Commissioner for Information of Public Importance and; Personal Data Protection (hereinafter: Commissioner) by the decision on 17/06/2022 permanently prohibited the company "ITX RS" doo Beograd (hereinafter: Controller) from processing personal data and especially data on the document number (identity card/passport), which were being collected from natural persons during online shopping of goods on the following websites:
https://www.oysho.com/rs; https://www.massimodutti.com/rs; https://www.stradivarius.com; https://www.zara.com/rs/;
https://www.zarahome.com/rs/; https://www.pullandbear.com/rs/ и https://www.bershka.com/rs/.
During the inspection supervision, it was established that the Controller collects the concerned data for (potential) customer refunds and that the data are prematurely processed, that is, they are being processed before the moment of refund, meaning that the time of disputed data collection process is not legal, because the legal obligation of the Controller arises only at the moment of refunding the money to the customer for already purchased goods or services, or at the moment of withdrawing from the purchase in the case of a previously paid advance.
Regarding that, in a letter on July 6, 2022, the Controller informed the Commissioner that he had fully complied with the aforementioned decision, and stated that he had stopped further collection of identification document numbers of natural persons, as well as that he had deleted all the insofar collected data.
The commissioner also takes this opportunity to warn all data controllers, processors, and other persons to process personal data exclusively in a legal manner and only for the purpose for which the data are collected, i.e. not to collect from citizens more data than necessary to achieve the purpose.