIVE REQUIREMENTS IN MARITIME REGULATIONS

What does the revision of the OECD Privacy Guidelines mean for businesses?

Privacy Impact Assessments

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following

Policies for the Commissioning of Health and Healthcare

Spectrum Release Plan

Principles and Rules for Processing Personal Data

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

TechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV

BEMFV. Order on the procedure for providing proof as regards limiting exposure to. electromagnetic fields

Transcription:

1 Legitimate interest of the controller or a third party: General description of the processing environment Users can commence the registration required for using the MOL LIMO service in the Mobile Application or on the Website. Pursuant to section 4.3 of the General Terms and Conditions of the MOL LIMO service, at the time of registration, the Service Provider will require a copy of the User s driving licence. Controller s interest: It is in the controller s vital interest that the services provided are only used by those who are entitled to it according to the conditions specified by law. The controller also has an interest in being able to comply with the laws applicable to it. Apart from this, due to business reasons, the controller wishes to provide its service to those who have a minimum level of experience as a driver so that they do not cause any damage to the rented passenger car and their environment. The MOL LIMO service is a service based on a remote contract made via the Internet, the business model for which does not allow for personal administration, on-site verification of identity or the presentation of the driving licence in person. A basic feature of the service is that it can be used easily, with a few clicks over the Internet. This is justified on the user s part with convenient administration, and on the service provider s part with cost-efficiency. Justification of the legitimacy of the interest: Section 5 Subsections (2)-(3) of Act I of 1988 on Public Road Transport states that (2) Vehicles may only be driven on public roads by persons who are in a condition fit for safe driving and have the licence required for driving the vehicle. (3) The operator may not allow persons to drive the vehicle and drivers may not surrender driving the vehicle to persons who do not satisfy the conditions mentioned in Subsection (2). Pursuant to section 3.2 of the General Terms and Conditions of the MOL LIMO service The Service is available only to natural persons of at least eighteen (18) years of age, who have a valid driving licence and obtained their licence to drive at least one (1) year prior to the conclusion of the Framework Agreement. The legitimate interest is sufficiently explicit: The legitimate interest is sufficiently explicit, as an act of law requires the operator to make sure that the data subject who uses the service has the licence required for driving the vehicle. For business organisation reasons, the controller is also interested in not being forced to operate a nationwide customer service network for the presentation of driving licences in person. The legitimate interest is real and current: The legitimate interest is real and current, since processing is actually necessary for the controller to comply with its statutory obligation, and to verify the minimum level of experience as a driver.

The interest of a third party affected by processing or the interest of society: Third parties or a part of society are generally interested in processing to the extent that it can be regarded as public interest that the persons taking part in road traffic have the legally required licence and experience as necessary for road safety. As described above, the legitimate interest exists, so the question of necessity is to be examined next. 2 The necessity of processing It must be presented in a clear and straightforward way that processing is strictly necessary and adequate for fulfilment of the interest: Taking into consideration that the volume of personal data processed is restricted to the lowest possible, and the processing is limited to the shortest possible time, with due regard to the laws and the various interests, there is no alternative solution that would ensure the fulfilment of the interest in a less restrictive way. Examination as to whether the interest could be fulfilled by any alternative solution which is less restrictive to the individual: MOL only processes personal data for the purposes defined above, and these purposes cannot be achieved without disproportionate effort and costs. As demonstrated above, the legitimate interest in processing is also necessary, so we can continue with the examination of aspects of proportionality. 3 Balancing test on the proportionality of interests 3.1 Examination of the nature of interests Nature of the controller s legitimate interest: The controller s legitimate interest is cost-efficient, fast and simple administration. Type of the controller s legitimate interest: The controller processes the data subject s data in the interest of the efficient organisation of work, seamless administration and the establishment of the right to drive without doubt. The data subject s interest: The processing affects the data subject s right to informational self-determination, which is ultimately derived from the fundamental human right to human dignity. However, the right to human dignity enjoys absolute, non-limitable protection in conjunction with the right to life. Apart from that, based on the standard practice of the Constitutional Court, rights derived from human dignity, as in our case, the right to informational self-determination, may be restricted in terms of disposition over personal data provided that the principles of necessity and proportionality are observed.

