IMY (Sweden) - DI-2021-3399: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 71: | Line 71: | ||
}} | }} | ||
In an [[Article 60 GDPR]] decision, the Swedish DPA reprimanded a company selling rollators and wheelchairs for violations of [[Article 6 GDPR|Articles 6]] and [[Article 13 GDPR|13(1)(e) GDPR]]. The company | In an [[Article 60 GDPR]] decision, the Swedish DPA reprimanded a company selling rollators and wheelchairs for violations of [[Article 6 GDPR|Articles 6]] and [[Article 13 GDPR|13(1)(e) GDPR]]. The company sent the data subject's order confirmation to the e-mail domain provider, since the data subject had provided an invalid e-mail address and could not be reached by the controller. Also, in its privacy policy, the controller only referred to its processor, which it had enlisted for anti-fraud purposes, by stating it as an '''external resource''<nowiki/>', which was not specific enough according to the DPA. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject ordered a product from the German website of Trionic, a company selling wheelchairs among other products. At a certain point, the data subject claimed that the controller had become suspicious of his email address | The data subject ordered a product from the German website of Trionic, a company selling wheelchairs among other products. At a certain point, the data subject claimed that the controller had become suspicious of his email address he had used to place the order. It is not clear from the decision how the data subject noticed that the controller had doubts about this email address. It is however clear from the decision that the data subject decided to cancel his order at a certain point. | ||
According to the data subject, the controller then sent a copy of his order confirmation to the domain provider of the data subject's email | According to the data subject, the controller then sent a copy of his order confirmation to the domain provider of the data subject's email provider. The data subject communicated his dissatisfaction about this practice to the controller. The data subject also complained about some other practices, such as the fact that the controller was sharing personal data with another company, despite the fact that this was not mentioned in the privacy policy. | ||
The controller clarified its several processing operations and the legal bases used for these processing operations. It also replied to several allegations from the data subject. | The controller clarified its several processing operations and the legal bases used for these processing operations. It also replied to several allegations from the data subject. | ||
<u>First</u>, the controller suspected at first that the data subject had provided an incorrect personal e-mail address for this order. When the controller tried to contact the data subject with the provided telephone number, this | <u>First</u>, the controller suspected at first that the data subject had provided an incorrect personal e-mail address for this order. When the controller tried to contact the data subject with the provided telephone number, this did not work. It turned out that the data subject had provided a fax number instead of a telephone number. Because there was no other way to contact the data subject, <u>the controller decided to send the order confirmation to the 'info' e-mail address of the data subject's e-mail domain</u>. Besides the fact that the controller claimed that this was the only way to contact the data subject, the controller also stated that it was legally obligated to do so pursuant to [[Article 5 GDPR|Article 5(1)(d) GDPR]]. The controller did not explicitly mention [[Article 6 GDPR|Article 6(1)(c)]] GDPR, but it did mention that it was using the legal bases of 'legal obligation'. | ||
The controller also clarified that its customers were generally around 60–90 years old. It was common for these customers to make unintentional errors when ordering from the controller's online store. | |||
On an unspecified date, the data subject filed a complaint at a German DPA (not specified which German DPA). On another unspecified date, | <u>Second</u>, the controller allowed its customers to pay with invoice in the German market. However, the controller had experienced before that these invoices were not always paid. To prevent this from happening again, <u>the controller shared several categories of the data subject's personal data with its processor, providing fraud control services</u>. The controller's legal basis for this processing was [[Article 6 GDPR|Article 6(1)(f) GDPR]], for the controller's legitimate interest to prevent fraud. It also provided its assessment why its interests outweighed the interests of the data subject. However, the controller merely referred to this processor in its privacy policy as '''external resources''<nowiki/>', without any further explanation. | ||
On an unspecified date, the data subject filed a complaint at a German DPA (not specified which German DPA). On another unspecified date, his German DPA then transferred the decision to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Norway and a German DPA. | |||
=== Holding === | === Holding === | ||
The DPA assessed the processing operations of the controller and determined for each of these operations if the controller's use of the applicable legal basis was lawful. | The DPA assessed the processing operations of the controller and determined for each of these operations if the controller's use of the applicable legal basis was lawful. | ||
