Datatilsynet (Denmark) - 2019-431-0018: Difference between revisions
No edit summary |
No edit summary |
||
Line 62: | Line 62: | ||
===Holding=== | ===Holding=== | ||
The DPA found that in the context of the controller’s marketing and sale activity, personal data was processed without a valid consent and without a specific, legitimate and explicit purpose. Therefore, it was contrary to Article 5(1)(b) and 6 GDPR. In addition, the DPA found that the controller did not comply with its obligation to provide information under Articles 13 and 14 GDPR because it did not provide precise information regarding the processing of personal data. | The DPA found that in the context of the controller’s marketing and sale activity, personal data was processed without a valid consent and without a specific, legitimate and explicit purpose. Therefore, it was contrary to [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 6 GDPR]]. In addition, the DPA found that the controller did not comply with its obligation to provide information under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]] because it did not provide precise information regarding the processing of personal data. | ||
==Comment== | ==Comment== |
Revision as of 16:29, 6 December 2023
Datatilsynet (Denmark) - 2019-431-0018 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 13 GDPR Article 14 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 21.11.2019 |
Fine: | None |
Parties: | Burda Nordics magazines |
National Case Number/Name: | 2019-431-0018 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | n/a |
The Datatilsynet issued a decision on the importance of the valid consent, the purpose limitation principle and the information to be provided to the data subject.
English Summary
Facts and questions arising
The DPA carried out an investigation against Burda Nordics magazines –the controller– after having found that the controller was recording an important amount of telephone conversations through its sales and marketing activity.
Holding
The DPA found that in the context of the controller’s marketing and sale activity, personal data was processed without a valid consent and without a specific, legitimate and explicit purpose. Therefore, it was contrary to Article 5(1)(b) GDPR and Article 6 GDPR. In addition, the DPA found that the controller did not comply with its obligation to provide information under Articles 13 and 14 GDPR because it did not provide precise information regarding the processing of personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Danish original for more details.
Burda Nordic's recording of telephone conversations Published 21-11-2019 Decision Private companies The Danish Data Protection Agency expresses serious criticism that Burda Nordic's processing of personal data in connection with telephone conversations regarding the sale and marketing of publisher's magazines has been done without valid consent of the data subjects and that Burda Nordic has not complied with the publisher's obligation to provide information. Journal number: 2019-431-0018Agency Summary In January 2019, the Danish Data Protectioninitiated a case of its own operation against Burda Nordic, as the Danish Data Protection Agency had become acquainted with Burda Nordic's recording of telephone conversations during the sale and marketing of Burda Nordic's magazines. On November 21, the Data Inspectorate decided on the case. The audit found that Burda Nordic's processing of personal data in connection with recording telephone calls was done without a valid consent. In addition, the Data Inspectorate found that Burda Nordic did not comply with the publisher's disclosure obligation pursuant to Articles 13 and 14. of the Data Protection Regulation. Burda Nordic has stated that the recordings are used solely to document contractual agreements. To this end, the Data Inspectorate noted that there must always be a real purpose for recording telephone calls, and that companies must therefore consider whether the pursued purpose can be achieved with less intrusive means, e.g. by sending order confirmations via email. Decision The Danish Data Protection Agency hereby returns to the case regarding Burda Nordic A / S 'processing of personal data in connection with telephone conversations regarding the sale and marketing of Burda Nordic's magazines. The Data Inspectorate must note that the Authority can only decide on data protection law issues. Therefore, the Data Inspectorate has not decided on consumer law issues in connection with the case. 1. Decision After reviewing the case, the Data Inspectorate finds that there are grounds for making serious criticism that Burda Nordic's processing of personal data has not been done in accordance with the rules inof the Data Protection1) Article 6 (Regulation. 1, as well as Articles 13 and 14. Below is a detailed examination of the case and a justification for the Authority's decision. 2. Presentation of the case After a number of specific inquiries, the Data Inspectorate became aware of the processing of personal data in connection with telephone conversations regarding the sale and marketing of Burda Nordic's magazines. By letter dated 9 January 2019, the Data Inspectorate asked Burda Nordic a number of questions with a view to the Danish Data Protection Agency's handling of the case. On February 2, 2019, Burda Nordic submitted its comments to the Authority, including screenshots of consent declarations for the collection of personal data in connection with competitions. It appears that recording of telephone calls in connection with inquiries from the sales agencies is done on the basis of the consent given by the data subject in connection with participation in a competition. Burda Nordic processes information about potential new customers including know that lead agencies collect contact information through competitions where the registrants, as part of the competition conditions, agree that Burda Nordic must make inquiries by telephone, e-mail, letter and sms. Participation in the lead agencies' competitions requires that the registrants accept the competition conditions, including accepting that a number of partners must subsequently contact the registrants for the sale and marketing of their products. It is also clear that the registrants - before accepting the terms of competition - can click in and see which partners can subsequently contact the registrants. In the list of partners it is possible to unsubscribe from individual companies. Thus, if the registrants do not actively unsubscribe from the companies, they agree to be contacted by all the competition partners according to the competition conditions. 