In its resolution NAIH-2857/2021 of 27 October 2021, Hungary’s Data Protection Authority (NAIH) examined a customer satisfaction survey performed by a car dealership and car importer, uncovered violations and fined the importer HUF 5 million (EUR 13,600).
The following complaint prompted the investigation: the complainant, who approached NAIH, had provided his email address to the dealership that serviced his car. The complainant then received an unsolicited email from the importer requesting that a customer satisfaction survey be completed. The individual then received a reminder due to a lack of response.
An important takeaway from the decision is that it is not unlawful to send customer satisfaction surveys solely on the basis of a "legitimate interest" as defined in Article 6 (1) (f) GDPR, but it is important to provide transparent information to the potential recipients, which makes clear their right to object (i.e. opt-out) in advance.
What shortcomings did the NAIH identify?
Lack of adequate privacy information. The car importer company processed the potential recipient's email address, home address, telephone number, and vehicle technical identification without providing adequate data privacy information in advance.
Invalidity of the legal basis for the customer satisfaction survey. The legal basis for sending the survey was the company's legitimate interest in verifying, as the sole importer of this type of vehicle in Hungary, that the Hungarian dealership and service partners meet the required quality requirements. However, because the potential recipient was not adequately informed of his privacy rights, he could not reasonably have foreseen being sent the customer satisfaction survey email and hence did not have the opportunity to opt-out from such emails in advance.
Breach of the data minimisation principle. The main purpose of the customer satisfaction survey was statistical and trend measurement. According to the NAIH, however, much of the information requested in the survey (e.g. the recipient's name, home address, telephone number, age and gender) was not necessary for this purpose.
What must companies measuring customer satisfaction pay attention to?
In light of the above NAIH findings, companies must:
Review and document the expectations of the potential recipients of a customer satisfaction survey in the related legitimate interest assessment test (LIA) – in particular, companies should review whether there is a direct customer-seller or another type of relationship between the potential recipient and the sender.
Verify and document in the LIA data minimisation related to the customer satisfaction survey. A company should process only the personal data necessary for the survey.
Provide increased information at the end of customer satisfaction survey emails. This information should include the identity of the sender as data controller, the legal basis under the GDPR for sending the email, the data source of the recipient’s information and a link to the sender’s detailed privacy notice. The information can also include the opt-out link.
Provide an adequate privacy notice and ensure the right of the recipients of the customer satisfaction survey to object to data processing. Companies must verify that their privacy notice on the customer satisfaction survey is available for the potential recipients, contains the mandatory elements required by Articles 13 and 14 of the GDPR, and ensures that the potential recipient can object to the receipt of the relevant emails (i.e. opt-out) in advance.
For more information on this ruling and data protection laws in Hungary, contact your CMS client partner or local CMS experts.