IMY (Sweden) - DI-2020-10547: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 79: | Line 79: | ||
First, the DPA pointed out the applicable provisions. | First, the DPA pointed out the applicable provisions. | ||
It noted that the processing of personal data must meet at least one of the conditions set out in [[Article 6 GDPR|Article 6(1) GDPR.]] Also, the DPA considered the rights of data subjects to object to processing of their personal data. Namely, according to [[Article 21 GDPR|Article 21(1)]], the data subject shall have the right to object at any time to the processing of personal data relating to him or her based on [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] or [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. In such a case, controllers may no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests of the data subjects. Additionally, under [[Article 21 GDPR#2|Article 21(2) GDPR]], data subjects have the right at all times to object to their personal data being used for direct marketing purposes. Pursuant to [[Article 21 GDPR|Article 21(3) GDPR]], if an objection is made to direct marketing, the personal data may no longer be processed for such purposes. [[Article 12 GDPR|Article 12(3) GDPR]] requires requests under [[Article 21 GDPR]] to be dealt with without undue delay and in any event within one month at the latest. | It noted that the processing of personal data must meet at least one of the conditions set out in [[Article 6 GDPR|Article 6(1) GDPR.]] Also, the DPA considered the rights of data subjects to object to processing of their personal data. Namely, according to [[Article 21 GDPR|Article 21(1) GDPR]], the data subject shall have the right to object at any time to the processing of personal data relating to him or her based on [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] or [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. In such a case, controllers may no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests of the data subjects. Additionally, under [[Article 21 GDPR#2|Article 21(2) GDPR]], data subjects have the right at all times to object to their personal data being used for direct marketing purposes. Pursuant to [[Article 21 GDPR|Article 21(3) GDPR]], if an objection is made to direct marketing, the personal data may no longer be processed for such purposes. [[Article 12 GDPR|Article 12(3) GDPR]] requires requests under [[Article 21 GDPR]] to be dealt with without undue delay and in any event within one month at the latest. | ||
Second, the DPA assessed the case and held that the controller's failure to cancel the e-mail subscription was in violation of the GDPR. The DPA first examined the legal basis of processing used by the controller, which were performance of contract ([[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]) and legitimate interest ([[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]). | Second, the DPA assessed the case and held that the controller's failure to cancel the e-mail subscription was in violation of the GDPR. The DPA first examined the legal basis of processing used by the controller, which were performance of contract ([[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]) and legitimate interest ([[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]). | ||
Revision as of 15:51, 25 October 2022
| IMY - DI-2020-10547 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 6(1) GDPR Article 12(3) GDPR Article 21 GDPR Article 58(2)(b) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.04.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | DI-2020-10547 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | Lauren |
Following an Article 60 GDPR cooperation procedure, the Swedish DPA issued a reprimand against a newspaper subscription service which violated Articles 6(1), 12(3) and 21(2) GDPR by failing to stop sending marketing emails despite the data subject's objection.
English Summary
Facts
Prompted by a complaint, the Swedish DPA initiated supervision pursuant to Article 56 GDPR in accordance with the Article 60 GDPR cooperation mechanism. The handover of the complaint was made by a German DPA, where the data subject lodged his complaint. The concerned supervisory authorities were located in Germany, Norway, Spain, Denmark, Poland, Italy, and Portugal.
The concerned controller provided a subscription service for the digital distribution of newspapers and magazines in an app. On 5 November 2019, the data subject registered as a customer and user of the controller’s service but simultaneously declined to receive e-mails from the controller. Nevertheless, in the following days the data subject received e-mails from the controller. The data subject stated in the complaint that the date of the infringement was 12 November 2019. It was not until the data subject contacted the company's customer service on 28 November 2019 that the controller stopped sending e-mails.
The controller confirmed that the data subject contacted it on 28 November 2019. It sent the data subject an e-mail on 29 November 2019, confirming that the data subject's e-mail address was unsubscribed from all future e-mails. The controller further stated that the mistake was caused by human error and fixed as soon as the data subject reached out. The controller claimed that the legal basis for processing of mailing was either based on the performance of contract (Article 6(1)(b) GDPR) or legitimate interest (Article 6(1)(f) GDPR), if the mailing was considered marketing.
Holding
First, the DPA pointed out the applicable provisions.
