IMY (Sweden) - DI-2020-10547
IMY - DI-2020-10547 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 6(1) GDPR, Article 12(3) GDPR, Article 21 GDPR, Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.04.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DI-2020-10547 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | Lauren |
Pursuant to Article 60 GDPR, the Swedish DPA issued a reprimand against a newspaper subscription service, which violated Articles 6(1), 12(3) and 21(2) GDPR by failing to stop sending marketing emails despite the data subject's objection.
English Summary
Facts
In this Article 60 GDPR procedure, the Swedish DPA initiated supervision regarding the controller due to a complaint. The handover of the complaint was made by the German DPA, where the data subject lodged his complaint. The CSAs were located in Germany, Norway, Spain, Denmark, Poland, Italy and Portugal.
The controller provided a subscription service for the digital distribution of newspapers and magazines in an app. On 5 November 2019, the data subject registered as a customer and user of the controller’s service and declined to receive e-mails from the controller on the same day. Nevertheless, the data subject received e-mails from the controller in the following days. The data subject stated in the complaint that the date of the infringement was 12 November 2019. It was not until the data subject contacted the company's customer service on 28 November 2019 that the controller stopped sending e-mails.
The controller stated that the data subject contacted the controller on 28 November 2019. It sent the data subject an e-mail on 29 November 2019 confirming that the data subject's e-mail address was unsubscribed from all future e-mails. The data subject later asked why he had received e-mails even though he had unsubscribed. The controller stated that it was a mistake caused by human error and was fixed after the data subject contacted the controller. The controller claimed that the legal basis for the processing involved in the mailings was either performance of a contract (Article 6(1)(b) GDPR) or, if the mailings were considered marketing, legitimate interest (Article 6(1)(f) GDPR).
The DPA considered that, in order for personal data processing to be considered lawful, at least one of the conditions set out in Article 6(1) GDPR must be fulfilled.
The DPA also considered the rights of data subjects to object to processing of their personal data.
According to Article 21(1), the data subject shall have the right, on grounds relating to his or her specific situation, to object at any time to the processing of personal data relating to him or her based on Article 6(1)(e) GDPR or Article 6(1)(f) GDPR, including profiling based on these provisions. The controller may no longer process the personal data unless it can demonstrate compelling legitimate reasons for the processing which override the interests of the data subject.
Under Article 21(2) GDPR, data subjects have the right at all times to object to their personal data being used for direct marketing purposes. If an objection is made to direct marketing, the personal data may no longer be processed for such purposes (Article 21(3) GDPR). Article 12(3) GDPR requires requests under Article 21 GDPR to be dealt with without undue delay and in any event within one month at the latest.
Holding
The DPA assessed whether the controller's cancellation of the e-mail subscription was compliant with the GDPR.
The DPA first examined the legal bases for processing relied on by the controller, which were performance of contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR). The DPA found that the main purpose of the contract between the data subject and the controller was the ability to read newspapers and magazines digitally. The DPA noted that several of the e-mails contained information on how the data subject could further optimize the service according to the data subject's personal interests and receive personalized recommendations based on their reading history. The DPA considered that, although the controller informed users on its website that it offered personalized content, it could not be assumed that an average user understands or perceives this to be a necessary part of the service. The fact that the controller also offered the opportunity to unsubscribe from such e-mails suggested that the processing was not necessary for the performance of the contract. Therefore, the DPA did not consider Article 6(1)(b) GDPR to be a valid legal basis.
Subsequently, the DPA considered that the e-mails were primarily intended to improve the access to and experience of the service and that the individually adapted content constituted direct marketing. The data subject therefore had the right to object to the processing under Article 21(2) GDPR. The controller was also obliged to stop sending the e-mails. Since the data subject still received marketing e-mails for another 23 days after unsubscribing, the controller failed to act without undue delay and therefore violated Article 21(3) and 12(3) GDPR. When a data subject objects to direct marketing, further processing of his or her personal data is no longer permitted for such purposes. Therefore, there was no lawful basis for the processing of personal data for direct marketing purposes, in violation of Article 6(1) GDPR.
When deciding the penalty, the DPA considered the infringement was negligent. The DPA determined that the controller had taken action when it understood the data subject's intentions. The DPA therefore issued a reprimand pursuant to Article 58(2)(b) instead of imposing fines.
Comment
The EDPB only provides an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) final decision 2022-04-1, no. DI-2020-10547. Only the Swedish version of the decision is deemed authentic.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) final decision 2022-04-1, no. DI-2020-10547. Only the Swedish version of the decision is deemed authentic.
