Persónuvernd (Iceland) - 2021102040: Difference between revisions
mNo edit summary |
(→Facts: Language updates) |
||
(5 intermediate revisions by 3 users not shown) | |||
Line 77: | Line 77: | ||
}} | }} | ||
The Icelandic DPA held that a controller did not violate the GDPR by storing the data subject's phone number in its database because their legitimate interest in research outweighed the interests of the data subject. Moreover, the controller could rely on the exception of [[Article 14 GDPR|Article 14(b)(5) GDPR]] to not inform their data subjects about the processing of personal data as this would have caused excessive costs. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The dispute concerns an issue where the research company Gallup (the controller) looks up data subjects' phone numbers on the online database ''www.ja.is'' and stores these in their internal database, to be able to call the data subjects and invite them to participate in surveys. A data subject lodged a complaint against this processing of their personal data, arguing that they never agreed to the processing, nor did the controller inform them about the processing and purposes for the processing. | |||
The controller claimed that the processing of personal data in question was necessary because of their legitimate interests in ensuring sufficient research quality and participation rate, including allowing for all adult citizens to have an equal opportunity to respond to national registry surveys. Even without a database, the controller would have to research and call participants. Further, the controller stored personal data in a do-not-call list to avoid contacting data subjects again who had previously objected to this. The controller concluded that the disadvantages for the processing activities were minimal for the data subjects. | |||
The complaint | === Holding === | ||
The Icelandic DPA rejected the complaint. The DPA noted that pursuant to [[Article 6 GDPR|Article 6 GDPR,]] personal data may be processed if it is necessary for the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data are outweighed. | |||
Based on this provision, the DPA agreed with the controller that if they had to look up the phone numbers of every single person in the national register sample for every survey, it would entail a lot of time-consuming work and could have a negative effect on the quality of research. In addition, Gallup uses the phone number database to keep track of those individuals who have declared to the company's staff that they no longer wish to be invited to participate in the company's research. The DPA therefore held that the controller may therefore have a legitimate interest in saving data subjects' phone numbers in the company's internal database, and the processing may be necessary for those purposes. | |||
The DPA pointed out that there is an obligation to provide data subjects with information pursuant to [[Article 14 GDPR]]. Nevertheless, according to [[Article 14 GDPR|Article 14(b)(5) GDPR]], the obligation does not apply to the extent that its costs would be excessive. In the opinion of the DPA, this exception applies to the controller's processing. All persons who agree to participate in a survey by the controller are informed at the beginning of the call that information on the processing of personal information can be found in the controller's privacy policy on its website. | |||
Pursuant to [[Article 21 GDPR]], data subjects may object to the processing of their data when this is done on the legal basis of legitimate interest. If a data subject raises objections, the controller suppresses their phone number in their database to avoid contacting them again. | |||
Considering everything mentioned above, the DPA held that the controller did not violate the GDPR with its processing. | |||
== Comment == | == Comment == |
Latest revision as of 12:54, 17 December 2022
Persónuvernd - 2021102040 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 21 of Regulation (EU) 2016/679 Article 5 of regulation (EU) 2016/679 Article 14 of regulation (EU) 2016/679 Article 6 of regulation (EU) 2016/679 Article (9) Act on Data Protection and the Processing of Personal Data Article 17 Act no. 90/2018 Article 21 Act no. 90/2018 Article 8 Act no. 90/2018 |
Type: | Complaint |
Outcome: | Rejected |
Started: | 20.10.2021 |
Decided: | 23.11.2022 |
Published: | 23.11.2022 |
Fine: | n/a |
Parties: | Complainant GI rannsókna ehf. (Gallup) |
National Case Number/Name: | 2021102040 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Persònurvend (Icelandic Data Protection Authority) (in IS) |
Initial Contributor: | flkaiser |
The Icelandic DPA held that a controller did not violate the GDPR by storing the data subject's phone number in its database because their legitimate interest in research outweighed the interests of the data subject. Moreover, the controller could rely on the exception of Article 14(b)(5) GDPR to not inform their data subjects about the processing of personal data as this would have caused excessive costs.
English Summary
Facts
The dispute concerns an issue where the research company Gallup (the controller) looks up data subjects' phone numbers on the online database www.ja.is and stores these in their internal database, to be able to call the data subjects and invite them to participate in surveys. A data subject lodged a complaint against this processing of their personal data, arguing that they never agreed to the processing, nor did the controller inform them about the processing and purposes for the processing.
The controller claimed that the processing of personal data in question was necessary because of their legitimate interests in ensuring sufficient research quality and participation rate, including allowing for all adult citizens to have an equal opportunity to respond to national registry surveys. Even without a database, the controller would have to research and call participants. Further, the controller stored personal data in a do-not-call list to avoid contacting data subjects again who had previously objected to this. The controller concluded that the disadvantages for the processing activities were minimal for the data subjects.
Holding
The Icelandic DPA rejected the complaint. The DPA noted that pursuant to Article 6 GDPR, personal data may be processed if it is necessary for the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data are outweighed.