It noted that the processing of personal data must meet at least one of the conditions set out in Article 6(1) GDPR. Also, the DPA considered the rights of data subjects to object to processing of their personal data. Namely, according to Article 21(1) GDPR, the data subject shall have the right to object at any time to the processing of personal data relating to him or her based on Article 6(1)(e) GDPR or Article 6(1)(f) GDPR. In such a case, controllers may no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests of the data subjects. Additionally, under Article 21(2) GDPR, data subjects have the right at all times to object to their personal data being used for direct marketing purposes. Pursuant to Article 21(3) GDPR, if an objection is made to direct marketing, the personal data may no longer be processed for such purposes. Article 12(3) GDPR requires requests under Article 21 GDPR to be dealt with without undue delay and in any event within one month at the latest.
Second, the DPA assessed the case and held that the controller's failure to cancel the e-mail subscription was in violation of the GDPR. The DPA first examined the legal basis of processing used by the controller, which were performance of contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR).
The DPA found that the main purpose of the contract between the data subject and the controller was the ability to read newspapers and magazines digitally. The DPA noted that several of the e-mails have contained information on how the data subject could further optimize the service according to the data subjects personal interests and receive personalized recommendations based on their reading history. The DPA considered that it could not be assumed that an average user would understand understand or perceive this to be a necessary part of the service. Moreover, the fact that the controller also offered the opportunity to unsubscribe from such e-mails suggested that the processing was not necessary for the performance of the contract. Therefore, the DPA did not consider Article 6(1)(b) GDPR to be a valid legal basis.
Subsequently, the DPA considered that the e-mails were primarily intended to improve the access to the service and that individually adapted content constituted direct marketing. The data subject therefore had the right to object to the processing under Article 21(2) GDPR. The controller was also obliged to stop sending the e-mails. Since the data subject still received marketing e-mails for another 23 days after unsubscribing, the controller failed to act without undue delay and therefore violated Article 21(3) and 12(3) GDPR. When a data subject objects to direct marketing, further processing of his or her personal data is no longer permitted for such purposes.
Therefore, there was also no lawful basis for processing for direct marketing purposes in violation of Article 6(1) GDPR. The DPA considered that the infringement was negligent. The DPA determined that the controller had taken action when it understood the data subject's intentions. The DPA therefore issued a reprimand pursuant to Article 58(2)(b) instead of imposing fines.
Comment
The EDPB only provides an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) final decision 2022-04-1, no. DI-2020-10547. Only the Swedish version of the decision is deemed authentic.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(7)
Notice: This document is an unofficial translation of the
Swedish Authority for Privacy Protection’s (IMY) final
decision 2022-04-1, no. DI-2020-10547. Only the Swedish
version of the decision is deemed authentic.
Ref no:
DI-2020-10547, IMI case no. Supervision under the General Data
116489
Protection Regulation – Readly AB
Date of draft decision:
2022-04-01
Date of translation:
2022-04-04 Decision of the Swedish Authority for Privacy
Protection
The Swedish Authority for Privacy Protection finds that Readly AB has violated
1
Article 21(3) and 12(3) of the General Data Protection Regulation by
continuing to process personal data for direct marketing purposes after the
complainant objected to such processing on 5 November 2019 in accordance
with their right under Article 21(2).
Article 6.1 of the General Data Protection Regulation by sending direct
marketing e-mails to the complainant the 12, 15, 19 and 23 November 2019
without having a lawful basis for the processing.
The Swedish Authority for Privacy Protection gives Readly AB a reprimand in
accordance with Article 58(2)(b) of the General Data Protection Regulation for the
infringement of Article 21(3), 12(3), 6(1).
Report on the supervisory report
The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding
Readly AB (Readly or the company) due to a complaint. The complaint has been
submitted to IMY, as responsible supervisory authority for the company’s operations
pursuant to Article 56 of the General Data Protection Regulation (GDPR). The
handover has been made from the supervisory authority of the country where the
complainant lodged their complaint (Germany) in accordance with the Regulation’s
provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light
Postal address: of a complaint relating to cross-border processing, IMY has used the mechanisms for
Box 8114 cooperation and consistency contained in Chapter VII GDPR. The supervisory
104 20 Stockholm authorities concerned have been the data protection authorities in Germany, Norway,
Website: Spain, Denmark, Poland, Italy and Portugal.
www.imy.se
E-mail:
imy@imy.se 1Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with respect to the
Phone: processing of personal data and on the free flow of such data and repealing Directive 95/46/EC
(General Data Protection Regulation).