Ref no: DI-2020-10547, IMI case no. 116489
Date of draft decision: 2022-04-01
Date of translation: 2022-04-04
Supervision under the General Data Protection Regulation – Readly AB
Decision of the Swedish Authority for Privacy Protection
The Swedish Authority for Privacy Protection finds that Readly AB has violated
• Article 21(3) and 12(3) of the General Data Protection Regulation [1] by continuing to process personal data for direct marketing purposes after the complainant objected to such processing on 5 November 2019 in accordance with their right under Article 21(2).
• Article 6.1 of the General Data Protection Regulation by sending direct marketing e-mails to the complainant on 12, 15, 19 and 23 November 2019 without having a lawful basis for the processing.
The Swedish Authority for Privacy Protection gives Readly AB a reprimand in accordance with Article 58(2)(b) of the General Data Protection Regulation for the infringement of Article 21(3), 12(3), 6(1).
Report on the supervisory report
The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding Readly AB (Readly or the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority for the company’s operations pursuant to Article 56 of the General Data Protection Regulation (GDPR). The handover has been made from the supervisory authority of the country where the complainant lodged their complaint (Germany) in accordance with the Regulation’s provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence.
In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Norway, Spain, Denmark, Poland, Italy and Portugal.
[1] Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with respect to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00
Privacy Protection Authority Our ref: Di-2021-10547 Date: 2022-04-01
The complaint
Complaint from Germany with national reference number: 521.12106/ 631.145
The company provides a service, ‘Readly’, for digital distribution of newspapers and magazines. The complaint essentially states the following.
The complainant registered as a customer and user of the company’s service on 5 November 2019 and declined to receive e-mails from the company on the same day through their user account. Nevertheless, the complainant received e-mails from the company on 12, 15, 19 and 23 November 2019. The complainant also received an e-mail on 6 November 2019 but states in the complaint that they can allow that mailing to pass. The complainant also states in the complaint that the date of the infringement is 12 November 2019. It was not until the complainant contacted the company's customer service on 28 November 2019 that the mailings stopped.
What Readly AB has stated
The company essentially states the following.
On 28 November 2019, the complainant contacted the company's customer service and, on the same day, the company took steps to make sure the complainant would not receive further e-mails.
The company’s customer service confirmed by e-mail to the complainant on 29 November 2019 that the complainant's e-mail address was unsubscribed from all future e-mails. On 2 December 2019, the complainant requested an explanation of why they had received e-mails even though they had unsubscribed. On 3 December 2019, the company informed the complainant that it was a mistake caused by human error, which the company took measures on, on 28 November 2019.
The company states that they make a distinction between mailings that have the contract as a lawful basis, from mailings for marketing purposes, which are based on legitimate interest. The e-mails received by the complainant were intended to communicate with the user about the service and have the customer contract as a lawful basis. The e-mails are part of the company’s welcome routine for newly registered users. The purpose of the e-mails is to explain to the user how the service works and what functionality the service contains.
The company argues that the e-mails received by the complainant are necessary in order to, and in accordance with the contract, provide the user with individually tailored content, e.g. to recommend newspapers and magazines that the user is likely to be interested in, based on the user’s reading history. According to the company, users normally expect the service to adapt the content based on the customer’s use of the service. Since the e-mails have been part of the service, the processing of personal data as a result of the mailings has been necessary and thus had the contract as a lawful basis. The company offers users to unsubscribe from these e-mails, which is offered as a part of the service. Readly, therefore, takes the view that the complainant's personal data was not processed for marketing purposes.
If the mailings were to be regarded as marketing and the processing of personal data cannot be based on a contract as a lawful basis, the company believes that the processing of personal data instead has the purpose of communicating with the user for marketing purposes and relies on the company’s legitimate interests.
Justification of the decision
Applicable provisions, etc.
In order for personal data processing to be considered lawful, at least one of the conditions set out in Article 6(1) GDPR must be fulfilled. This means either that the data subject has given consent to the processing referred to in point (a) which fulfils the conditions set out in Article 4(11) and Article 7 or that the processing is necessary in one of the contexts listed in points (b) to (f), for example, for the performance of a contract to which the data subject is party or to take action at the request of the data subject prior to the conclusion of such a contract (point (b)) or for the purposes of the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject override and require the protection of personal data (point (f)). There may be several applicable legal bases for the same treatment. [2]
Under Article 21(1), an individual shall have the right, on grounds relating to his or her specific situation, to object at any time to the processing of personal data relating to him or her based on Article 6(1)(e) (data carried out in the public interest or the exercise of official authority) or (f) (legitimate interest), including profiling based on those provisions. The controller may no longer process the personal data unless it can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.
