T 0.38 Abuse of Personal Data

Personal data is almost always particularly sensitive information. Typical examples include information about personal or factual circumstances of an identified or identifiable natural person. If the protection of personal data is not sufficiently guaranteed, the danger exists that the person will be impaired in his or her social position or economic conditions.

An abuse of personal data takes place if an institution collects, for example, too much personal data, collects it without legal basis or consent, uses it for purposes different from the objective stated at the time of collecting, deletes personal data too late or discloses such data in an unauthorised manner.

Examples:

• Personal data may be processed only for the purpose for which it was collected or stored for the first time. It is therefore inadmissible to use log files for attendance and monitoring conduct, if they were designed to store information on users' logging on to an IT system and logging off merely for access control.
• Persons who have access to personal data could disclose them in an unauthorised manner. For example, an employee at the front desk of a hotel could sell the guests¿ registration information to advertising companies.