BlnBDI (Berlin) - 521.13874: Difference between revisions

BlnBDI (Berlin) - 521.13874
Authority:	BlnBDI (Berlin)
Jurisdiction:	Germany
Relevant Law:	Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 28 GDPR § 7(2)(3) UWG § 7(3)(4) UWG
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	15.10.2021
Published:
Fine:	None
Parties:	n/a
National Case Number/Name:	521.13874
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	German
Original Source:	Datenanfragen.de (decision) (in DE) Datenanfragen.de (complaint text) (in DE)
Initial Contributor:	Benjamin Altpeter (Baltpeter)

The DPA of Berlin (the BlnBDI) issued a reprimand to an eBay-shop for violating Article 6(1) GDPR since they sent newsletters to a customer without consent, Article 12(3) GDPR for not responding to their access request within one month, and Article 15(1) GDPR for not providing all information listed in the provision.

English Summary

Facts

A data subject placed an online order with a shop (the controller) on eBay. More than half a year later, the controller started sending them weekly newsletters via email. Although the controller's privacy policy claimed that newsletters would only be sent if the data subject had given consent, Article 6(1)(a) GDPR, the data subject had never consented.

On 5 November 2020, the data subject sent an access request to the controller, invoking their right laid down in Article 15(1) GDPR. Since the controller did not reply, the data subject sent a reminder on 7 December 2020. Again, the controller did not reply.

Initially, the controller didn't respond to the DPA's request for a statement. Only after the DPA issued an administrative notice forcing the company to answer the access request and threatened a penalty payment did the controller respond to the data subject.

However, this initial response only mentioned the categories of processed personal data and did not include a copy of the personal data. Only after another reclamation by the data subject did the controller provide a copy.

Holding

The DPA held that the controller violated Article 6(1) GDPR, since the newsletter was sent without a legal basis. First, the data subject had not given consent, Article 6(1)(a). Moreover, the DPA held that the controller could not rely on a legitimate interest, Article 6(1)(f). While the term "legitimate interest" is to be interpreted broadly, it can no longer be assumed if the processing violates another legal norm.

§ 7(2)(3) UWG (German Act against Unfair Competition) declares advertising using electronic mail without the addressee's prior express consent as an "unacceptable nuisance". The exemption under § 7(3)(4) UWG only applies if the controller clearly and unequivocally informed the data subject, at the time of the collection of the email address, that it will be used for advertising purposes. The controller had not done that by their own admission. Thus, the DPA concluded that the data subject's interests and fundamental rights overrode the controller's and no legitimate interest could be assumed. Hence, the controller violated Article 6(1) GDPR.

The DPA further held that the controller had violated Article 12(3) GDPR by not responding to the data subject's access request within a period of one month.

Lastly, the DPA held that the controller violated Article 15(1) GDPR, since they provided an incomplete response to the data subject's access request. In addition to the abstract categories of data, the controller must provide the actual personal data processed. Furthermore, the controller did not inform the data subject about the recipients of the personal data, Article 15(1)(c). The DPA held that this has to include processors according to Article 28 GDPR. Finally, the controller provided incomplete information about the period for which the personal data is stored, Article 15(1)(d). The controller had only mentioned that the period was based on legal retention periods according to § 257 HGB and § 147 AO but the DPA held that this did not fulfil the requirements of Article 15(1)(d) GDPR. The controller either has to state the actual period or name the particular events (like the conclusion of a contract) that influence it.

The DPA issued a reprimand to the controller, Article 58(2)(b).

Comment

Notably, the DPA's decision derives the right to a copy only from Article 15(1) GDPR, while other DPAs have held that Article 15(1) GDPR only applies to the meta information and that Article 15(3) GDPR is a separate right (also see OLG München - 3 U 2906/20).

An official English translation of the UWG is available at: https://www.gesetze-im-internet.de/englisch_uwg/englisch_uwg.html

Further Resources

• Reporting on the decision by Datenanfragen.de (German)

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

               Berlin representative
   D) for data protection Fa
                                                                               NG 22 OCT.
               and freedom of information



 Berlin Commissioner for atenschu and Freedom of Information
 Friedric 219, 1969 Berlin

                                                    Registration number: .13874.13
                                                    (given)








                                                   Date October 15, 2021




Completion message
Your complaint dated December 21, 2021



Dear Sir or Madam,

We hereby inform you that the complaint is passed on to you.
examination procedure is completed. a violation of the General Data Protection Ordinance

(GDPR) when processing your personal data also EEE
we have based on the information provided to us for the following reasons
can determine.

Reason:


I.
We have established the following facts:

You ordered goods from the company in January 2020 via the Ebay platform. From Octo-
You received various promotional emails through December 2020, including on October 31 and November 7
ber, November 14th, November 21st, November 27th, December 5th, December 12th and December 18th

ber.