Type and nature of the data: Driving licence: A valid document entitling its holder to drive vehicles in the territory of Hungary in accordance with Government Decree no. 326/2011 (XII. 28.) on public road administration tasks, and the issuing and withdrawal of public transport documents, which complies with the conditions defined in this Decree. The data processed do not comprise any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation, so no special category of personal data as defined in Article 9 of the GDPR is concerned. Pursuant to recital (51) of the GDPR: The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. 3.2 Assessment of the impacts of processing Impacts of processing beneficial and not beneficial to the data subject Although the processing may potentially restrict the data subject s right to informational self-determination over his/her personal data, he/she benefits from not being required to make a personal appearance in an office to present his/her driving licence. The data subject s status: Users of the MOL LIMO service are 18 years of age or more. The controller s status: MOL Nyrt. is a member of the MOL Group, which is active in 30 countries with 25 thousand employees, and is based in Budapest. The MOL Group is a major group of companies in Central and Eastern Europe. Accordingly, it can be established that the controller has significant economic power. Relationship between the data subject and the controller: The relationship between the data subject and the controller is imbalanced in the sense that the service provider unilaterally sets the terms and conditions of the contract, which the person intending to use the service can accept or decline. Impact of the processing on the data subject, in light of his/her relationship to the controller: Due to the slight imbalance of the relationship between the data subject and the controller, it is important to examine the nature and necessity of the legitimate interest more carefully, and to provide transparent and understandable information to the data subject. The means of processing: In accordance with the principles of data minimisation and purpose limitation, the processing is restricted to the scope of data which is strictly necessary for the fulfilment of the legitimate interest. The processed data are used exclusively for the legitimate and explicit purpose, and their accessibility is strictly limited to those employees who need to

know the personal data for the completion of their work. As a result, the impacts of processing are fully foreseeable and predictable. Information provided to the data subject on processing: At the start of processing, the controller provides the data subject with comprehensive, clear and easily understandable information on the scope of personal data to be processed, the ground, means, duration of processing, the data subject s rights related to the processing. 3.3 Other security measures Keeping data for a limited time: The data controller stores the copy of the data subject s driving licence uploaded in the system only for the period absolutely necessary for data verification, for 24 hours after registration, after which it permanently deletes the copy of the driving licence from its system. Restriction on data access: Accessibility of the data subject s personal data is strictly limited to those employees who need to know the personal data for the completion of their work. 4 Outcome of the interest balancing test and its documentation A legitimate interest exists In regard to the processing operations concerned, the controller has a legitimate interest, since it is actually interested in efficient and fast administration, and in proving that the user of the service has a driving licence. It can also be concluded from the above discussion that the legitimate interest is sufficiently explicit, real and current, so the further examination of necessity is correct. The processing is necessary Processing is necessary for the fulfilment of the legitimate interest, since in the absence of data provision, the controller s economic model would not be feasible. The processing represents proportional limitation to the data subject s rights Examination of the nature of interests As it regards the nature of the interest, it can be stated that, although processing potentially limits the data subject s right to informational self-determination in regard to his/her personal data, this right is not absolute and non-limitable, so the limitation is admissible if processing is necessary and proportional. Since necessity is already justified on the grounds described above, the further examination of proportionality is required. On the controller s part, in respect of the nature of interest, other legitimate interest exists, which, when tested for proportionality, can be regarded as a weaker economic and efficiency interest than the exercise of the fundamental right and the public interest, or the culturally or socially recognised interest. In this respect, the nature of the interest tips the

balance for admissibility as it is an interest related to the basic and efficient operation of the controller s organisation. Impact assessment of the processing Taking into account both the negative and the positive impacts on the data subjects, the processing clearly shifts towards admissibility, because while negative impacts are arbitrary and negligible, the impacts supporting simple and cost-efficient administration exist in any case. The status of the parties can influence the scale of proportionality, since the controller has significant economic power, and it has unilaterally established the General Terms and Conditions, so the legal relationship between the controller and the data subject is partially imbalanced. On the other hand, taking into consideration that, already at the time of the collection of data, the data subject is appropriately informed of the processing, and also that, due to the means of processing, the impacts of processing are fully predictable. In this way, the standard of proportionality is shifted towards the admissibility of processing. As a further factor supporting the proportionality of the limitation of right, the controller provides the data subject with comprehensive, clear and easily understandable information upon the collection of data on the scope of personal data to be processed, the ground, means, duration of processing and the data subject s rights related to the processing. Other security measures Proportionality is further enhanced by two security measures: that the data are kept for a limited time, and that access to the data is restricted. Based on the above discussion, as a result of the Interest Balancing Test Assessment, it can be established the data subject s right is not overriding as compared to the controller s legitimate interest, and the processing realises a necessary and proportionate restriction regarding the data subject.

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback