Persónuvernd (Island) - 2023122032: Difference between revisions
m (Fb moved page Persónuvernd (Island) - 2023122032 to Personuvernd (Island) - 2023122032) |
m (Fb moved page Personuvernd (Island) - 2023122032 to Persónuvernd (Island) - 2023122032 over redirect) |
(No difference)
|
Revision as of 13:07, 6 November 2024
Persónuvernd - 2023122032 | |
---|---|
[[File:|center|250px]] | |
Authority: | Persónuvernd (Island) |
Jurisdiction: | Iceland |
Relevant Law: | Article 6(1)(f) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 15.10.2024 |
Published: | |
Fine: | n/a |
Parties: | VÍS |
National Case Number/Name: | 2023122032 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Persónu vernd (in IS) |
Initial Contributor: | wp |
The DPA affirmed a controller’s legitimate interest to cross-check a caller’s phone number with their customer database in order to identify a calling customer. The legitimate interest also covered the submission of a survey to the data subject after the call.
English Summary
Facts
A data subject contacted VÍS (a controller) via phone. During the call the data subject didn’t disclose their identity and asked a general question about a car insurance. Afterwards, they received an e-mail survey from the controller. The survey was aimed to evaluate and improve the contact service with the controller.
The data subject lodged a complaint with the Islandic DPA (Persónuvernd). The data subject claimed they didn’t consent to their phone number being cross-checked with the customer database every time they called the controller. Also the data subject expressed concerns over the lack of possibility to contact the controller anonymously. Moreover, in the opinion of the data subject their phone number was used for a purpose incompatible with the original one.
During the examination proceedings, the controller explained they cross-checked the data subject’s phone number with their customer database to send the e-mail. Once a customer, whose data was stored within the customer database, called the controller, they were automatically identified and the speaker saw the customer’s name and business relation with the controller. The controller claimed they could base this processing on their legitimate interest under Article 6(1)(f) GDPR to send surveys, i.e. increasing the quality of customer service.
Holding
The DPA dismissed the complaint.
According to the DPA, the controller had a legitimate interest in processing the data subject’s phone number by combining it with customer’s database and sending the survey.
The controller’s privacy policy clearly indicated that one of processing purposes was sending surveys by the controller. Thus, the data subject could have expected to receive such a survey from the controller. Furthermore, the data subject, being the controller’s customer, must have been aware that the controller was able to use their database to check their identity. Additionally, the email sent to the data subject contained the reference to the privacy policy and instruction how to object the processing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions VÍS may send customers a service survey following a call Case no. 2023122032 15.10.2024 There was a dispute over the authority of VÍS to connect the complainant's phone number to the company's customer register, when he called the company to ask a general question, without giving his name, and to use information from there to subsequently send him an email with a service survey. Personal protection came to the conclusion that VÍS had been authorized to do so on the basis of the company's legitimate interests. Was then i.a. considering that the complainant was a customer of VÍS, that it was general personal information and that the processing was in accordance with the clearly stated purpose for the processing of contact information in the company's privacy policy, which includes was referred to in the aforementioned email, where the complainant was also given the opportunity to object to the processing. The Personal Protection Agency therefore considered that the effect of the processing on the complainant had been extremely limited and that his interests did not outweigh the interests of VÍS in this regard. Personal protection also came to the conclusion that the complainant's right to object had been respected, as there were clear instructions in the e-mail about how he could simply object to having the company's service surveys sent in the future. Ruling about a complaint about the processing of personal data by VÍS, in case no. 2023122032: Procedure On December 18, 2023, Personal Data Protection received a complaint from A (hereinafter the complainant) about the processing of Vátyringagafélag Íslands hf. (hereinafter VÍS) on his personal information. More specifically, the complaint relates to the fact that after the complainant's call to VÍS, the company sent him a service survey by e-mail, despite the fact that he had not given his name in the call. The complaint was accompanied by a copy of the email, which is dated the same day. Personal Protection invited VÍS to comment on the complaint by letter on March 15, 2024, and responses were received on April 12, 2024. Personal Protection sent the complainant a letter on the same day and invited him to provide comments on the responses. of the company and received them by letter on April 19, 2024. Personal Protection requested further clarification from VÍS by letter on August 19, 2024. VÍS's response letter together with the company's privacy policy, as it was updated on November 28, 2023, was received by Personal Protection on September 13, 2024. Personal Protection invited the complainant to comment on the presented data and explanations by letter 16. s.m. and his comments were received by letter on 23. s.m. When solving the case, all the above data has been taken into account. Disputes There is a dispute over the authority of VÍS to connect the complainant's telephone number to the company's customer register, when he called the company to ask a general question, without giving his name, and to use information from there to send him an email with a service survey. The circumstances of the case and the available data It is undisputed in the case that the complainant, who was doing business with VÍS, called the company in December 2023 and requested information about car insurance without giving his name, email address or other information so that he could be identified. Subsequently, VÍS sent the complainant a service survey by e-mail. VÍS has informed that when the company's customers call from the phone number registered in the customer register, a so-called customer card appears on the screen of the employee who answers the call, where the name of the caller and that the person is in a business relationship with the company are