<u>First</u>, with regard to the sending of the e-mail to the info address of the data subject's email domain, the DPA acknowledged that the controller had to comply with [[Article 5 GDPR|Article 5(1)(d) GDPR]]. However, this provision also only permitted the processing of personal data that was strictly necessary. In this case, the DPA held that there were less coercive measures which the controller could have taken | <u>First</u>, with regard to the sending of the e-mail to the info address of the data subject's email domain, the DPA acknowledged that the controller had to comply with [[Article 5 GDPR|Article 5(1)(d) GDPR]]. However, this provision also only permitted the processing of personal data that was strictly necessary. In this case, the DPA held that there were less coercive measures which the controller could have taken, such as sending a fax to the data subject, which would have been possible. The processing was therefore not necessary. The DPA determined that [[Article 6 GDPR|Article 6(1)(c) GDPR]] and no other legal basis could be used for this processing. Therefore, the controller violated [[Article 6 GDPR|Article 6(1)GDPR]]. | ||
<u>Second</u>, the DPA held that the controller could rely on [[Article 6 GDPR|Article 6(1)(f) GDPR]] for sharing personal data with its processor for anti-fraud purposes. The DPA assessed the following three criteria of the assessment of legitimate interest. ''First'', the DPA noted that the interest of preventing fraud was justified at the time of processing'','' given the fact that it was an actual interest and not just hypothetical at that time and considering the fact that the term 'legitimate interest' should be interpreted broadly''. Second'', the DPA determined that sharing this data with its processor was also necessary for the controller to prevent fraud, because it could not fulfil this purpose in an equally effective manner. It could for example not make a fraud assessment on its own, it needed the processor for this reason. Also, the disclosure of this data was not too extensive or privacy-sensitive in itself. ''Third,'' based on several factors, the DPA determined the interests of the data subject did not outweigh the legitimate interests of the controller. The DPA considered that the controller's interest weight heavily since the data subject's order was paid with a credit purchase. This interest had to be compared with the data subject's interest in preventing their data processed. The DPA considered in this regard that the data subject could reasonably expect the processing by the controller when making a credit purchase on invoice, despite the minor deficiencies of the privacy policy (see below). The DPA also considered that the processing did not appear to be severely privacy invasive and that the data itself was not privacy-sensitive. | |||
For this reason, the controller was allowed to use [[Article 6 GDPR|Article 6(1)(f) GDPR]] for sharing personal data with its processor for anti-fraud purposes. | |||
However, the DPA did determine a violation of [[Article 13 GDPR|Article 13(1)(e) GDPR]] because the processor was only mentioned in the controller's privacy policy as one of it's '''external resources''<nowiki/>' for fraud prevention. The DPA held that this description was not specific enough. | |||
The Swedish DPA determined that this was a minor infringement and issued a reprimand pursuant to [[Article 58 GDPR|Article 58(2)(b) GDPR]]. | The Swedish DPA determined that this was a minor infringement and issued a reprimand pursuant to [[Article 58 GDPR|Article 58(2)(b) GDPR]]. | ||
== Comment == | == Comment == | ||
This summary only includes | This summary only includes the considerations of the DPA where a violation was found. The parts where the DPA did not find a violation were left out. | ||
It is unclear from the decision when the original decision was filed. It is also unclear at which German DPA was filed. Furthermore, it is also unclear when the decision was transferred to the Swedish DPA, the LSA in this decision. | It is unclear from the decision when the original decision was filed. It is also unclear at which German DPA was filed. Furthermore, it is also unclear when the decision was transferred to the Swedish DPA, the LSA in this decision. | ||
Revision as of 08:51, 28 February 2023
| IMY - DI-2021-3399 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 6(1) GDPR Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 13(1)(e) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 10.10.2022 |
| Published: | 21.02.2023 |
| Fine: | n/a |
| Parties: | Trionic Sverige AB |
| National Case Number/Name: | DI-2021-3399 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English English |
| Original Source: | EDPB (in EN) EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR decision, the Swedish DPA reprimanded a company selling rollators and wheelchairs for violations of Articles 6 and 13(1)(e) GDPR. The company sent the data subject's order confirmation to the e-mail domain provider, since the data subject had provided an invalid e-mail address and could not be reached by the controller. Also, in its privacy policy, the controller only referred to its processor, which it had enlisted for anti-fraud purposes, by stating it as an 'external resource', which was not specific enough according to the DPA.
English Summary
Facts
The data subject ordered a product from the German website of Trionic, a company selling wheelchairs among other products. At a certain point, the data subject claimed that the controller had become suspicious of his email address he had used to place the order. It is not clear from the decision how the data subject noticed that the controller had doubts about this email address. It is however clear from the decision that the data subject decided to cancel his order at a certain point.
According to the data subject, the controller then sent a copy of his order confirmation to the domain provider of the data subject's email provider. The data subject communicated his dissatisfaction about this practice to the controller. The data subject also complained about some other practices, such as the fact that the controller was sharing personal data with another company, despite the fact that this was not mentioned in the privacy policy.
The controller clarified its several processing operations and the legal bases used for these processing operations. It also replied to several allegations from the data subject.