Based on this provision, the DPA agreed with the controller that if they had to look up the phone numbers of every single person in the national register sample for every survey, it would entail a lot of time-consuming work and could have a negative effect on the quality of research. In addition, Gallup uses the phone number database to keep track of those individuals who have declared to the company's staff that they no longer wish to be invited to participate in the company's research. The DPA therefore held that the controller may therefore have a legitimate interest in saving data subjects' phone numbers in the company's internal database, and the processing may be necessary for those purposes.
The DPA pointed out that there is an obligation to provide data subjects with information pursuant to Article 14 GDPR. Nevertheless, according to Article 14(b)(5) GDPR, the obligation does not apply to the extent that its costs would be excessive. In the opinion of the DPA, this exception applies to the controller's processing. All persons who agree to participate in a survey by the controller are informed at the beginning of the call that information on the processing of personal information can be found in the controller's privacy policy on its website.
Pursuant to Article 21 GDPR, data subjects may object to the processing of their data when this is done on the legal basis of legitimate interest. If a data subject raises objections, the controller suppresses their phone number in their database to avoid contacting them again.
Considering everything mentioned above, the DPA held that the controller did not violate the GDPR with its processing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Processing of personal information by Gallup Case no. 2021102040 23.11.2022 In general, individuals have the right to object to the processing of personal data, and the controller must take care of their right to object. In this case, a person objected to being registered in a company's phone number database, but the controller's processing was based on the company's legitimate interests. The company responded by banning the individual's phone number from the phone number database. ---- Personal data protection ruled in a case where a complaint was made about the processing of personal information by Gallup. More specifically, a complaint was made that the complainant's phone number was saved in the company's phone number database for the purpose of using it in connection with outgoing calls due to an invitation to participate in surveys organized by Gallup. The conclusion of the Personal Protection Agency was that Gallup's processing was in line with the law on personal protection and the processing of personal information. Ruling about a complaint about the processing of personal information by GI research ehf. in case no. 2021102040: i Procedure On October 20, 2021, Personal Protection complaints were received by [A] (hereinafter the complainant), dated 17 and 31 March 2021, regarding the processing of personal information about him by GI research ehf. (hereafter Gallup) but the complaints were forwarded from Fjarskiptastofa. Specifically, both complaints allege that Gallup had stored the complainant's phone number in the company's phone number database for the purpose of using it in connection with outgoing calls for invitations to participate in Gallup surveys. Personal protection invited Gallup to comment on the complaint by letter dated May 4, 2022, and the company's answers were received by letter, dated 3 June s.á. Personal protection requested further clarifications from Gallup by letter dated 24 p.m., and the company's more detailed answers were received by e-mail on July 14 p.m. The complainant was then given the opportunity to provide comments on Gallup's responses by letter dated 15 July s.á., and they were received by e-mail on 12 August s.á. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling. ___________________ There is a dispute over Gallup's authorization to save the complainant's phone number in the company's phone number database for the purpose of using it in connection with outgoing calls due to an invitation to participate in surveys. The complainant initially directed his complaints to Fjarskiptastofa due to unsolicited electronic communications. However, the Telecommunications Agency forwarded the complaints to Personal Protection in accordance with paragraph 2. Article 7 administrative law, no. 37/1993, where the organization considered the Gallup calls in question not to meet the conditions of Article 46. the then applicable Electronic Communications Act, no. 81/2003, about being part of marketing, and therefore it would not be an unsolicited electronic transmission which is monitored by the Telecommunications Agency. The complainant relies on the fact that Gallup was not allowed to add his phone number to the company's phone number database on February 3, 2013, by looking it up on the website www.ja.is. The complainant refers to the fact that he did not agree to the processing, in addition to the fact that his telephone number was banned in the telephone directory and therefore it would have been correct to make sure that he agreed to the registration. Also, Gallup did not inform him about the registration or the purpose of the processing, as the company should have done. Gallup is based on the fact that the said processing of personal information is necessary for the company's legitimate interests. It is pointed out that Gallup is a research and information company that for years has been a leader in measuring the attitude of the Icelandic people to diverse issues. The company bases its activities on research and needs to uphold certain quality standards to ensure reliability in its research. The quality of the sample and the participation rate are the basis of research, and therefore the company does everything it can to ensure that all adult citizens have an equal opportunity to answer surveys in the national register sample. Gallup is based on the fact that the company's phone number database contributes to the increased quality of research and the participation rate, as a national register sample is run together with the database, so that it is not necessary to repeatedly search for the phone numbers of survey participants every time, as that would be a lot of work and time consuming. In the company's opinion, this would have a very negative effect on the quality of research, as it would be unworkable to look up all the numbers for every single survey, and the company would thus not have such good sample information. In addition, Gallup uses the phone number database to keep track of information about those individuals who do not want to be invited to participate in the company's research and those individuals are then banned from the phone number database. Gallup also refers to the company's assessment that registration in the telephone number database does not result in significant disadvantages for individuals. Gallup would still look up numbers and contact those individuals who had registered numbers for the purpose