displayed. Following the call, the customer is sent a service survey by e-mail. In the e-mail the complainant received, he is thanked for contacting VÍS and asked what grade he would give the service. Then it says: "We will use your answers to improve our service." We encourage you to familiarize yourself with your rights and how VÍS handles and protects participants' personal information by reading our Privacy Policy. If you do not want to receive service surveys from us, you can reply to this email and let us know." The word "Privacy policy" contains a link to the company's privacy policy. In VÍS's privacy policy, as it was updated and published on the company's website on November 28, 2023, says that the company processes data that identifies customers and contact information, i.e. on m. names, social security numbers, email addresses and phone numbers. It also says that VÍS processes information about its customers, e.g. to contact them, e.g. with marketing material etc., do market research and analysis, e.g. service surveys to improve the company's services. Party point of view Main views of the complainant The complainant states that he did not provide any information about himself in the call in question, but it was clear that the customer service representative or the company's system had identified which number the call was from. He was repeatedly asked about personally identifiable information but always refused to provide it as he was just asking for general information that the company should be able to provide without knowing anything further. In the end, he got the information he wanted and did not give his name or email address. The complainant then received an email to his email address where he was asked to give his opinion on how VÍS performed. The complainant considers this unauthorized processing of personal information. He is not satisfied with VÍS connecting the phone number that is called from with information that the company has in its business system. The complainant has never knowingly agreed to such a thing and he is dissatisfied with not being able to call the company without being personally identified by the company. The complainant further believes that, following the call, VÍS was not allowed to use his other contact information, which was recorded in the company's business system, to send him the aforementioned email. If VÍS has used the complainant's contact information for a purpose other than the one for which the company obtained it. The main points of view of VÍS VÍS is based on the fact that the said processing was authorized by the company. The complainant is a customer of VÍS, with valid insurance with the company, and therefore his contact information is saved in the company's customer system. The processing of personal information that consists in sending the customer a service survey following a call is necessary due to the legitimate interests of VÍS, cf. Article 9 Act no. 90/2018 on personal protection and processing of personal information and point f of paragraph 1. Article 6 of regulation (EU) 2016/679. It is the goal of VÍS to increase the quality of customer service, and the use of service surveys is part of that. The company has a legitimate interest in contacting its customers and in taking action with the aim of improving its services. It is the opinion of VÍS that the company's legitimate interests in communicating with customers, with the aim of improving the quality of the service, outweigh the interests and fundamental rights of the data subject in not receiving such a survey. The company places great emphasis on the processing of personal information must always comply with the principles of the Personal Protection Act. The personal information that is processed when broadcasting a service survey is the customer's name and email address and the person's answer to the survey if he chooses to answer it. To ensure that processing is legal, fair and transparent towards the data subject, cf. Paragraph 1 Article 8 of the Act, the company's answering machine informs that the call is being recorded and that communication may be recorded. Furthermore, there is a text in the e-mail in question that ensures transparency towards the data subject, where there is a link to the company's privacy policy and the recipient is advised that if he does not want to receive service surveys from the company, he can reply to the e-mail and inform the company. The complainant's contact information was obtained in clearly specified and legitimate purposes, since it is necessary for the company to be able to contact its customers and is a normal part of a business relationship. It is in accordance with the aforementioned purpose to check the quality of the service that the company provides to customers. Customer responses to the service survey are only used to improve the service and such information is never shared with third parties. Assumptions and conclusion Legal environment This case concerns whether VÍS was allowed to link the complainant's telephone number, which appeared when he called the company, to the company's customer register and use information from there, specifically the complainant's email address, in order to subsequently send him a service survey. It concerns the processing of personal data that falls under the scope of Act no. 90/2018 on personal protection and processing of personal information and thus the authority of the Personal Protection Authority, cf. Paragraph 1 Article 4, paragraph 2 Article 1 and paragraph 1 Article 39 Act. VÍS is considered to be the party responsible for the processing, cf. Number 6. Article 3 Act no. 90/2018 and No. 7 Article 4 regulation (EU) 2016/679. All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 of regulation (EU) 2016/679. According to number 6 of the legal provision and point f of the regulatory provision, processing may be permitted if it is considered necessary for the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh. In order for personal data to be processed on the basis of this processing authorization, three conditions must be met. First of all, processing must be carried out in the interests of the legitimate interests of the responsible party or a third party. Secondly, it is required that the processing is necessary for their interests. Thirdly, the interests and fundamental rights and freedoms of the data subject that require the protection of personal data must not outweigh the interests of others from the processing. During the evaluation of interests, according to the third condition, attention has been paid to four factors. First of all, the nature of the legitimate interests of the responsible party is taken into account, and it can then, among other things, be relevant whether the interests concern the employment rights of the responsible party. It