The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) has recently published its annual report in which it presented a case where the Authority imposed the highest fine to date of ca. EUR 670,000 (HUF 250 million).
The case involved the personal data processing of a bank (acting as a data controller) which automatically analysed the recorded audio of customer service calls. The bank used the results of the analysis to determine which customers should be called back by analysing the emotional state of the caller using an artificial intelligence-based speech signal processing software that automatically analysed the call based on a list of keywords and the emotional state of the caller. The software then established a ranking of the calls serving as a recommendation as to which caller should be called back as a priority.
The purposes of the processing activity was determined by the bank as quality control based on variable parameters, the prevention of complaints and customer migration, and the development of its customer support’s efficiency. However, according to the Authority, the bank’s privacy notice referred to these processing activities in general terms only, and no material information was made available regarding the voice analysis itself. Furthermore, the privacy notice only indicated quality control and complaint prevention as purposes of the data processing.
The bank based the processing on its legitimate interests to retain its clients and to enhance the efficiency of its internal operations. The data processing activities in connection with these interests, however, were not separated in the privacy notice and in the legitimate interests tests, they became blurred.
In the course of the procedure before the Authority it became evident from the statements of the bank that…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