2.1. Burda Nordic's comments Burda Nordic has stated in the case that, for example, the publishing and marketing of subscriptions to their magazines only processes non-sensitive personal information, including information about name, address, telephone number and e-mail address. The information is processed on the basis of Article 6 (2) of the Data Protection Regulation. 1 (a), on consent. The consent is obtained through lead agencies who collect contact information on registered persons through competitions. When the registrants participate in the lead agency's competition and accept the terms of the competition, they consent to being contacted by Burda Nordic. It is stated in the consent declaration that Burda Nordic can contact the registered person regarding subscription to sewing and fashion magazines. In addition, Burda Nordic has stated that they use external sales agencies to contact the registrants through the contact information purchased from the lead agencies. The external sales agencies contact potential customers by telephone on Burda Nordic's behalf in order to sell subscriptions to the publisher's magazines. Data processing agreements have been made with the sales agencies. On recording telephone calls, Burda Nordic has stated that parts of the conversation between the sales agencies and the registered person are recorded and saved if a purchase agreement is made. Burda Nordic has stated that the registrants, when accepting the terms of competition, are informed that the conversation can be recorded. The recording is used solely as evidence that an agreement has been made between the publisher and the data subject. Burda Nordic also sends an order confirmation to the registered person by mail. By extension, Burda Nordic has stated that an order confirmation by mail is not as good documentation of a contract as an audio recording, since an order confirmation, for example. can end up in a spam filter. Regarding disclosure requirements, Burda Nordic states that the publisher buys contact information on potential customers through lead agencies and that it is the lead agencies that comply with the disclosure obligation pursuant to Article 14. of the Data Protection Regulation. Burda Nordic has stated in this connection that lead agencies are independently responsible for the collection of personal data. , and that the information is subsequently purchased by Burda Nordic, who becomes the data controller for the publisher's processing of personal data. 3. Justification for the Authority's decision 3.1. The basis for processing when recording telephone calls The Danish Data Protection Agency initially observes that it is the Authority's practice that recording and storage of telephone calls should, as a starting point, be made on the basis of the consent of the persons being processed information in accordance with Article 6 (2) of the Data Protection Regulation. The Danish Data Protection Agency has based its decision that, when recording the telephone calls in question, only non-sensitive personal data covered by Article 6 of the Data Protection Regulation are processed and that Burda Nordic processes information about the data subjects on the basis of Article 6 of the Data Protection Regulation. PCS. 1, point a. Furthermore, the Data Protection Agency assumed that Burda Nordic process personal information on registered based on the consent form shown in competition in leadbureauers sweepstakes attached a copy of Annex 7, 8 and 9 to Burda Nordic consultation of 20 February 2019. The conditions for a valid consent are set out in Article 4 (11) of the Data Protection Regulation. [2] and Article 7. In order to be valid, consent must be voluntary, specific and informed, and express an unambiguous expression of will. A specific consent means that the consent must not be generally formulated or without precise indication of the purposes of processing personal data and what personal data will be processed. A consent must also be informed so that the data subject is aware of what consent is given. Thus, the data controller must provide the data subject with a number of information to ensure that the data subject can make his or her decision on an informed basis. In addition, consent must be expressed in an unambiguous expression of will. Thus, the consent given must not cause doubt why silence or inaction is not sufficient to constitute an unambiguous expression. After reviewing the case, the Data Inspectorate finds that the declaration of consent submitted does not meet the conditions of Article 4 (11) and Article 7 of the Data Protection Regulation. In this connection, the Data Inspectorate emphasizes that inactivity, including already checked boxes, is not sufficient to constitute a unambiguous disclosure and such pre-ticked fields therefore do not meet the conditions of Article 4 (11) of theRegulation. The Data ProtectionData Inspectorate further finds that the Statement of Consent, according to its wording, is considered only to deal with Burda Nordic's processing of personal data in connection with the telephone inquiry with the for the purpose of selling and marketing the publisher's titles. In the opinion of the Data Inspectorate, the consent declaration cannot be extended to other processing of personal data, including among other things. recording phone calls. In view of the above, the Data Inspectorate finds serious criticism that Burda Nordic's processing of personal data has not taken place in accordance with Article 6 (2) of the Data Protection Regulation. 