can also give more weight to the interests of the data controller if they are combined with the broader public interest. Secondly, the effect of the processing on the data subject is considered. In that regard, the nature of the information processed may, among other things, be significant, including whether it is sensitive personal information. Furthermore, the processing method can be significant, including whether personal information is made available to the public, as well as whether the data subject has himself disclosed the information. The data subject's legitimate expectations may also be relevant in this regard, including taking into account the provisions of the law. The position of the registered and the responsible party must also be considered, e.g. with regard to the potential difference in status between them. Thirdly, it is relevant to the assessment of interests whether the responsible party observes other provisions of the personal protection legislation during the processing, such as regarding proportionality. This can provide an indication of the effect of the processing on the data subject. Fourthly, additional measures taken by the data controller in relation to the processing may be relevant to the interest assessment. When applying the processing authorization, no reservation has been made that the processing may not lead to any negative consequences for the data subject. Section 47 of the preamble of the regulation states, among other things, that the above-mentioned processing authorization can apply when there is a relevant relevant relationship between the data subject and the responsible party, e.g. in cases where the registered person is a client of the responsible party or in his service. In any case, it is necessary to carefully assess whether it is a legitimate interest, i.a. whether the registered person can, when the personal information is collected and in the context of it, have a valid reason to believe that processing will take place for that purpose. The responsible party must ensure that the processing of personal information is always compatible with all principles of personal protection, cf. Paragraph 1 Article 8 Act no. 90/2018 and paragraph 1 Article 5 regulation (EU) 2016/679, including that the processing is fair and transparent towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision. That principle includes, among other things, that it should be clear to individuals when personal information about them is collected, used, viewed or processed in another way, and to what extent personal information is or will be processed. According to what is analyzed in article 15, this principle is specifically considered when assessing whether it can be considered permissible to process personal data in the interest of the legitimate interests of the responsible party. legitimate and objective purposes and not further processed for other and incompatible purposes, cf. Number 2. Paragraph 1 Article 8 of the Act and point b of paragraph 1 Article 5 of the regulation. When the processing of personal information is based on the above-mentioned processing authorization, the data subject shall furthermore be permitted to object to the processing in accordance with paragraph 1. Article 21 of the Act and paragraph 1 Article 21 of the regulation. At the latest, when the registered person is first contacted, he must be informed of his right to object to the processing, cf. Paragraph 4 of the regulatory provision. Conclusion Considering that the complainant was a customer of VÍS, Personal Data Protection believes that the company had a legitimate interest in sending him the service survey in question after his call to the company and that the processing, which consisted of connecting the phone number he called from with his other contact information at the company to to direct the service survey to him, was necessary for that purpose. With regard to the interests, fundamental rights and freedoms of the data subject that require the protection of his personal information, it is to be considered that it was specifically disclosed in the current privacy policy of VÍS that customer contact information was processed for the clearly stated purpose of sending them service surveys. In the opinion of the Data Protection Authority, the complainant could therefore expect that his contact information would be processed in this way. Furthermore, the Personal Protection Agency believes that the complainant must have been aware that his telephone number was revealed to his interviewer at VÍS in question, in one way or another, and that it would be possible to look it up in the company's customer register. It is also to be considered that it was general personal information and that the complainant was, with the email, referred to the company's privacy policy and instructed on how he could object to the processing. The Personal Protection Agency believes that the effect of the processing on the complainant was therefore extremely limited. Is it the conclusion of the Data Protection Authority that the interests and fundamental rights and freedoms of the complainant, which require the protection of personal data, did not outweigh the interests of VÍS from the processing, as stated here. With all this in mind, the Personal Protection Authority believes that VÍS was authorized to process the complainant's personal information in accordance with section 6. Article 9 Act no. 90/2018 and point f of paragraph 1. Article 6 of regulation (EU) 2016/679, cf. 1. and 2. numbers. Paragraph 1 Article 8 of the Act and points a and b of paragraph 1. Article 5 of the regulation. Although the complainant did not give his name, email address or other personally identifiable information in the call to VÍS, it is considered unproven that he directly objected to his contact information being used to follow up the call by email. Since there were clear instructions in VÍS's email to the complainant, about how he could object in a simple way to having the company's service surveys sent in the future, the Data Protection Authority believes that the complainant's right to object has been respected, cf. Paragraph 1 Article 21 Act no. 90/2018 and paragraphs 1 and 4 Article 21 of regulation (EU) 2016/679. Ruling: Vátryggingfélagi Íslands hf. was allowed to connect the telephone number of the complainant, A, to the company's customer register, when he called the company to ask a general question, and use information from there to subsequently send him a service survey by e-mail and ensured his right of objection in an appropriate way, cf. provisions of law no. 90/2018 on personal protection and processing of personal data and Regulation (EU) 2016/679 relating to processing authorization and the right to object. Privacy, October 8, 2024 Valborg Steingrímsdóttir Edda Úríður Hauksdóttir