First, the controller suspected at first that the data subject had provided an incorrect personal e-mail address for this order. When the controller tried to contact the data subject with the provided telephone number, this did not work. It turned out that the data subject had provided a fax number instead of a telephone number. Because there was no other way to contact the data subject, the controller decided to send the order confirmation to the 'info' e-mail address of the data subject's e-mail domain. Besides the fact that the controller claimed that this was the only way to contact the data subject, the controller also stated that it was legally obligated to do so pursuant to Article 5(1)(d) GDPR. The controller did not explicitly mention Article 6(1)(c) GDPR, but it did mention that it was using the legal bases of 'legal obligation'.
The controller also clarified that its customers were generally around 60–90 years old. It was common for these customers to make unintentional errors when ordering from the controller's online store.
Second, the controller allowed its customers to pay with invoice in the German market. However, the controller had experienced before that these invoices were not always paid. To prevent this from happening again, the controller shared several categories of the data subject's personal data with its processor, providing fraud control services. The controller's legal basis for this processing was Article 6(1)(f) GDPR, for the controller's legitimate interest to prevent fraud. It also provided its assessment why its interests outweighed the interests of the data subject. However, the controller merely referred to this processor in its privacy policy as 'external resources', without any further explanation.
On an unspecified date, the data subject filed a complaint at a German DPA (not specified which German DPA). On another unspecified date, his German DPA then transferred the decision to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Norway and a German DPA.
Holding
The DPA assessed the processing operations of the controller and determined for each of these operations if the controller's use of the applicable legal basis was lawful.
First, with regard to the sending of the e-mail to the info address of the data subject's email domain, the DPA acknowledged that the controller had to comply with Article 5(1)(d) GDPR. However, this provision also only permitted the processing of personal data that was strictly necessary. In this case, the DPA held that there were less coercive measures which the controller could have taken, such as sending a fax to the data subject, which would have been possible. The processing was therefore not necessary. The DPA determined that Article 6(1)(c) GDPR and no other legal basis could be used for this processing. Therefore, the controller violated Article 6(1)GDPR.
Second, the DPA held that the controller could rely on Article 6(1)(f) GDPR for sharing personal data with its processor for anti-fraud purposes. The DPA assessed the following three criteria of the assessment of legitimate interest. First, the DPA noted that the interest of preventing fraud was justified at the time of processing, given the fact that it was an actual interest and not just hypothetical at that time and considering the fact that the term 'legitimate interest' should be interpreted broadly. Second, the DPA determined that sharing this data with its processor was also necessary for the controller to prevent fraud, because it could not fulfil this purpose in an equally effective manner. It could for example not make a fraud assessment on its own, it needed the processor for this reason. Also, the disclosure of this data was not too extensive or privacy-sensitive in itself. Third, based on several factors, the DPA determined the interests of the data subject did not outweigh the legitimate interests of the controller. The DPA considered that the controller's interest weight heavily since the data subject's order was paid with a credit purchase. This interest had to be compared with the data subject's interest in preventing their data processed. The DPA considered in this regard that the data subject could reasonably expect the processing by the controller when making a credit purchase on invoice, despite the minor deficiencies of the privacy policy (see below). The DPA also considered that the processing did not appear to be severely privacy invasive and that the data itself was not privacy-sensitive.
For this reason, the controller was allowed to use Article 6(1)(f) GDPR for sharing personal data with its processor for anti-fraud purposes.
However, the DPA did determine a violation of Article 13(1)(e) GDPR because the processor was only mentioned in the controller's privacy policy as one of it's 'external resources' for fraud prevention. The DPA held that this description was not specific enough.
The Swedish DPA determined that this was a minor infringement and issued a reprimand pursuant to Article 58(2)(b) GDPR.
Comment
This summary only includes the considerations of the DPA where a violation was found. The parts where the DPA did not find a violation were left out.
It is unclear from the decision when the original decision was filed. It is also unclear at which German DPA was filed. Furthermore, it is also unclear when the decision was transferred to the Swedish DPA, the LSA in this decision.
The Swedish DPA and the controller mentioned several legal bases throughout the decision, sometimes without mentioning the specific GDPR provision. For the purposes of this summary, these GDPR provisions have been added.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(11)
Notice: This document is an unofficial translation of the
Swedish Authority for Privacy Protection’s (IMY) final
decision 2022-10-10, no. DI-2021-3399. Only the Swedish
version of the decision is deemed authentic.
Ref no:
Final decision under the General Data
DI-2021-3399, IMI case no.
115749
Protection Regulation – Trionic
Date of final decision:
2022-10-10 Sverige AB
Date of translation:
2022-10-11
Decision of the Swedish Authority for Privacy
Protection (IMY)
The Swedish Authority for Privacy Protection (IMY) finds that Trionic Sverige AB has
processed personal data in breach of
• Article 6(1) of the General Data Protection Regulation (GDPR) by disclosing
the complainant’s personal data with a third party without it being necessary
to comply with a legal obligation,
• Article 13(1)(e) by providing the complainant with insufficiently specific
information about recipients or categories of recipients of the personal data
when processing data for the purpose of combating fraud.
