The Office for Personal Data Protection



Important links


Path: Home Page


Visitors reservation systems used by public institutions shall process minimum of client data

23. 12. 2020 – Public institutions must explain the purposes for which they require specific personal data from citizens applying for a visit and why they process these data in a given manner. They also must justify why they used private outsourced supplier. The Office for Personal Data Protection draws attention to this issue on the basis of its investigations.

Presently, many administrative bodies use online reservation systems enabling citizens to fix a visit for a specific time in order to apply for a new ID-card, a new driving licence, etc. Applicants must usually use their e-mail address through which they obtain the visit confirmation and a PIN to be used later at the institution´s premises.

The office has received a complaint from a citizen who used such a reservation system of a municipality office to get a new ID-card. After applying for a specific date and time, he noticed that he was rerouted to a website of a private operator. The municipality´s privacy notice provided neither a clear information as to the private outsourcing of this service nor about the manner in which the personal data would be processed.

Consequently, the transparency principle was breached. Moreover, a data subject´s consent obtained within such a reservation system cannot be regarded as informed.

The investigation has revealed that the municipality also collected, without any obvious purpose, the applicant´s phone numbers even if only an e-mail address was necessary for the reservation confirmation. Provision of the phone number was obligatory. Therefore, the data minimisation principle was violated. The municipality could process phone numbers only as a voluntary item and would have to inform about the purpose. Such a purpose might be cancellation of the fixed visit.


The most frequent shortcomings detected in relation to the online reservation systems operated in the public administration sector: 
  • Collection of excessive personal data not necessary for the purpose,
  • Lack of transparency and clarity of information about the data processing, namely about the fact that the personal data are handled by a private processor,
  • Rerouting to a private website is not accompanied by a sufficient information about the fact itself and the purposes,
  • Failure to meet the conditions for a valid client consent, namely concerning the possibility to withdraw this consent at any time later,
  • Doubts as to the quality of the granted consent in terms of this being really informed.

Finally, it has to be stressed that responsibility for the processing of personal data is always on the controller´s side, even if the service has been outsourced.
Responsible: Mgr. Vojtěch Marcín
Created / changed: 4.1.2021 / 4.1.2021


Placing: Document folders > News

Mode No graphics is currently switched on. Therefore you see the web page with no decorative graphics as well as any advanced formatting. If your browser supports CSS2, you can switch a graphic mode on.

Copyright © 2013 The Office for Personal Data Protection. All rights reserved.
web & design , editorial system