On December 5, 2020, you asked the company for information about your personal information
Data according to Article 15 GDPR. By e-mail dated December 7, 2020, you reminded you of your concern.
There was no response to either of the e-mails. The company has reported
is the mistake of an employee who did not reply to "the e-mail" correctly.

tete, which is why it then disappeared from the overview of the emails to be processed.

In response to our address, the company then sent you an email of April 21, 2021
Information about the data categories stored by the company. This information lies
before us.


You then notified the company in an email dated April 24, 2021 that the
Information is incomplete because it does not contain the specifically stored data
the company then supplemented it with an email dated April 26, 2021.


 Berlin commissioner, speaking at 15 o'clock, Telef03013889-0 ‚Anfami public transport center:
 Data corruption information freDonnersta-1Uhr Telef030 155050 U-BahLin6e tationhstr.
                           Visitor entrance Elgem.3aAbs.VwVIGöffnuBusLinM29und 248
 Friedrich219. Puttkamers16-18 mailbox@datenschutz-berlin.de
 1096Berlin wheelchair-accessible https «// datenschutz-berliu .dell.

The facts determined are legally assessed as follows:

Illegal processing by sending advertising emails


According to Article 6 (1) GDPR, the processing and use of personal data is only
permissible as long as this can be supported on a legal basis.

A legitimate interest of the company in accordance with Article 6 (1) (f) GDPR for advertising

Your data was not used here. Although the term is legitimate interest
However, a legitimate interest can no longer be assumed in any case.
if the data processing violates other legal norms.


According to Article 7 (2) No. 3 UWG, emails for the purpose of direct marketing are
presumable harassment if the recipient has not given their consent. he exception
According to Section 4, Number 4 UWG, metatStock requires, among other things, that the person concerned
the use of the data is clearly indicated that the advertising is being used. The enterprise
himself admitted that this was not the case here. That was the end of the promotional emails

not permitted according to Section 7WG. Accordingly, prevail in the weighing of interests
Article 6 (1) (f) GDPR, your fundamental rights and interests. No consent was given.

The advertising use of his e-mail address constitutes a violation of Article 6 Paragraph 1 DS-

GMOs.

No response to requests for information

According to Article 12, Paragraph 3, Clause 1 of the GDPR, the person responsible has the

about the measures taken in accordance with Articles 15 to 22 GDPR
to be made available in each case but within one month of receipt of the
sluggish.


Your request for information of December 5, 2020 was answered on April 21, 2021
delayed. amit is in violation of Article 12 (3) GDPR.

Incomplete information


According to Article 15, Paragraph 1.2. HS. Every data subject has the GDPR in the event of processing
your data a right to information about this data as well as the under lita) - h)
Information, in particular categories of personal data (litb).
but should be put in a position to check the data processing and, if necessary, to

to assert further rights, e.g. to correction or deletion. It must therefore be next to
the abstract data categories and those specifically stored for the individual
information about these personal data ("Information about this personal data").


In its information dated April 21, 2021, however, the company only has the processed
communicated to the processed data categories. You will only have specific data after a new request.
standing.

In addition, the additional information to be provided in accordance with Article 15 (1) a) to) DS-

GMO incomplete:

    e According to Article 15 Paragraph 1 lit. c) GDPR, those affected must inform about the recipients of their

      . personal data are informed. This also includes processors i.S.
       d.Art.28 GDPR. In its information, the company has not given any information on this.
       power. e Pursuant to Article 15 (1) (d) GDPR, those affected must, as far as possible, be informed about the

       planned duration for which the personal data will be stored or, if so
       is not possible to be informed of the criteria for determining this duration.

       The information must be so precise that it can be seen by the data subject
       how long your data will be processed. Insofar as an indication of the deletion time

       t it is not possible, at least the duration of storage periods and the start of these
       Deadline between the triggering event (e.g. termination of a contract, expiry
       warranty period, etc.). The mere reference to the statutory retention
       notice period is not sufficient.

       The notification of the planned storage period is based on the legal

       retention periods according to $ 257 HGB and 8 147 AO do not meet these requirements.

Il.
We inform the company of this legal assessment. Oppose the company
we issue a warning in accordance with Article 58 (2) GDPR. Further regulatory

We reserve the right funds, especially in the case of repetition.

As far as your complaint is concerned, the matter is considered to be closed.
sen.

Legal appeal

An action against this decision is admissible before the Berlin Administrative Court. ie is-
within one month after notification of this decision to the administrative court
lin, irchstraße 7, 10557 Berlin, in writing and as an electronic document by means of his
qualified electronic signature (QES) - or for the record of the clerk
gain. It should be noted that in the event of a written complaint, the deadline for the action is only

is then respected if the action was received by the administrative court within this period
is.

Kind regards