The Swedish Authority for Privacy Protection issues Trionic Sverige AB a reprimand
pursuant to Article 58(2)(b) of the GDPR for the infringement of Articles 6(1) and
13(1)(e) of the GDPR.
Presentation of the supervisory case
The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding
Trionic Sverige AB (Trionic or the company) due to a complaint. The complaint has
been submitted to IMY, as responsible supervisory authority for the company’s
operations pursuant to Article 56 of the General Data Protection Regulation (GDPR).
The handover has been made from the supervisory authority of the country where the
complainant has lodged their complaint (Germany) in accordance with the Regulation’s
provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light
Postal address: of a complaint relating to cross-border processing, IMY has used the mechanisms for
Box 8114
104 20 Stockholm cooperation and consistency contained in Chapter VII GDPR. The supervisory
Website: authorities concerned have been the data protection authorities in Denmark, Norway
www.imy.se and Germany.
E-mail:
imy@imy.se 1
Phone: Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the
and repealing Directive 95/46/EC (General Data Protection Regulation). data and on the free movement of such data,
08-657 61 00Privacy Protection Authority Our ref: DI-2021-3399 2(11)
Date:2022-10-10
The complaint
The complaint states the following.
On behalf of the complainant, a product was ordered via Trionic’s German website.
According to the complainant Trionic, for some reason became suspicious of the e-
mail address used for the order and therefore sent a copy of the order confirmation to
the info-e-mail address provided in the domain where the complainant has their e-mail
address.
Trionic also sent information about the order to a company even though it was not
apparent from the privacy policy that data will be shared with that company.
Furthermore, as of 1 July 2018, the privacy policy is not easily accessible. Clicking on
the “Privacy Policy” link on Trionic’s website opens a new page on the website that
links further to the policy located on another website.
Trionic also reportedly Google searched the name, address and contact details of the
complainant's representative and possibly linked that information to the complainant's
data. Trionic has also stored the entire IPv6 number used when ordering. The privacy
policy states that IP numbers are only processed for operation and maintenance
purposes. Trionic has also continued to store the IP number even after the
complainant canceled the order.
What Trionic Sverige AB has stated
Trionic has mainly stated the following. The company is the data controller for the
processing to which the complaint relates.
Transfer to info-e-mail address on the basis of a legal obligation
Trionic sent a copy of the complainant’s order to an info-e-mail address on the basis of
a legal obligation. Trionic is obliged to take all reasonable steps to ensure that
personal data that are inaccurate in relation to the purposes for which they are
processed are deleted or rectified without delay (cf. Art. 5(1)(d) GDPR). Trionic’s main
target group is people in the age range 60-90 years. It is common for the company’s
customers to make unintentional errors when ordering form in the company’s online
store.
When the company checked the details of the complainant’s order, it reacted to the
fact that the e-mail address contained Trionic’s company name and the company
therefore believed that the buyer had provided an invalid e-mail address. The company
then attempted to contact the customer through the given telephone number in order
to correct the e-mail address provided. The phone number turned out to be a fax
number. In the absence of other contact details, the company visited the domain name
of the email address. There the company found the info-e-mail address that the
company, for valid reasons, thought was the correct e-mail address. The company
then replaced the customer’s e-mail address with the one found and sent the order
confirmation to that e-mail address. At the time, the company considered that it was its'
only possibility to correct the customer’s contact details and that the measure therefore
was necessary.
When Trionic became aware of the mistake, the company found that it was unlikely
that it had resulted in any risk to the complainant’s personal integrity. The reason for
this was, in particular, that the circumstances indicated that the complainant’s personal
data had been disclosed to a very limited circle of (other than the complainant) a family
member and that it was personal data of relatively limited integrity value.Privacy Protection Authority Our ref: DI-2021-3399 3(11)
Date:2022-10-10
Legal basis for disclosure to combat fraud
Trionic has disclosed personal data relating to the complainant to a provider of fraud
control services on the basis of a legitimate interest which, at the time, acted as a data
processor to the company.
The information disclosed consisted of the complainant’s name, e-mail address,
information that it is the complainant's first purchase from Trionic, the complainant’s e-
mail domain name, telephone number, order number, number of items purchased,
currency of the purchase, the value of the purchase, the complainant's invoice,
delivery and IP address.
