At present, many administrative bodies use online reservation systems that enable citizens to book a visit for a specific time in order to apply for a new ID card, a new driving licence, etc. Applicants must usually provide their e-mail address, through which they receive the visit confirmation and a PIN to be used later at the institution's premises.
The office has received a complaint from a citizen who used such a reservation system of a municipality office to get a new ID card. After applying for a specific date and time, he noticed that he was rerouted to a website of a private operator. The municipality's privacy notice provided clear information neither about the private outsourcing of this service nor about the manner in which the personal data would be processed.
Consequently, the transparency principle was breached. Moreover, a data subject's consent obtained within such a reservation system cannot be regarded as informed.
The investigation has revealed that the municipality also collected, without any obvious purpose, applicants' phone numbers, even though only an e-mail address was necessary for the reservation confirmation. Provision of the phone number was obligatory. Therefore, the data minimisation principle was violated. The municipality could process phone numbers only as a voluntary item and would have to inform applicants about the purpose. Such a purpose might be cancellation of the booked visit.
The most frequent shortcomings detected in relation to the online reservation systems operated in the public administration sector:
- Collection of excessive personal data not necessary for the purpose,
- Lack of transparency and clarity of information about the data processing, namely about the fact that the personal data are handled by a private processor,
- Rerouting to a private website is not accompanied by sufficient information about the fact itself and the purposes,
- Failure to meet the conditions for a valid client consent, namely concerning the possibility to withdraw this consent at any time later,
- Doubts as to the quality of the granted consent, in terms of whether it is really informed.
Finally, it has to be stressed that responsibility for the processing of personal data always lies with the controller, even if the service has been outsourced.