Persónuvernd - 2020010577

From GDPRhub
Revision as of 16:21, 13 April 2021 by Msm (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2020010577
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(a) GDPR
Article 7 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.03.2021
Published: 26.03.2021
Fine: None
Parties: Bland.is
Wedo ehf.
National Case Number/Name: 2020010577
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA ordered an operator of a sale website to stop the processing of users' personal data. According to the DPA, the consent was not sufficiently informed.

English Summary

Facts

The complainant stated that when registering on the sales website Bland.is, he had to identify himself with an ID number and a bank account which was to be deleted after identification. However, this information had been used to obtain further information about the complainant, including his address. It was later published on his advertisement on Bland.is. In the complainant's view, the personal information was collected without his authorization. He was deceived into consenting to it under false pretenses and added to the advertisement without his knowledge.

Wedo, an operator of the website, replied that when users identify themselves on Bland.is, the company looks up the user's address in the national register. The company considered itself to be processing personal information about the complainant's address on the basis of consent.

Dispute

Was the consent informed enough?

Holding

In the opinion of the DPA, the complainant's authorization to remove an address in the user settings on the website does not fulfill conditions of the consent under Article 7 GDPR. The declaration of approval offered by the controller does not provide enough information. Contrary to the privacy policy that stated that contact information will be obtained from users, the company obtained it from the National Registry. The processing did not comply with Article 6(1)(a) GDPR.

In accordance with this conclusion, the DPA ordered the controller to stop the processing of personal information about the address of the Bland.is users until the company sends the DPA an explanation on which basis the processing took place and the DPA confirms that the processing complies with the provisions of the law.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Ruling

On March 10, 2021, the Board of the Data Protection Authority issued a ruling in case no. 2020010577:

I.

Procedure

1.

Complaint

On 13 January 2020, the Data Protection Authority received a complaint from […] (hereinafter the complainant) about the processing of personal information about him by Wedo ehf., Which operates the website Bland.is.

By letter dated November 5, 2020, the Data Protection Authority of Wedo ehf. about the complaint and gave the company an opportunity to comment on it. The answer was by letter dated. 23. sm

In resolving this case, the above data has been taken into account, although not all of them are explained separately.

The handling of the case by the Data Protection Authority has been delayed due to mining.

2.

The complainant's views

The complaint states that when registering on the sales website Bland.is, the complainant had to identify himself with an ID number and a bank account which, according to the complaint, was to be deleted after identification. The complaint states that this information has been used to obtain further information about the complainant, e.g. á m. information about his address and that that information was published with his advertisement on Bland.is. In the complainant's opinion, the personal information was collected without authorization and the complainant was deceived into obtaining it on false pretenses and added to the advertisement without his knowledge.

3.

The views of Wedo ehf.

In the answer of Wedo ehf. says that when users identify themselves on the sales page Bland.is, the company looks up the user's address in the national register. This is done in order to better serve the intermediary role that Bland.is plays. This is done by placing the seller's postcode with products that are put up for sale, as it is in the buyer's interest to know where in the country the seller is located, ie. whether the product is located in Garðabær or in the Westman Islands. The company's response refers to its privacy policy, which states that information that the company collects about its users includes contact information, such as information on name, ID number, gender, address, e-mail address and telephone number.

The purpose of collecting contact information is also stated in the privacy policy:

"We do this in order to be able to deliver products and services to you and to be able to send you notifications (by e-mail or SMS message) in connection with the purchase of goods and offers of goods and services. We collect contact information from you via, telephone, offline (such as calling a customer service center), website or e-mail, or in any other way where you have provided this information voluntarily. "

The company's privacy policy also states in general terms about the purpose of gathering information:

"To be able to provide you with the services you request, whether it is sending them products to your door or receiving payments and / or in connection with other products and services that we offer or mediate. In other respects to enforce our terms. "

In the answer of Wedo ehf. says that in view of the above, the company has received the user's consent to publish his postal code on the web, but also says that if a user chooses not to provide a postal code, he is in a position to delete the address from user settings.

The reply also states that following the complaint, two changes were made to the education of users of the sales website Bland.is. On the one hand, when identifying, users are instructed that the address is looked up when registering and that it is used for convenience in decision-making for both buyers and sellers. However, users will be instructed in the user settings of the website that postcodes will be displayed with advertisements.

II.

Assumptions and conclusion

1.

Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act and Art. of the Regulation, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an operation or series of operations where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns the collection and publication of information about the complainant on the sales website Bland.is. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. In the privacy policy published on the website Bland.is, the company Wedo ehf. specified as the responsible party for the personal information processed on the website. As such, Wedo ehf. therefore be responsible for the processing in question.

2.

Legality of processing

All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679. It may be mentioned that personal data may be processed if a registered individual has given his or her consent for the processing of his or her personal data for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 of the Act and point a of the first paragraph. Article 6 of the Regulation, or if the processing is necessary due to legitimate interests that the responsible party or a third party safeguards, unless the interests and fundamental rights of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 of the Act and item f of the first paragraph. Article 6 of the Regulation. As in this case, in the opinion of the Data Protection Authority, it will not be seen that other processing authorizations according to the aforementioned provision can be considered.