On the German market, Trionic offers its customers to pay by invoice. It is Trionic that
issues the invoice and accounts for the credit risk. Over the years, Trionic has been
subject to a number of frauds and fraud attempts in the form of customers who choose
to purchase products with invoice payment without the intention to actually pay the
invoice. In order to prevent fraud (the purpose of the processing), Trionic has therefore
used the services of the provider. The data in question have been disclosed to the
service provider on the basis of Trionic’s legitimate interest to prevent fraud. Following
a balancing test considering the complainant’s interests and fundamental rights and
freedoms as set out below, Trionic considers that it has had a legal basis for the
processing.
The processing was necessary to achieve the purpose on the following grounds. The
complainant chose to pay by invoice. The data provided by the customer differed from
the norm, in that the fax number had been entered instead of a regular telephone
number and the e-mail address contained the word “Trionic”. Trionic is responsible for
the credit risk of invoice purchases on the German market and fraud attempts are
2
common for credit purchases in e-commerce. About two percent of all purchases in
Trionic’s online store have been flagged as suspicious by the supplier. Furthermore,
Trionic lacks the competence and resources to perform the type of analysis offered by
the supplier. Against this background, there were no alternatives to the processing in
order to achieve the objective of fraud prevention.
As regards to what the data subject can reasonably expect, the company notes that
the type of analysis offered by the supplier in the context of credit purchases is
common in e-commerce on the European market. The aim is to prevent fraud. It
constitutes a type of supplement to credit assessment. A credit assessment can show
that a buyer is creditworthy, but not that the buyer is indeed the person to whom the
credit assessment relates and that the buyer has a real intention to pay for the
purchase. Therefore, in the case of online credit purchases, consumers must expect
this type of assessment to be carried out.
Regarding the nature of the data, Trionic argues that the supplier’s analysis was based
entirely on the above-mentioned personal data that Trionic shared with the supplier.
This data typically has a relatively limited integrity value, as in many cases it is publicly
available.
As regards the negative consequences, according to Trionic, the potentially negative
consequence of the processing for the complainant is that the credit purchase would
be refused, which is a relatively mild consequence that should not affect the outcome
of the balancing of interests.
2See for example: https://www.svenskhandel.se/sakerhetscenter/amnesomraden/bedragerier/Privacy Protection Authority Our ref: DI-2021-3399 4(11)
Date:2022-10-10
Legal basis for the processing and storage of IP address prior to cancellation
The complainant’s IP address was stored and transferred to the supplier for the
purpose of analysing the complainant’s geographical location at the time of ordering.
These processing operations were carried out for the purposes of fraud prevention
(Objective 1) and for the purpose of identifying and asserting legal interests (Objective
2).
The purpose of fraud prevention is a legitimate interest of Trionic. With regard to the
necessity of the processing, it can be noted that in the case of fraud attempts, the
place of purchase and delivery often does not match the location of the IP address and
the customer’s connection. Along with other warning signs, such as incorrect phone
numbers and a possible IP address connected via anonymisation services, it helps
Trionic avoid fraud. Often, fraudulent buyers have several different e-mail addresses
but usually do not exchange IP address. Therefore, by saving and processing buyers’
IP addresses, Trionic can check the total amount of orders made in the web shop with
the same IP address. Without saving the IP address, none of this would have been
possible.
With regard to what the data subject reasonably can expect, reference is made to the
corresponding assessment regarding the disclosure of anti-fraud data as set out
above.
As for the purpose of establishing and exercising legal claims, Trionic has a legitimate
interest in storing the IP address used in purchases in order to establish and enforce
legal claims, both civil (debt collection) and criminal law (as a plaintiff in fraud
investigations). As regards the necessity of processing, in the case of online credit
purchases without the use of e-identification, there is no better opportunity to establish
the actual identity of the buyer than to document the IP address used in the purchase.
Proof of the identity of the buyer is directly necessary in order to recover past due
claims and to obtain conviction in the event of fraud.
Regarding what the data subject can reasonably expect, Trionic has made the
assessment that from the point of view of the data subject it should appear more or
less obvious that e-commerce companies save the IP address of the credit purchaser
in connection with purchases in order to be able, if necessary, to establish the identity
of the buyer and to recover past due claims and to be able to pursue criminal claims in
the event of fraud. Furthermore, Trionic has considered that the IP address has a
limited privacy value that does not outweigh Trionic’s need to establish and enforce
legal claims and that the processing does not risk to cause any significant
consequences for buyers. The most obvious consequence may be that the purchase
will be denied.
Legal basis for continued storage of IP address after cancellation
Trionic continued to save the complainant’s IP address for the purchase after the order
was cancelled. However, Trionic deleted it after receiving the complaint, which it
interpreted as a request for deletion.
Trionic considers that the company has a legitimate interest in saving the IP address
used for the purchase in order to establish and enforce legal claims, both civil
(receivable recovery) and criminal law (as plaintiff in fraud investigations). This also
applies in the case of cancellations as it may have civil and criminal implications within
the limitation period.Privacy Protection Authority Our ref: DI-2021-3399 5(11)
Date:2022-10-10
The processing is necessary in the same way as before cancellation.
