BlnBDI (Berlin) - 521.11.871: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 71: | Line 71: | ||
}} | }} | ||
The DPA of Berlin (BInBDI) issued a reprimand to a controller for violating Article 17(1) GDPR by not erasing personal data after a request for ersaure was received, | The DPA of Berlin (BInBDI) issued a reprimand to a controller for violating Article 17(1) GDPR by not erasing personal data after a request for ersaure was received, even though there was no legal basis for further processing the data. | ||
== English Summary == | == English Summary == | ||
Line 78: | Line 78: | ||
The controller is Outfittery GmbH an online clothing store for men. The data subject was a customer of the controller- | The controller is Outfittery GmbH an online clothing store for men. The data subject was a customer of the controller- | ||
On 23 August 2019, the data subject sent the controller an email requesting the controller to erase | On 23 August 2019, the data subject sent the controller an email requesting the controller to erase his data. The controller confirmed the erasure of data on the same day. On 23 September 2019, the controller sent an e-mail to the data subject with information about a merger with Curated Shopping GmbH. The controller informed the data subject about the data transfer from Curated Shopping GmbH to its systems, unless the data subject does not object to this transfer within two weeks of notice. | ||
After receiving this email, the data subject requested an explanation about why he was still registered as a customer in the database of the controller. Moreover, he objected to the further use of his data and again requested its erasure. | |||
=== Holding === | === Holding === | ||
The DPA held that the controller violated [[Article 17 GDPR#1a|Article 17(1)(a) GDPR]], since | The DPA held that the controller violated [[Article 17 GDPR#1a|Article 17(1)(a) GDPR]], since it should fulfill the erasure request without undue delay, if the processing is no longer necessary. | ||
The Berlin DPA pointed out that with their request on 23 August 2019, the data subject had requested the data deletion and expressed their wish to no longer being contacted by Outfittery GmbH. The erasure request was not denied for any other reason. In fact, the erasure was confirmed by the controller. Notwithstanding that, the personal data was used again by the controller on 23 September 2019. The DPA further held that the controller had violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. According to this provision, the personal data should be processed lawfully, when there is a consent of the data subject or on the grounds of another legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]]. In the present case the personal data was used, although it should have been erased. There was no legal basis for denying the request and for further storing the data. | The Berlin DPA pointed out that with their request on 23 August 2019, the data subject had requested the data deletion and expressed their wish to no longer being contacted by Outfittery GmbH. The erasure request was not denied for any other reason. In fact, the erasure was confirmed by the controller. Notwithstanding that, the personal data was used again by the controller on 23 September 2019. The DPA further held that the controller had violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. According to this provision, the personal data should be processed lawfully, when there is a consent of the data subject or on the grounds of another legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]]. In the present case the personal data was used, although it should have been erased. There was no legal basis for denying the request and for further storing the data. |
Latest revision as of 10:52, 30 June 2022
BlnBDI - 521.11.871 | |
---|---|
Authority: | BlnBDI (Berlin) |
Jurisdiction: | Germany |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR Article 17(1) GDPR Article 17(1)(a) GDPR Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 21.06.2021 |
Fine: | n/a |
Parties: | A Outfittery GmbH |
National Case Number/Name: | 521.11.871 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | Marieta Gencheva |
The DPA of Berlin (BInBDI) issued a reprimand to a controller for violating Article 17(1) GDPR by not erasing personal data after a request for ersaure was received, even though there was no legal basis for further processing the data.
English Summary
Facts
The controller is Outfittery GmbH an online clothing store for men. The data subject was a customer of the controller-
On 23 August 2019, the data subject sent the controller an email requesting the controller to erase his data. The controller confirmed the erasure of data on the same day. On 23 September 2019, the controller sent an e-mail to the data subject with information about a merger with Curated Shopping GmbH. The controller informed the data subject about the data transfer from Curated Shopping GmbH to its systems, unless the data subject does not object to this transfer within two weeks of notice.
After receiving this email, the data subject requested an explanation about why he was still registered as a customer in the database of the controller. Moreover, he objected to the further use of his data and again requested its erasure.
Holding
The DPA held that the controller violated Article 17(1)(a) GDPR, since it should fulfill the erasure request without undue delay, if the processing is no longer necessary.
The Berlin DPA pointed out that with their request on 23 August 2019, the data subject had requested the data deletion and expressed their wish to no longer being contacted by Outfittery GmbH. The erasure request was not denied for any other reason. In fact, the erasure was confirmed by the controller. Notwithstanding that, the personal data was used again by the controller on 23 September 2019. The DPA further held that the controller had violated Article 5(1)(a) GDPR. According to this provision, the personal data should be processed lawfully, when there is a consent of the data subject or on the grounds of another legal basis under Article 6(1) GDPR. In the present case the personal data was used, although it should have been erased. There was no legal basis for denying the request and for further storing the data.