of conducting research. The company cannot know if a person, who is not on the National Register's banned list, wants to participate in an investigation until they have been contacted and it is easy to convey that the person does not want to be contacted in the future. Gallup's interests in keeping track of information in the telephone number database outweigh the interests of individuals in not being registered in the database. At the same time, Gallup emphasizes that information from the company's phone number database is only used for the purpose of contacting the individuals who are included in national register samples in Gallup's research and that the processing is disclosed in the company's privacy policy. II. Conclusion 1. Lawfulness of processing This case concerns the processing of personal information about the complainant, which consists in the fact that his phone number has been saved in Gallup's phone number database. It is known that the complainant's telephone number was registered in the telephone number database on February 3, 2013, or during the period of validity of the previous law on personal protection and processing of personal information no. 77/2000. However, since this complaint focuses on a situation that still exists, ie the complainant's phone number is still saved in Gallup's phone number database, the case will be resolved on the basis of Act no. 90/2018. According to the foregoing, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency. GI research ehf. (Gallup) are considered to be responsible for the processing in question according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679. All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. For example, personal data may be processed if it is necessary for the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data are outweighed, especially when the data subject is a child, cf. Number 6. of the legal provision and section f of the regulatory provision. As is the case here, in the opinion of the Data Protection Authority, it cannot be seen that other processing authorizations according to the aforementioned provision can be considered. In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision. Gallup's activities primarily include conducting market and human resources research and opinion polls. It must be agreed with Gallup that if it were necessary to look up the telephone numbers of every single person in the national register sample for every survey, it would entail a lot of time-consuming work and could have a negative effect on the quality of research. In addition, Gallup uses the phone number database to keep track of those individuals who have declared to the company's staff that they no longer wish to be invited to participate in the company's research. In the opinion of the Data Protection Authority, Gallup may therefore have a legitimate interest in saving individuals' telephone numbers in the company's telephone number database, and the processing may be necessary in the interest of those interests. When explaining principle 1. no. Paragraph 1 Article 8 Act no. 90/2018, which pertains to the fair and transparent processing of personal data, among other things, it is necessary to consider the provisions of the law and the regulation on the educational obligation of the responsible party towards the data subject that we have in each case, cf. Article 17 Act no. 90/2018 and Article 14 of regulation (EU) 2016/679. However, the responsible party's training obligation does not apply if and to the extent that it costs excessive effort to provide the training, cf. point b of paragraph 5 Article 14 of the regulation. In that regard, i.a. to take into account the number of registered persons, cf. Section 62 of the preamble of the regulation. In the opinion of the Personal Protection Authority, the exemption clause of paragraph 5. Article 14 of the regulation applies to the processing of personal information by Gallup, which consists in saving the telephone numbers of individuals in the company's telephone number database. All persons who agree to participate in a survey by Gallup are informed at the beginning of the call that information on the processing of personal information by Gallup can be found in the privacy policy, which is available on the company's website, www.gallup.is. Gallup's privacy policy includes, among other things, to find information that, in order to fulfill its role, Gallup keeps track of more specified information, i.e. on m. about the name and phone number of individuals in order to give them the option to participate in surveys. With reference to the above, it will be the same as here to consider that the said processing of personal information is fair and transparent towards the data subject. When the processing of personal data is carried out on the basis of legitimate interests, the data subject is entitled to object to the processing, and the controller must then take care of the data subject's right to object. The provisions of Article 21 apply to the right of objection of registered persons. Act no. 90/2018. According to paragraph 1 of that article, registered persons are permitted, among other things, to object to the processing of personal information about them based on point f, paragraph 1. Article 6 of Regulation (EU) 2016/679 and the controller shall not process the personal data further unless he can demonstrate important legitimate reasons for the processing that override the interests, rights and freedoms of the data subject. In the case, it is known that the complainant's wife was included in a census sample at Gallup. The national registry sample was run against Gallup's phone number database, and subsequently the company used the complainant's home phone number twice for the purpose of contacting his wife. The complainant raised objections with the Gallup employee in the aforementioned calls. According to Gallup, the complainant and his wife have now been banned from Gallup's phone number database and will therefore not be contacted by the company for any purpose. Registration of individuals' telephone numbers in Gallup's telephone number database is thus part of respecting individuals' right to object, cf. Article 21 Act no. 90/2018, but companies need to keep track of when individuals object to receiving further phone calls and respect those objections. With reference to the above, it is the opinion of the Personal Protection Agency that Gallup has responded to the objections of the complainant in an adequate manner. It will therefore not be considered that Gallup has violated its duty according to Article 21. Act no. 90/2018 and Article 21 of regulation (EU) 2016/679. In view of all the above, it is the conclusion of the Personal Protection Authority that the said processing of personal information about the complainant by Gallup was in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679. Ruling: Gallup's processing of personal information about [A] complies with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679. Privacy, November 23, 2022 Helga Sigríður Þórhallsdóttir Edda Þuríður Hauksdóttir