What are the most common breaches of the right to personal data protection (personal data misuse)?
Misuse of personal data is done in order to inflict harm to another person (harm to good name and reputation or violation of privacy)EXAMPLE: Person A creates a fake Facebook account as person B, publishes a photograph of person B and their personal data known to Person A—name, surname, age, etc. Person A then goes on to publish inappropriate and/or vulgar content on this Facebook account, casting Person B in a bad light.
Personal data can be misused to commit some offences; e.g. fraud or use of someone’s personal data to gain an undue advantage, such as use of someone’s personal data to conclude fake contracts (the so-called identity theft).
EXAMPLE: Person A uses Person B’s personal data to conclude a “fake” contract with a telecommunications operator; acting as Person B, Person A concludes a contract on behalf of Person B, but to Person A’s benefit, to obtain a mobile phone and a mobile phone number and incurs expenses which they do not cover, while the debt is borne by Person B, who has nothing to do with the said contract since the contract was concluded under false pretences, by using their personal data.
Individuals can be convinced to provide their personal data, for example by making them believe that they have received a large inheritance or won in a prize competition, all with the aim to gain an undue advantage.
EXAMPLE: A person receives a notification on a social media platform that they have won in a prize competition. To be able to receive their prize, they need do provide a copy of the front and back side of their ID card. The ID card copy is then misused to remotely conclude a fake subscription contract.
We recommend that you are particularly careful, responsible and discerning with your personal data and that you do not send your data, especially online, to unknown persons or persons you do not know very well if you do not have reliable information about their identity.
! The more personal data are required from you by someone online (for example, a full copy of your ID card), the greater the possibility of unlawful disclosure of your personal data, identity theft and other personal data misuses. Please keep in mind that only competent authorities and legal persons are entitled and authorised to request your ID card and data from it pursuant to special regulations and operating terms and conditions; i.e. the police and service providers—banks, telecommunications operators—for the purpose of unambiguous identification of citizens/clients (presenting the ID card to the salesperson who is selling you alcohol and tobacco products, when checking-in in accommodation facilities, using rent-a-car services, etc.). Employers may also request their employees’ ID cards under the conditions prescribed by law.
Breaches of the right to personal data protection furthermore pertain to: disclosure of personal data in the media, disclosure of personal data on the building noticeboard, provision of medical records to unauthorised persons, processing of personal data by installing a CCTV security system in shared facilities of apartment buildings without valid legal grounds, processing of personal data with CCTV security systems on the employer’s business premises, keeping of inaccurate personal data about service users in enforcement proceedings for the purpose of collection of payment for those services, i.e. processing of someone’s PIN (OIB) or identification document number in case of persons with the same name and surname, which leads to mistaken identification of the debtor and confusion between the identities of the persons, provision of personal data to other users for their use without legal grounds, such as provision of the co-owners’ PINs (OIBs) to potential building managers, failure to introduce appropriate safeguards for personal data kept by banks on their clients to protect them from unauthorised access and use, etc.