The DPA issued a reprimand to the controller, under Article 58 (2)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Berlin Commissioner for 521.11871 Data Protection and 631.375 Freedom of Information CR 52519 10969 Berlin. 219 Visitors’ entrance: Puttkamer Str. 16-18 FINAL DECISION The building is fully accessible to disabled members of the public. Berlin, 21 June 2021 OUTFITTERY GmbH Contact us Phone: +49 (0)30 13889-0 Management Board Fax: +49 (0)30 215 50 50 [redacted] Use our encrypted contact form Leuschnerdamm 31 for registering data protection 10999 Berlin complaints: schwerde.htmltz-berlin.de/be- For information: For all other enquiries, please ISiCO Datenschutz GmbH send an e-mail to: [redacted] mailbox@privacy.de Am Hamburger Bahnhof 4 Fingerprint of our 10557 Berlin PGP-Key: D3C9 AEEA B403 7F96 7EF6 C77F B607 1D0F B27C 29A7 Reprimand Office hours Complainant: [redacted] Your letters of 15 January 2020, 30 June 2020, and 30 September 2020 Daily from 10 am to 3 pm, Thursdays from 10 am to 6 pm (your reference IS-0472-10) (or by appointment) Dear [redacted], How to find us The underground line U6 to We hereby issue a reprimand to your company for a violation of the Kochstraße / Bus number M29 General Data Protection Regulation (GDPR). and 248 Reasoning: Visit our Website https://privacy.de This decision is based on the following considerations I. The Berlin DPA has established the following facts: The above-mentioned complainant requested Outfittery GmbH to erase his data by email from the email address [redacted-email address 1] on 23 Au- gust 2019. Outfittery GmbH confirmed the erasure of the complainant's data by email on the same day. On 23 September 2019, you sent the complainant an email to [redacted- email address 1] from team@modomoto.de with information about the mer- ger of Curated Shopping GmbH with Outfittery GmbH, which was entered in the commercial register on 27 June 2019, and the transfer of his data to, - 2 - the system of Outfittery GmbH, unless he objects within two weeks of re- ceipt of the notification. By email from [redacted-email address 1] of 23 September 2019, the com- plainant requested an explanation from you and Curated Shopping GmbH as to why the erasure of his data had not taken place, objected to the fur- ther use of his data and again requested its erasure. Furthermore, the com- plainant stated that he had not had a business relationship with Curated Shopping GmbH. In the above-mentioned statements, you credibly stated that the complain- ant had two customer accounts with Curated Shopping GmbH under the email addresses [redacted-email address 1] and [redacted-email address 2], independently of his customer account with Outfittery GmbH. You in- formed the complainant of this after receiving his renewed erasure request and confirmed to him in an email dated 26 September 2019 that you would also erase this data for his email address [redacted-email address 2]. II. Legally, we assess the facts as follows. Your company has violated the General Data Protection Regulation (GDPR). Pursuant to Article 17(1)(a) GDPR, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. The controller also shall have the obligation to erase personal data without undue delay if it is no longer necessary in rela- tion to the purposes for which they were collected or otherwise processed. According to Article 5(1)(a) GDPR, personal data shall be processed law- fully. In order for the processing to be lawful, personal data must be pro- cessed either with the consent of the data subject or on grounds of a legal basis, in accordance with Article 6(1) sentence 1 GDPR. By email addressed to [redacted-email address 1], Curated Shopping GmbH with the email address team@modomoto.de informed the complain- ant on 23 September 2019 about the merger with Outfittery GmbH and the transfer of his data into the system of Outfittery GmbH, unless he objected within two weeks after receipt of the notification. However, this aforemen- tioned email of 23 September 2019 is also attributable to Outfittery GmbH as the controller, since the merger with Curated Shopping GmbH was al- ready entered in the commercial register on 27 June 2019. Through his erasure request of 23 August 2019, the complainant has ex- pressed that he is no longer interested in being contacted by Outfittery GmbH. Further storage of his data for the business purposes of Outfittery GmbH was thus no longer necessary. The erasure request was also not denied for other reasons. However, an erasure did not take place with regard to the complainant's personal data taken over by Curated Shopping GmbH with effect from 27 June 2019 by Outfittery GmbH. Rather, his data was used again by Outfit- tery GmbH on 23 September 2019, although it should have already been erased. The use of the data and the continued storage thus took place with- out legal grounds., - 3 - Outfittery GmbH has thus violated Article 17(1), Article 5(1)(a) and Article 6(1) GDPR. III. As a result, we have decided not to take any further supervisory measures due to the violation, but to leave it at a reprimand. The reprimand is based on Article 58(2)(b) GDPR. Taking into account the specific circumstances of the established facts, we consider a reprimand to be appropriate after completing our investigation. We have again identified a violation on your part. In the certain expectation that you will comply with the data protection regu- lations in the future, we consider the matter closed. Kind regards, [redacted]