08-657 61 00Privacy Protection Authority Our ref: Di-2021-10547 2(7)
Date:2022-04-01
The complaint
Complaint from Germany with national reference number: 521.12106/ 631.145
The company provides a service, ‘Readly’, for digital distribution of newspapers and
magazines.
The complaint essentially states the following. The complainant registered as a
customer and user of the company’s service on 5 November 2019 and declined to
receive e-mails from the company on the same day through their user account.
Nevertheless, the complainant received e-mails from the company on 12, 15, 19 and
23 November 2019. The complainant also received an e-mail on 6 November 2019 but
states in the complaint that they can allow that mailing to pass. The complainant also
states in the complaint that the date of the infringement is 12 November 2019. It was
not until the complainant contacted the company's customer service on 28 November
2019 that the mailings stopped.
What Readly AB has stated
The company essentially states the following.
On 28 November 2019, the complainant contacted the company's customer service
and, on the same day, the company took steps to make sure the complainant would
not receive further e-mails. The company’s customer service confirmed by e-mail to
the complainant on 29 November 2019 that the complainant's e-mail address was
unsubscribed from all future e-mails. On 2 December 2019, the complainant requested
an explanation of why they had received e-mails even though they had unsubscribed.
On 3 December 2019, the company informed the complainant that it was a mistake
caused by human error, which the company took measures on, on 28 November 2019.
The company states that they make a distinction between mailings that have the
contract as a lawful basis, from mailings for marketing purposes, which are based on
legitimate interest. The e-mails received by the complainant were intended to
communicate with the user about the service and have the customer contract as a
lawful basis. The e-mails are part of the company’s welcome routine for newly
registered users. The purpose of the e-mails is to explain to the user how the service
works and what functionality the service contains. The company argues that the e-
mails received by the complainant are necessary in order to, and in accordance with
the contract, provide the user with individually tailored content, e.g. to recommend
newspapers and magazines that the user is likely to be interested in, based on the
user’s reading history. According to the company, users normally expect the service to
adapt the content based on the customer’s use of the service. Since the e-mails have
been part of the service, the processing of personal data as a result of the mailings
has been necessary and thus had the contract as a lawful basis. The company offers
users to unsubscribe from these e-mails, which is offered as a part of the service.
Readly, therefore, takes the view that the complainant's personal data was not
processed for marketing purposes. If the mailings were to be regarded as marketing
and the processing of personal data cannot be based on a contract as a lawful basis,
the company believes that the processing of personal data instead has the purpose of
communicating with the user for marketing purposes and relies on the company’s
legitimate interests.Privacy Protection Authority Our ref: Di-2021-10547 3(7)
Date:2022-04-01
Justification of the decision
Applicable provisions, etc.
In order for personal data processing to be considered lawful, at least one of the
conditions set out in Article 6(1) GDPR must be fulfilled. This means either that the
data subject has given consent to the processing referred to in point (a) which fulfils
the conditions set out in Article 4(11) and Article 7 or that the processing is necessary
in one of the contexts listed in points (b) to (f), for example, for the performance of a
contract to which the data subject is party or to take action at the request of the data
subject prior to the conclusion of such a contract (point (b)) or for the purposes of the
legitimate interests of the controller or a third party, unless the interests or fundamental
rights and freedoms of the data subject overrun and require the protection of personal
data (point (f)). There may be several applicable legal bases for the same treatment. 2
Under Article 21(1), an individual shall have the right, on grounds relating to his or her
specific situation, to object aany time to the processing of personal data relating to
him or her based on Article 6(1)(e) (data carried out in the public interest or the
exercise of official authority) or (f) (legitimate interest), including profiling based on
those provisions. The controller may no longer process the personal data unless it can
demonstrate compelling legitimate reasons for the processing which override the
interests, rights and freedoms of the individual or for the establishment, exercise or
defence of legal claims.
Under Article 21(2), individuals have the right at all times to object to their personal
data being used for direct marketing purposes. If an objection is made to direct
marketing, the personal data may no longer be processed for such purposes, as
follows from Article 21(3).
Article 12(3) requires requests under Article 21 to be dealt with without undue delay
and in any event within one month at the latest. This period may, if necessary, be
extended by a further two months, taking into account the complexity of a request and
the number of requests received.
Assessment of the Authority for Privacy Protection (IMY)
Starting points on contract as a lawful basis under Article 6(1) General Data
Protection Regulation
Where a contract is to provide a lawful basis for the processing of personal data, the
processing of personal data must be necessary either for the performance of the
contract with the data subject or for taking steps at the request of the data subject prior
to entering into a contract.