Under Article 21(2), individuals have the right at all times to object to their personal data being used for direct marketing purposes. If an objection is made to direct marketing, the personal data may no longer be processed for such purposes, as follows from Article 21(3).
Article 12(3) requires requests under Article 21 to be dealt with without undue delay and in any event within one month at the latest. This period may, if necessary, be extended by a further two months, taking into account the complexity of a request and the number of requests received.
Assessment of the Authority for Privacy Protection (IMY)
Starting points on contract as a lawful basis under Article 6(1) General Data Protection Regulation
Where a contract is to provide a lawful basis for the processing of personal data, the processing of personal data must be necessary either for the performance of the contract with the data subject or for taking steps at the request of the data subject prior to entering into a contract. When assessing whether the processing is necessary, account shall be taken of the nature of the service, the expectations of the average user in relation to the contractual terms and conditions and how the service is marketed, and whether the service can be provided without that specific processing.
However, the mere fact that a processing of personal data is mentioned in a contract does not automatically mean that the processing is necessary for the performance of the contract. The processing must be objectively necessary for the performance of the specific contract. It is not enough that the processing is “useable”. A controller should be able to demonstrate that the main purpose of the specific contract cannot in practice be achieved if the processing in question is not carried out. [3]
As a general rule, the processing of personal data for the purpose of providing behavioural advertising is not necessary for the performance of an online service contract. If a user has paid a service provider to have certain goods or/and services delivered without the intention of having their preferences and lifestyle profiled through click history on a website, it is difficult to claim that the contract could not have been performed without the behavioural advertising. [4]
[2] Judgement of 9 March 2017, Manni, C-398/15, EU:C:2017:197, paragraph 42.
Has the company infringed Article 12.3 and 21 of the General Data Protection Regulation?
In the present case, in the light of the complaint, IMY has to assess whether canceling the e-mail subscription 23 days after the complainant’s request, made by declining through their account on 5 November 2019, was in accordance with the GDPR.
The first question for IMY to examine is whether the complainant had a right to object to that specific type of mailing and which lawful basis the processing is based on. The company claims, first, that the processing is based on the contract with the complainant and, in the alternative, on its legitimate interests.
Readly AB provides a subscription service for the digital distribution of newspapers and magazines in an app. Therefore, the specific service purchased by a user by entering into a contract with the company is the ability to read newspapers and magazines digitally, which IMY finds to be the main purpose of the contract. A review of Readly’s website (landing page) shows that their service is mainly marketed as follows:
• a digital subscription service without a binding time,
• the possibility to use offline mode,
• access to the latest and previous editions;
• unlimited reading at a low cost and
• the possibility of family sharing.
On the basis of the contract, the company processes its customers’ personal data in order to provide the service and for payment purposes.
In order for the company to be able to process the personal data for other purposes with the contract as a lawful basis, the company needs to be able to demonstrate that the processing is necessary for the performance of the contract with the data subject.
In the present case, the company has sent an e-mail to the complainant with the purpose of communicating about the service, which the company believes can rely on the contract as a lawful basis. However, it should be noted that several of the e-mails have contained information on how the complainant can further optimize the service according to the complainant's personal interests and receive personalized recommendations based on their reading history. At least one of the e-mails contained individually tailored suggestions that stated "Find your favorite magazines and discover similar titles. Start with these ones we’ve highlighted just for you".
[3] European Data Protection Board’s Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, para. 57.
[4] Article 29 Data Protection Working Party - Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 p. 13-14 and
[5] Accessed from the company’s website, https://.com/gb-21 (visited 2021-10-20); Translated by IMY
The company states on its website that they offer suggestions for recommended reading when purchasing an online subscription. Although the company informs that they offer personalized content, it cannot be assumed that an average user understands or perceives this to be a necessary part of the service. The fact that the company also offers the opportunity to unsubscribe from such e-mails suggests that the processing of personal data was not necessary for the performance of the contract.
According to IMY, the e-mails received by the complainant with individually tailored content are not objectively necessary to fulfill the main purpose of the contract, i.e. providing a digital newspaper and magazine subscription. IMY finds that these e-mails cannot be based on Article 6(1)(b) GDPR.