Concerning what the data subject could reasonably expect, it is the same as for
storage prior to cancellation, with the addition that, in Trionic’s view, the assessment is
not affected by the fact that it concerns a cancelled purchase, since it may have civil
and criminal implications within the limitation period. However, as mentioned above,
after receiving the complaint, Trionic decided to delete the complainant’s IP address.
Easily accessible information to the data subject
Trionic states that before confirming the purchase, the complainant had the opportunity
to read Trionic’s Privacy Policy by clicking on a link in the text “[I] have read the Terms
and Conditions and Privacy Policy and approves them.” It was then also possible for
the complainant to access the Privacy Policy by clicking on a link on the company’s
website. Due to a loading error, at the time of the complaint, two clicks were required
to reach the privacy policy, which has since been corrected. The policy could also be
accessed by just one click on a link to the policy at the bottom of the footer of the
Trionic website.
Information on the processing to combat fraud and the storage of IP addresses
As regards information on anti-fraud, the processing activities section states:
“Data processing is carried out using computers or IT-based systems in accordance
with organisational procedures, which are specifically aimed at the stated purposes. In
addition to the responsible person, other internal personnel (personnel management,
sales, marketing, legal department, system administrators), or external resource —
with the responsible person as principal (such as technical service providers, delivery
companies, hosting providers, IT companies or communication agencies) — may
operate this website and thus have access to the information. An up-to-date list of
3
these participants may be requested at any time from the provider (Trionic).”
Trionic is aware of its obligation under Article 13 of the GDPR to inform about the
recipients or categories of recipients who are to access the personal data. The text
above states, inter alia, that Trionic may pass on personal data to external resources.
With the complainant’s complaint, the company has reviewed the privacy policy and
decided to amend it to explicitly indicate that personal data may be disclosed to
companies that analyse the fraud risk of credit purchases.
With regard to information about the storage of the IP address, the Privacy Policy
specifies which data is processed by Trionic or by third parties. It states that so-called
“user data” is stored when it is provided voluntarily by the user or collected
automatically when using the online store and includes the user’s IP address.
Furthermore, it is clear that collected personal data may be processed in order to
safeguard Trionic’s rights and interests. Trionic informed about this in the same way as
in the case of anti-fraud.
3Unofficial translation made by the Swedish Authority for Privacy Protection. Original wording: Databehandlingen
utförs med hjälp av datorer eller IT-baserade system enligt organisatoriska förfaranden, som är specifikt inriktade på
de angivna syftena. Förutom den ansvariga personen kan annan intern personal (personalhantering, försäljning,
marknadsföring, juridisk avdelning, systemadministratörer), eller extern resurs - med den ansvariga person som
uppdragsgivare (såsom leverantörer av tekniska tjänster, leveransföretag, värdleverantörer, IT-företag eller
kommunikationsbyråer) - driva denna webbplats och därmed ha tillgång till informationen. En aktuell lista över dessa
deltagare kan när som helst begäras från leverantören (Trionic).Privacy Protection Authority Our ref: DI-2021-3399 6(11)
Date:2022-10-10
Search for the applicant’s data via search engines
Trionic has not sought the stated contact details on Google and brought them together
with the complainant’s data as alleged in the complaint.
Justification of the decision
Applicable provisions, etc.
Article 6(1) of the GDPR contains a list of possible legal bases for processing of
personal data. One of the legal bases set out in this paragraph must be applicable in
order for the processing to be lawful. The points applicable in the case are points
6(1)(c) and (f).
According to Article 6(1)(c), processing is lawful if it is necessary for the performance
of a legal obligation incumbent the controller.
In order for processing to be based on Article 6(1)(f), all three conditions provided
therein must be fulfilled, namely, firstly, that the controller or third party has a legitimate
interest (legitimate interest), secondly that the processing is necessary for purposes of
legitimate interest (necessary) and third that the interests or fundamental rights and
freedoms of the data subject do not weigh heavier and require the protection of
personal data (balance of interest).
Recital 47 of the GDPR states that processing of personal data strictly necessary for
the purposes of preventing fraud also constitutes a legitimate interest of the data
4
controller concerned. Furthermore, the Article 29 Working Party has previously stated
that preventing abuse is a legitimate interest under the corresponding rules of the
previously applicable Data Protection Directive, as long as the interest is "acceptable
5
under the law" in the broadest sense of the term.
Article 13 sets out the information to be provided by the controller to the data subject
where the personal data are collected from the data subject. Under Article 13(1)(e) the
controller shall provide the data subject with information on the recipients or categories
of recipients of the personal data. According to Article 4(9), the term “recipient” means
for an example a natural or legal person to whom the personal data are disclosed,
whether a third party or not.