When assessing whether the processing is necessary, account shall be taken to the
nature of the service, the expectations of the average user in relation to the contractual
terms and conditions and how the service is marketed, and whether the service can be
provided without that specific processing. However, just the mere fact that a
processing of personal data is mentioned in a contract does not automatically mean
that the processing is necessary for the performance of the contract. The processing
must be objectively necessary for the performance of the specific contract. It is not
enough that the processing is “useable”. A controller should be able to demonstrate
2Judgement of 9 March 2017, Manni398/15, EU:C:2017:197, paragraph 42.Privacy Protection Authority Our ref: Di-2021-10547 4(7)
Date:2022-04-01
that the main purpose of the specific contract cannot in practice be achieved if the
processing in question is not carried out. 3
As a general rule, the processing of personal data for the purpose of providing
behavioural advertising is not necessary for the performance of an online service
contract. If a user has paid a service provider to have certain goods or/and services
delivered without the intention of having their preferences and lifestyle profiled through
click history on a website, it is difficult to claim that the contract could not have been
4
performed without the behavioural advertising.
Has the company infringed Article 12.3 and 21 of the General Data Protection
Regulation?
In the present case, in the light of the complaint, IMY has to assess whether canceling
the e-mail subscription 23 days after the complainant’s request, made by declining
through their account on 5 November 2019, was in accordance with the GDPR.
The first question for IMY to examine is whether the complainant had a right to object
to that specific type of mailing and which lawful basis the processing is based on. The
company claims, first, that the processing is based on the contract with the
complainant and, in the alternative, on its legitimate interests.
Readly AB provides a subscription service for the digital distribution of newspapers
and magazines in an app. Therefore, the specific service purchased by a user by
entering into a contract with the company is the ability to read newspapers and
magazines digitally, which IMY finds to be the main purpose of the contract. A review
of Readly’s website (landing page) shows that their service is mainly marketed as
following:
• a digital subscription service without a binding time,
• the possibility to use offline mode,
• access to the latest and previous editions;
• unlimited reading at a low cost and
• the possibility of family sharing.
On the basis of the contract, the company processes its customers’ personal data in
order to provide the service and for payment purposes. In order for the company to be
able to process the personal data for other purposes with the contract as a lawful
basis, the company needs to be able to demonstrate that the processing is necessary
for the performance of the contract with the data subject.
In the present case, the company has sent an e-mail to the complainant with the
purpose of communicating about the service, which the company believes can rely on
the contract as a lawful basis. However, it should be noted that several of the e-mails
have contained information on how the complainant can further optimize the service
according to the complainant's personal interests and receive personalized
recommendations based on their reading history. At least one of the e-mails contained
individually tailored suggestions that stated "Find your favorite magazines and discover
similar titles. Start with these ones we’ve highlighted just for you".
3European Data Protection Board’s Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR
in the context of the provision of online services to data subjects, para. 57.
4Article 29 Data Protection Working Party - Guidelines on Automated individual decision-making and Profiling for the
purposes of Regulation 2016/679 p. 13-14 and
5Accessed from the company’s website, https://.com/gb-21 (visited 2021-10-20); Translated by IMYPrivacy Protection Authority Our ref: Di-2021-10547 5(7)
Date:2022-04-01
The company states on its website that they offer suggestions for recommended
reading when purchasing an online subscription. Although the company informs that
they offer personalized content, it cannot be assumed that an average user
understands or perceives this to be a necessarily part of the service. The fact that the
company also offers the opportunity to unsubscribe from such e-mails suggests that
the processing of personal data was not necessary for the performance of the contract.
According to IMY, the e-mails received by the complainant with individually tailored
content are not objectively necessary to fulfill the main purpose of the contract, i.e.
providing a digital newspaper and magazine subscription. IMY finds that these e-mails
cannot be supported on article 6(1)(b) GDPR.
IMY considers that the e-mails are primarily intended to improve the access to and
experience of the service and that the individually adapted content constitutes direct
marketing . The complainant therefore had the right to object to the processing of their
personal data under Article 21(2) and, after receiving such an objection, the company
was obliged to stop sending e-mails for direct marketing purposes.
After the complainant unsubscribed they still received marketing e-mails for another 23
days, which according to the company was due to an oversight and human error on
their part. IMI finds that the company has not, in this case, acted without undue delay
and therefore violated Article 21(3) and 12(3) of the GDPR.
