Datatilsynet (Denmark) - 2021-31-5439
Datatilsynet (Denmark) - 2021-31-5439 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 6(1)(d) GDPR Article 6(1)(f) GDPR Article 17(1)(a) GDPR Article 17(1)(c) GDPR Article 21(1) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 31.01.2022 |
Published: | |
Fine: | None |
Parties: | DBA |
National Case Number/Name: | 2021-31-5439 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | Giel Ritzen |
The Danish DPA rejected the data subject’s complaint and erasure request because it found that the controller’s legitimate interest to retain the personal data, outweighed the interests of the data subject.
English Summary
Facts
The controller is Den Blå Avis' (DBA), an online platform for second hand goods. The data subject has a blocked user account on the platform and requested the controller to erase his personal data pursuant to Article 17 GDPR. The controller refused to comply because it had received three independent complaints from buyers regarding the data subject. Hence, in order to prevent fraud, the controller claimed it needed to retain the personal data (the blocked account) in order to identify any newly created profiles by the data subject, pursuant to Article 6(1)(d) GDPR. Moreover, the controller stated there was no other way to achieve this objective of fraud prevention. The data subject filed a complaint with the Danish DPA (Datatilsynet).
Holding
The DPA rejected the complaint.
First, the DPA considered that the controller blocked the data subject’s account because of several complaints, and noted that the controller did this on the basis of Article 6(1)(f), and not Article 6(1)(d) GDPR, since the controller balanced the interests. However, the DPA also noted that there is no basis to disregard the controller’s assessment that their interests (fraud prevention) outweigh the data subject’s interests.
Second, the DPA considered that the data subject may object to the controller’s processing, but that the data subject did not bring forward any reasons that would justify the objection pursuant to Article 21(1) GDPR. Hence, the DPA found that it did not need to assess Article 17 GDPR, and rejected the erasure request.
Comment
The DPA stated that “[A]fter examining the case, the Danish Data Protection Agency's assessment is that neither the condition of Article 17(1) of the Regulation nor the condition laid down in Article 17(1) of the Regulation are to be assessed.” It seems that the DPA forgot to specify that it meant Article 17(1)(a) and Article 17(1)(c) GDPR. After all, this would be logical, since Article 17(1)(c) is the ground for erasure that applies after the data subject objects to the processing pursuant to Article 21 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The DBA was entitled to reject a deletion request Date: 31-01-2022 Decision Private companies In connection with the processing of a complaint, the Danish Data Protection Agency has stated that Den Blå Avis was entitled to reject a request for deletion of a user profile as well as a number of additional information. Journal number: 2021-31-5439 Summary A complainant had requested DBA (hereinafter ‘DBA’) to delete his user profile and other related personal information. However, the DBA rejected the request on the grounds that the DBA had received three independent complaints from buyers of the DBA over complaints and that the DBA therefore needed to retain the information for the purpose of blocking the complainants' access to the DBA's platform. During the case, the DBA stated that complainants had previously tried to circumvent the block by creating new profiles via various email addresses, and that the retention of complainant information had just contributed to the DBA being able to close all profiles. The DBA further stated that the retention of complaint information could take place because the processing was necessary to protect the vital interests of the buyers. The Danish Data Protection Agency did not find grounds to override DBA's assessment that the storage of information was necessary to block complainants' access to DBA's platform. However, the Authority found that the correct basis for processing the case was the so-called “balancing of interests rule”, and that the processing could not take place on the basis of a consideration of the vital interests of the buyers. Decision Following an examination of the case, the Danish Data Protection Agency finds that DBA is not obliged to delete the information in question pursuant to Article 17 (1) of the Data Protection Regulation [1]. 1. Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision. 