IMY considers that the e-mails are primarily intended to improve the access to and experience of the service and that the individually adapted content constitutes direct marketing. The complainant therefore had the right to object to the processing of their personal data under Article 21(2) and, after receiving such an objection, the company was obliged to stop sending e-mails for direct marketing purposes.
After the complainant unsubscribed they still received marketing e-mails for another 23 days, which according to the company was due to an oversight and human error on their part. IMY finds that the company has not, in this case, acted without undue delay and therefore violated Article 21(3) and 12(3) of the GDPR.
The company's statement, that if the processing of personal data cannot be based on a contract as a lawful basis, it may instead support the processing on legitimate interest, does not affect IMY's assessment of the violation of Article 21(3) and 12(3).
Has the company infringed Article 6.1 of the General Data Protection Regulation?
In the present case, in the light of the complaint, IMY has to assess whether the processing complained of by the complainant has been carried out in accordance with the GDPR. It is clear from the complaint that it does not cover the mailing on 6 November. IMY’s assessment is therefore focused on whether the company has had a lawful basis for the e-mails sent between 12 and 23 November 2019.
When a data subject objects to direct marketing, further processing of his or her personal data is no longer permitted for such purposes. That means that there is then no lawful basis for the processing.
In order to determine when the company has ceased to have a lawful basis for the processing, it must be assessed when the objection should in any event have been dealt with.
Where a data subject objects to direct marketing pursuant to Article 21(2), the controller shall cease mailings for direct marketing purposes. Since that right is unconditional, there is no need for individual examination of such an objection. The objection should therefore be dealt with promptly and routinely. The company also has an automated system that aims to easily capture the data subject’s intention, i.e. to object to direct marketing. The complainant's intention to object to direct marketing was therefore not unclear to the company.
[6] The GDPR does not define the terms ‘marketing’ or ‘direct marketing’. However, recital 47 mentions direct marketing as an example of what may be a legitimate interest under Article 6(1)(f). In the Swedish Marketing Act (2008:486) marketing is defined as: "advertising and other measures in the course of business activities which are intended to promote the sale of and access to products including a trader’s actions, omissions or other measures or behaviour before, during or after sale or delivery of products to consumers or traders." The International Chamber of Commerce (ICC) Advertising and marketing communication code (ICC Code), 2018 edition, Chapter C, define the term “direct marketing” as " communication, by whatever means, of advertising or marketing material carried out by a direct marketer itself or on its behalf, and which is directed to particular individuals using their personal contact information (including mailing address, telephone number, email address, mobile phone number, facsimile, personal social media account handle, and the like." Available here; icc-advertising-and-marketing-communications-code-int.pdf (iccwbo.org)
This suggests that the time limit within which the objection should have been dealt with in this case is short.
According to Article 12(3) a request under Articles 15 to 22 shall be dealt with without undue delay. The complainant objected on 5 November 2019 pursuant to Article 21 and thereafter received marketing e-mails on 12, 15, 19 and 23 November 2019. Between 5 and 12 November six days passed. In view of the foregoing, IMY considers that the company should have handled the complainant’s objection at least after six days. It therefore did not handle the objection without undue delay and, consequently, had no lawful basis for processing the complainant’s personal data for direct marketing purposes. The direct marketing mailings on 12, 15, 19 and 23 November 2019 meant that the company processed the complainant’s personal data in violation of Article 6(1) of the GDPR.
Choice of corrective measure
Pursuant to Article 58(2)(i) and Article 83(2) IMY has the authority to impose administrative fines in accordance with Article 83. Depending on the circumstances of the individual case, administrative fines may be imposed in addition to or instead of the other measures referred to in Article 58(2). Furthermore, Article 83(2) states which factors should be taken into account in decisions on whether administrative fines should be imposed and when determining the amount of the fine. In case of a minor infringement, IMY may, as stated in Recital 148, instead of imposing a sanction fee, issue a reprimand pursuant to Article 58(2)(b). In this assessment, regard shall be taken to aggravating and mitigating circumstances in the case, such as the nature of the infringement, severity and duration as well as previous infringement of relevance.
IMY notes that the time passed before the company acted was relatively short. The data in question was not special category data nor other types of particularly integrity-sensitive data.
The infringement was negligent, and when the company understood the complainant's intentions actions were taken. Against this background IMY considers that it is a matter of a minor infringement within the meaning of recital 148 and that Readly AB should be given a reprimand pursuant to Article 58(2)(b) of the GDPR for the stated infringement.
This decision has been made by the specially appointed decision-maker after presentation by legal advisor .
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown on the first page of the decision.