Assessment of the Authority for Privacy Protection (IMY)
Legal basis
Transfer to the info e-mail address on the basis of a legal obligation
Trionic stats that the sending of the complainant’s order confirmation to the info-e-mail
address — which was a different e-mail address from the one that the complainant
filled in — was made on the basis of a legal obligation. The obligation is to comply with
the obligation under Article 5(1)(d) GDPR to take all reasonable steps to ensure that
personal data that are inaccurate in relation to the purposes for which they are
processed are deleted or rectified without delay.
4The Working Party was established under Article 29 of Directive 95/46/EC and was an independent EU advisory
body on data protection and privacy issues. With the entry into force of the GDPR, he Working Party has been
replaced by the European Data Protection Board (EDPB) (see Articles 68 and 94(2) of the GDPR).
5Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of
Directive 95/46/EC of 9 April 2014, WP 217, p. 25.Privacy Protection Authority Our ref: DI-2021-3399 7(11)
Date:2022-10-10
IMY notes that although Article 5(1)(d) constitutes a legal obligation for Trionic, it only
permits the processing of personal data that is necessary. IMY observes that there
were less coercive measures which the company could have taken that would have
led to a lower risk of unauthorised disclosure of the complainant's data. For example,
Trionic could have sent the order to the stated e-mail address and consider further
measures, for example, if the company received an automatic e-mail server response
that the message could not be delivered. The company could also have, for example,
refrained from processing the order until the complainant contacted them again, send
a regular letter to the address filled in by the complainant or send a fax to the fax
number indicated. IMY therefore concludes that the processing was not necessary and
that the company did not demonstrated that the processing could be based on this
legal basis.
Since it has not been established that Trionic had any other legal basis for the
processing, the company has therefor processed the complainant’s personal data in
breach of Article 6(1) and thus not met the requirement to have a legal basis for the
processing.
Legal basis for disclosure to combat fraud
The investigation shows that Trionic has disclosed the complainant's personal data to
a provider offering anti-fraud services. Trionic argues that the processing had a legal
basis in the company’s legitimate interest in preventing fraud, i.e. Article 6(1)(f) of the
GDPR.
IMY notes that it is therefore necessary for the company to be able to demonstrate that
three conditions are met:
• there are one or more legitimate interests
• the processing of personal data is necessary for a purpose relating to the
legitimate interests
• the interests or fundamental rights and freedoms of data subjects do not
outweigh the company’s legitimate interests (balance of interests).
IMY notes that what may be a legitimate interest should be interpreted broadly. The
decisive factor is whether the interest is permitted by law or otherwise generally
recognised in the rule of law. Insignificant interests do not weigh as heavily as
important or compelling interests, but are important only in the balancing of interests.
However, if an interest is not justified and legitimate, the balancing of interests shall
not be carried out, as the initial threshold of this legal basis will not be reached.
It must also be an actual interest at the time of the processing and not an interest
which is hypothetical at that time. If there are evidence that the interest is not
hypothetical, the condition is satisfied, but it may also be sufficient that the interest
typically appears to be factual.
IMY finds that the interest presented by Trionic — to prevent fraud — was justified (cf.
recital 47 of the GDPR) and actual at the time of processing.
IMY notes that the requirement of necessity means that the interests which the
processing is intended to protect could not reasonably be protected in an equally
effective manner by other means less intrusive on the fundamental rights and
freedoms of data subjects. The condition must be examined together with the principlePrivacy Protection Authority Our ref: DI-2021-3399 8(11)
Date:2022-10-10
of data minimisation which means, among other things, that personal data should not
be processed unnecessarily.
According to IMY, the processing — the disclosure of the data to the anti-fraud service
provider — was necessary in order to fulfil the purpose which Trionic could not
reasonably fulfil in an equally effective manner by, for example, carrying out such an
assessment itself. This assessment also considers the fact that the disclosure was not
too extensive or privacy sensitive in itself.
IMY notes that the third condition under Article 6(1)(f), balancing of interests, is carried
out by making an overall assessment, considering in particular:
• the seriousness of the violation that the processing entails for the data subject
• what data subjects reasonably can expect in that situation and
• what security measures have been taken.
When balancing the company's legitimate interests on one hand against the
complainant's interests, rights and freedoms on the other, IMY finds that the
company's interests weighs heavily especially considering it is a credit purchase. This
must be weighed against the complainant’s interest in not having their data processed
or not risking being denied the purchase of the credit.