According to point 8. Article 3 Act no. 90/2018 and point 11. Paragraph 1 Article 4 of Regulation (EU) 2016/679, consent is considered to be an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, by declaration or unequivocal confirmation, to the processing of personal data about himself. When processing is based on consent, the responsible party shall be able to demonstrate that a registered individual has agreed to the processing of his personal data in accordance with the conditions of the first paragraph. Article 10 Act no. 90/2018, Coll. Article 7 Regulation (EU) 2016/679. If the data subject gives his consent by a written statement, which also concerns other matters, the request for consent shall be presented in such a way that it is easily distinguishable from the other matters, in an understandable and accessible form and a clear and simple matter, cf. Paragraph 2 the same provision as the second paragraph. Article 7 Regulation (EU) 2016/679.

Point 32 of the preamble to Regulation (EU) 2016/679 further states that consent should be given by clear confirmation, such as a written declaration, including by electronic means, or an oral declaration, of the existence of an unrestricted, limited, informed and unambiguous the data subject's declaration of intent that he consents to the processing of personal data concerning himself. This may involve checking a box when accessing an Internet site, selecting technical settings for information society services or any other statement or act that clearly indicates in this context that a data subject agrees to the proposed processing of personal data. Silence, boxes that have already been checked or inaction should therefore not constitute consent. In the guidelines of the European Privacy Council no. 5/2020, on approval,issued on the basis of paragraph 1 (e). Article 70 Regulation (EU) 2016/679, this legal interpretation is also reaffirmed.

On behalf of Wedo ehf. has stated that the company considered itself to be processing personal information about the complainant's address on the basis of consent. In a letter from Wedo ehf. refers, among other things, to the fact that if a user chooses not to provide his / her postal code, he or she can delete the address in the user settings of the sales website. The letter from Wedo ehf. referred to the company's privacy policy, which is referred to above, which states that among the information that the company collects is contact information, such as address. The same paragraph states that contact information is collected from users by telephone, offline (such as calls to customer service centers), websites or e-mails, or in any other way where the person has voluntarily provided that information.

In the opinion of the Data Protection Authority, it will not be considered that the complainant's authorization to remove an address in the user settings on the website fulfills the above-mentioned condition that consent must be granted by action. It will also not be considered that the declaration of approval that Wedo ehf. offers fulfills the conditions for being informed as the company obtained contact information from the National Registry, but the privacy policy states that contact information will be obtained from users, in addition to which the consent was not limited and specified from other processing operations that took place for other purposes. The processing could therefore not be based on point 1. Article 9 Act no. 90/2018 and item a of the first paragraph. Article 6 Regulation (EU) 2016/679.

As is the case here, point 6 comes into consideration in particular. Article 9 of the Act, cf. paragraph 1 (f) Article 6 of the Regulation, to the effect that personal data may be processed, it is necessary to safeguard legitimate interests unless the fundamental rights and freedoms of the data subject are overridden. On behalf of Wedo ehf. has stated that the company considered that the processing of personal information about the complainant was based on his consent. It cannot therefore be considered that the company has specifically assessed the legitimate interests that the company safeguards, whether the processing is necessary in the interests of those interests or how its legitimate interests in the processing in question outweighed the interests of the data subject. As here and the like, the Data Protection Authority does not have grounds for assessing whether the processing fulfills the conditions of the provision,but it can be assumed that the processing authorization in question may be considered following an interest assessment which confirms that the conditions of the provision are met. The Data Protection Authority also reminds us of the second paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 2 Article 5 Regulation (EU) 2016/679, that the responsible party is responsible for complying with the principles of the Act and can demonstrate this.

In view of all the above, the Data Protection Authority considers that the acquisition and publication of Wedo ehf. on personal information about the complainant's address, was not permitted according to Article 9. Act no. 90/2018, Coll. Paragraph 1 Article 6 Regulation (EU) 2016/679. The conclusion of the Data Protection Authority is therefore that the processing did not comply with the law and the regulation.

In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, is hereby submitted to Wedo ehf. to stop the processing of personal information about the address of the users of the sales website Bland.is until the company has sent the Data Protection Authority a description to that effect on the basis of which authority in Article 9. Act no. 90/2018 and the first paragraph. Article 6 of Regulation (EU) 2016/679 the processing takes place and the Data Protection Authority confirms that the processing complies with the provisions of the Act. In this connection, Wedo ehf. instructed that if the processing is to take place on the basis of the consent of the data subject, cf. 1. tölul. Paragraph 1 Article 9 Act no. 90/2018, the data subject must be informed of the processing in question, the approval must be specified from other processing operations and granted by a special operation. If the processing is to take place on the basis of legitimate interests, cf. 6. tölul. of the same provision, Wedo ehf.it is necessary to assess the legitimate interests of the company, whether the processing is necessary in the interests of those interests and whether the company's interests in the processing outweigh the interests or fundamental rights and freedoms of the data subject.

Confirmation of the above-mentioned suspension of processing shall be received by the Data Protection Authority no later than 24 March 2021.

Ruling:

Acquisition of Wedo ehf. on personal information about address […] and the publication of his postal code did not comply with Act no. 90/2018, on personal protection and processing of personal information.

Wedo ehf. shall stop the processing of personal information on the addresses of users of the sales website Bland.is and send the Data Protection Authority a confirmation to that effect no later than 24 March 2021. Wedo ehf. is not permitted to resume processing of that information until the Data Protection Authority has confirmed that the processing fulfills the conditions of Act no. 90/2018.

In Privacy, March 10, 2021