The company's statement, that if the processing of personal data cannot be based on
a contract as a lawful basis, it may instead support the processing on legitimate
interest, does not affect IMY:s assessment of the violation of Article 21(3) and 12(3).
Has the company infringed Article 6.1 of the General Data Protection
Regulation?
In the present case, in the light of the complaint, IMY has to assess whether the
processing complained of by the complainant has been carried out in accordance with
the GDPR. It is clear from the complaint that it does not cover the mailing on 6
November. IMY’s assessment is therefore focused on whether the company has had a
lawful basis for the e-mails sent between 12 and 23 November 2019.
When a data subject objects to direct marketing, further processing of his or her
personal data is no longer permitted for such purposes.
That means that there is then no lawful basis for the processing. In order to determine
when the company has ceased to have a lawful basis for the processing, it must be
assessed when the objection should in any event have been dealt with.
Where a data subject objects to direct marketing pursuant to Article 21(2), the
controller shall cease mailings for direct marketing purposes. Since that right is
unconditional, there is no need for individual examination of such an objection. The
6
The GDPR does not define the terms ‘marketing’ or ‘direct marketing’. However, recital 47 mentions direct marke ing
as an example of what may be a legitimate interest under Article 6(1)(f). In the Swedish Marke ing Act (2008:486)
marketing is defined as: "advertising and other measures in the course of business activities which are intended to
promote the sale of and access to products including a trader’s actions, omissions or other measures or behaviour
before, during or after sale or delivery of products to consumers or traders." The International Chamber of Commerce
(ICC) Advertising and marketing communication code (ICC Code), 2018 edition, Chapter C, define the term “direct
marketing” as " communication, by whatever means, of advertising or marketing material carried out by a direct
marketer itself or on its behalf, and which is directed to particular
individuals using their personal contact information (including mailing address, telephone number, email address,
mobile phone number, facsimile, personal social media account handle, and the like." Available here; icc-advertising-
and-marketing-communications-code-int.pdf (iccwbo.org)Privacy Protection Authority Our ref: Di-2021-10547 6(7)
Date:2022-04-01
objection should therefore be dealt with promptly and routinely. The company also has
an automated system that aims to easily capture the data subject’s intention, i.e. to
object to direct marketing. The complainant's intention to object to direct marketing
was therefore not unclear to the company. This suggests that the time limit within
which the objection should have been dealt with in this case is short.
According to Article 12(3) a request under Articles 15 to 22 shall be dealt with without
undue delay. The complainant objected on 5 November 2019 pursuant to Article 21
and thereafter received marketing e-mails on 12, 15, 19 and 23 November 2019.
Between 5 and 12 November six days passed.
In view of the foregoing, IMY considers that the company should have handled the
complainant’s objection at least after six days. It therefore did not handle the objection
without undue delay and, consequently, had no lawful basis for processing the
complainant’s personal data for direct marketing purposes. The direct marketing
mailings on 12, 15, 19 and 23 November 2019 meant that the company processed the
complainant’s personal data in violation of Article 6(1) of the GDPR.
Choice of corrective measure
Pursuant to Article 58(2)(i) and Article 83(2) IMY has the authority to impose
administrative fines in accordance with Article 83. Depending on the circumstances of
the individual case, administrative fines may be imposed in addition to or instead of the
other measures referred to in Article 58(2). Furthermore, Article 83(2) states which
factors should be taken into account in decisions on whether administrative fines
should be imposed and when determining the amount of the fine. In case of a minor
infringement, IMY may, as stated in Recital 148, instead of imposing a sanction fee,
issue a reprimand pursuant to Article 58(2)(b). In this assessment, regard shall be
taken to aggravating and mitigating circumstances in the case, such as the nature of
the infringement, severity and duration as well as previous infringement of relevance.
IMY notes that the time passed before the company acted was relatively short. The
data in question was not special category data nor other types of particularly integrity-
sensitive data. The infringement was negligent, and when the company understood the
complainant's intentions actions were taken. Against this background IMY considers
that it is a matter of a minor infringement within the meaning of recital 148 and that
Readly AB should be given a reprimand pursuant to Article 58(2)(b) of the GDPR for
the stated infringement.
This decision has been made by the specially appointed decision-maker
after presentation by legal advisor .Privacy Protection Authority Our ref: Di-2021-10547 7(7)
Date:2022-04-01
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority’s contact information is shown in the first page of the
decision.