The processing appears, in IMY’s view, to be something that the complainant could
reasonably expect when making a credit purchase on invoice, despite the minor
deficiencies in the information identified below by IMY in relation to the information
provided on that category of recipients of the data. With regard to the seriousness of
the violation, IMY finds that the processing does not appear to be highly violating of
privacy and that the data itself is not privacy sensitive. When it comes to protective
measures, there has been no evidence of relevance for the assessment in this case.
In an overall assessment IMY finds that the company has shown that the
complainant’s interests or fundamental rights and freedoms do not outweigh the
company's legitimate interests for the processing.
In conclusion, the company has demonstrated that the conditions laid down in Article
6(1)(f) are met and the company therefore had a legal basis for the processing.
Legal basis for the processing and storage of IP address prior to cancellation
Trionic states that it processed and stored the complainant’s IP address prior to
cancellation on the basis of the legitimate interests of (1) preventing fraud and (2)
being able to establish and enforce legal interests.
IMY has already considered that the disclosure of, inter alia, the complainant’s IP
number in order to prevent fraud had a legal basis. There has been no reason to make
any other assessment regarding Trionic’s own continued processing and storage of
that information before the complainant cancelled their order.
Furthermore, IMY considers that there were no grounds for calling into question the
legality of Trionic’s processing before the cancellation was made in order for Trionic to
be able to establish and enforce legal claims.
The processing of the complainant's IP number therefore had a legal basis.Privacy Protection Authority Our ref: DI-2021-3399 9(11)
Date:2022-10-10
Legal basis for processing and storing IP address after cancellation
Trionic states that the complainant’s IP address was also saved for a certain period
after the order was cancelled, on the basis of its legitimate interest of being able to
establish and enforce legal claims. However, the data was deleted after the
complainant's request.
In view of the fact that Trionic deleted the data in response to the complainant’s
request and thereby satisfied the complainant’s rights, IMY considers that the subject
matter of the complaint has been examined to the extent appropriate. IMY does not
therefore investigate whether Trionics had a legal basis for storing the complainant’s
IP number after the cancellation or whether the company’s general storage periods are
well balanced.
Easily accessible information to the data subject
It is apparent from the company’s own information that, at the time of the complaint,
two clicks were required for the complainant (considering the links the complainant
chose to fallow) to be able to access Trionic’s privacy policy on its website. The
investigation also shows that the information was accessible on the website with fewer
clicks (one) in two other ways.
Against this background, and the fact that Trionic also has taken steps to ensure that
the policy requires only one click, IMY considers that the subject matter of the
complaint in this part has been investigated to the extent appropriate.
Information to the data subject on the processing for the purposes of combating
fraud and storage of IP address
The investigation shows that Trionic has disclosed the complainant’s data to a supplier
for the purpose of combating fraud. In order to comply with the obligation to provide
information to the complainant, Trionic had indicated in its privacy policy at the time
that personal data could be passed on to ‘external resources’. Trionic has now
changed this information so that it is explicitly stated that personal data may be
disclosed to companies that analyse the fraud risk of credit purchases.
IMY considers that the information provided to the complainant — “external resources”
— was not sufficiently specific to meet the requirement of Article 13(1)(e) GDPR to
inform the data subject about the recipient (the actual provider) or the categories of
recipients (anti-fraud service providers) who would receive the personal data in the
case. Trionic therefore infringed Article 13(1)(e).
Searching for the complainant’s data on search engines
The complainant has stated that Trionic has searched contact details on a search
engine and gathered them together with the complainant’s data. The statement was
rejected as by Trionic.
IMY considers that there has been no reason to question the company’s statement.
The investigation in the case does not therefore show that Trionic has processed the
complainant’s personal data in breach of the General Data Protection Regulation in
this part.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the
power to impose administrative fines in accordance with Article 83. Depending on thePrivacy Protection Authority Our ref: DI-2021-3399 10(11)
Date:2022-10-10
circumstances of the case, administrative fines shall be imposed in addition to or in
place of the other measures referred to in Article 58(2), such as injunctions and
prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into
account when deciding on administrative fines and in determining the amount of the
fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of
imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider are
the aggravating and mitigating circumstances of the case, such as the nature, gravity
and duration of the infringement and past relevant infringements.
IMY notes the following relevant facts. The violations have affected one person, the
personal data in question was not privacy-sensitive and the company has not
previously been found to have infringed the GDPR. Furthermore, Trionic Sverige AB
has improved its information to data subjects and acted in response to the complaint.
Against this background IMY considers that it is a minor infringement within the
meaning of recital 148 and that Trionic Sverige AB must be given a reprimand
pursuant to Article 58(2)(b) of the GDPR.
This decision has been made by the specially appointed decision-maker
after presentation by legal advisor .Privacy Protection Authority Our ref: DI-2021-3399 11(11)
Date:2022-10-10
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority’s contact information is shown in the first page of the
decision.