1 (a), since recording the telephone conversations with the data subjects in connection with sales has not been done with a valid consent. 3.1.2. Basic processing principles In addition, the Data Inspectorate should note that Article 5 of the Data Protection Regulation contains a number of basic principles which data controllers must always adhere to when processing personal data. Pursuant to Article 5 (1) of the Data Protection Regulation. 2. For the purposes of paragraph 1 (b), personal data shall be collected for explicit and legitimate purposes. Subsequent treatment must not be incompatible with these purposes ('purpose limitation'). Pursuant to Article 5 (2). 2. In accordance with paragraph 1 (c), personal data shall be sufficient, relevant and limited to what is necessary in relation to the purposes of processing the data ('data minimization'). Thus, there must always be a legitimate purpose for recording telephone calls, and companies must consider whether the pursued purpose can possibly be achieved with less intrusive means. In view of the fact that recording of the interviews takes place solely to be able to document that an agreement has been concluded between the publisher and the customer in the event of a dispute regarding payment and that an order confirmation is also sent to the data subject by mail, is the Danish Data Inspectorate's opinion that documentation for Burda Nordic's conclusion of agreements can be made with less intervention which does not require processing of information in the form of recording telephone calls. The Data Inspectorate points out that the basic conditions of Article 5, as described above, also apply, even if there was a valid processing secret in Article 6 (1) (a) of the Data Protection Regulation on consent. 3.2 The duty of disclosure When collecting personal data on data subjects, data controllers must comply with the duty of disclosure pursuant to Articles 13 and 14. of the Data Protection Regulation. Where personal data is collected from the data subject, it follows from Article 13 (1) of the Data Protection Regulation. 1 and 2, it is incumbent upon the data controller to provide registered information on a number of information. Where personal data has not been collected from the data subject, it follows from Article 14 (2) of the Regulation. 1-3 that it is the responsibility of the data controller to provide the data subject with a number of information. It is the opinion of the Data Inspectorate that Burda Nordic has an independent obligation to fulfill the duty of disclosure pursuant to Articles 13 and 14. As a data subject, the Danish Data Protection Authority has emphasized that there is no data processor relationship between the lead agencies and Burda Nordic. talk about the transfer of personal data between two independent data controllers. Burda Nordic is thus, in the opinion of the Authority, obliged to comply with the obligation to provide information pursuant to Article 14 of the Data Protection Regulation when the publisher collects personal data in connection with the procurement of leads. The Data Inspectorate has also emphasized that Burda Nordic has not stated that the company fulfills the obligation to provide information when the sales agencies contact the data subjects by telephone and collect personal data through them. In the opinion of the Authority, Burda Nordic is obliged to comply with the duty of disclosure pursuant to Article 13 of the Data Protection Regulation and in this connection on its own initiative, inter alia, to inform that the conversation is being recorded. Thus, it is not sufficient to state that the conversation can be recorded if the conversation is actually recorded. In view of the above, the Data Protection Authority finds serious criticism of Burda Nordic's failure to comply with Articles 13 and 14 of the 4. Insight Data Protection Regulation.For the sake of good reason, the Data Protection Authority must note that data subjects are entitled to access to data pursuant to Article 15 of the Data Protection Regulation. personal information about themselves. The right of access also includes recorded telephone calls. As a rule, registrants may require a written copy of the recording, ie a copy of the interview. However, the right of insight can also be fulfilled by Burda Nordic handing out the recording as an audio file. Such an audio file must be sent to the data subject in a commonly used standard format. Burda Nordic has stated that registrants can gain insight into the audio recordings, including having a copy of the audio file forwarded if the customer pre-identifies himself by submitting an ID with a picture. In this connection, the Data Inspectorate should note that, in accordance with Article 12 (1) of the Data Protection Regulation. 6, it follows that data controllers, if there is reasonable doubt as to the identity of a data subject making a request for access, may request additional information necessary to verify the data subject's identity. Article 12 (2) 6, requires the data controller to make a concrete assessment of whether there is reasonable doubt as to the identity of a data subject in connection with each request for access.a general procedure for ID validation prior to responding to objectiondoes not comply with Article 12. Furthermore,requestsA request for additional information in order to identify a data subject must also be proportionate, in accordance with Article 5 (2) of the Regulation. Therefore, the data controller may not require more information than is necessary in the specific situation. The Data Inspectorate recommends that Burda Nordic consider whether the image of a data subject is necessary to ensure the identity of the person in specific cases of doubt. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation). [2] See preamble recital 32 of the Data Protection Regulation.