2. Case presentation It appears from the case that on 14 August 2021 you contacted DBA and requested that your user and the information that DBA processed about you be deleted, including information about your e-mail, name and CPR number. The DBA responded to your inquiry on August 16, 2021, stating that the DBA stores personal information “to resolve disputes between buyers and sellers, enforce the Company's advertising policy and prevent persons blocked from using the DBA's website from registering on new". DBA further stated that your profile and associated personal information would not be deleted and that information about you will be automatically deleted after 24 months of inactivity with DBA. 2.1. DBA’s comments DBA has generally stated that the company has rejected your request for deletion on the grounds that the company received three independent complaints from buyers of DBA against you. DBA has stated that it is crucial for the safety of DBA's users and the company's efforts to prevent fraud on DBA's platform that DBA can block and maintain the blocking of sellers who do not deliver the goods that buyers have paid for. DBA is therefore only able to maintain the block and prevent you from creating a new profile on DBA if the company stores information about you for identification. According to DBA, you have previously tried to bypass the block by creating new profiles via eight different email addresses. DBA has been able to close all of these profiles precisely because the company has been able to identify you based on the information. DBA has stated that the company does not store information about your CPR number. The DBA has stated that the storage of the information also enables the DBA to assist the police with a possible investigation. The DBA has further argued that the storage of the information about you may take place pursuant to Article 6 (1) of the Data Protection Regulation. 1, letter d, as this is the only way DBA can prevent you from creating a new profile on DBA's platform and cheating more buyers. Therefore, DBA is of the opinion that the company pursues a legitimate purpose and adheres to the principle of storage limitation 2.2. Your comments You have generally stated that you have the right to have your profile and associated personal information deleted by DBA, and that DBA’s continued storage of information about you is therefore illegal. Justification for the Danish Data Protection Agency's decision Pursuant to Article 17 (1) of the Data Protection Regulation 1, letter a, the data subject has the right to have personal data about himself deleted by the data controller without undue delay, and the data controller has a duty to delete personal data without undue delay if the data is no longer necessary to fulfill the purposes for which they were collected or otherwise treated. Furthermore, it follows from Article 17 (1) Article 21 (1) (c) requires the data controller to delete information if the data subject objects to the processing pursuant to Article 21 (1). And there are no legitimate reasons for the processing which precedes the objection or the data subject objects to the processing pursuant to Article 21 (1). 2. As the case is stated, the Danish Data Protection Agency finds that DBA processes the information in question about you in relation to the fact that several complaints have been received about you, and that you have therefore been blocked from accessing your profile on the basis of the "balancing rule" in Article 6 of the Data Protection Regulation. , PCS. Article 6 (1) (f) and not in the light of Article 6 (1) of the Data Protection Regulation. 1, letter d, as stated by the DBA. In this connection, the Danish Data Protection Agency finds that there is no basis for overriding DBA's assessment that the processing of the personal data in question is necessary for DBA to pursue a legitimate interest that precedes your interest in the data not being processed, cf. Article 6 (1) of the Data Protection Regulation 1, letter f. In this connection, the Danish Data Protection Agency has emphasized that DBA will only be able to block you from creating a new user by continuing to store the information in question. Pursuant to Article 21 (1) of the Data Protection Regulation 1, the data subject has at any time the right - for reasons relating to the person's special situation - to object to an otherwise lawful processing of his personal data. However, the right to object only applies when the processing of information takes place in the light of Article 6 (1) of the Regulation. 1, letter e or f. If the processing takes place pursuant to Article 6 (1) of the Regulation 1, letter e or f, an objection from the data subject means that the data controller must make a reassessment of the necessity of the processing and possibly stop the processing in continuation thereof and delete the information, cf. Article 17 (1) of the Data Protection Regulation. 1, letter c. If the data controller demonstrates compelling legitimate reasons for the processing that take precedence over the data subjects' interests, rights and freedoms, or the processing is necessary for legal claims to be established, asserted or defended, the processing may continue. In this connection, the Danish Data Protection Agency finds that you have not put forward such reasons regarding your special situation in support of your objection that your objection is justified, cf. Article 21 (1) of the Regulation. 1. After a review of the case, it is the Data Inspectorate's assessment that neither the condition in Article 17, skt. Article 17 (1) (a) or (c) is fulfilled, as are none of the other conditions of Article 17 (1). 1 is found relevant to deal with in the case, which is why you do not have the right to have the information deleted pursuant to Article 17 (1) of the Protection Regulation. 1. Furthermore, the Danish Data Protection Agency's assessment is that the processing cannot be considered to be in conflict with the principle of "storage limitation" in Article 5 (1) of the Data Protection Regulation. 1, letter e, as the information is automatically deleted at DBA after 24 months of inactivity. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).