BlnBDI (Berlin) - 521.13874
BlnBDI (Berlin) - 521.13874 | |
---|---|
Authority: | BlnBDI (Berlin) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 15(1) GDPR § 7(2)(3) UWG § 7(3)(4) UWG |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 15.10.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 521.13874 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | German German |
Original Source: | Datenanfragen.de (decision) (in DE) Datenanfragen.de (complaint text) (in DE) |
Initial Contributor: | Benjamin Altpeter (Baltpeter) |
BlnBDI issued reprimand to eBay shop for violating Article 6(1) GDPR by sending newsletters to a customer without consent, Article 12(3) GDPR by not responding to their access request within one month, and Article 15(1) GDPR by not providing a data copy and only incomplete details.
English Summary
Facts
A data subject placed an online order with an eBay shop (the controller). More than half a year later, the controller started sending them weekly newsletters via email. The controller's privacy policy claimed that newsletters would only be sent given consent (Article 6(1)(a) GDPR) but no consent was given by the data subject.
The data subject sent an access request (Article 15(1) and (3) GDPR) to the controller. Neither this request nor the data subject's warning after one month received any response from the controller.
Initially, the controller didn't respond to the DPA's request for a statement after the data subject's complaint either. Only after the DPA issued an administrative notice forcing the company to answer the access request and threatened a penalty payment otherwise, did the controller respond to the data subject.
This initial response however only mentioned the categories of data processed and didn't include a copy of the data. Only after another reclamation by the data subject did the controller provide a data copy.
Holding
The DPA held that the sending of the newsletter happened without a valid legal basis (Article 6(1) GDPR). The data subject had not given consent (Article 6(1)(a) GDPR). The controller could not claim a legitimate interest (Article 6(1)(f) GDPR) either. While the term "legitimate interest" is to be interpreted broadly, it cannot be assumed anymore if the processing violates another legal norm. § 7(2)(3) UWG (German Act against Unfair Competition) declares advertising using electronic mail without the addressee's prior express consent as an "unacceptable nuisance". The exemption under § 7(3)(4) UWG only applies if the controller clearly and unequivocally advised the data subject at the time of the collection of the email address that it will be used for advertising purposes. The controller had not done that by their own admission. Thus, the DPA concluded that the data subject's interests and fundamental rights overrode the controller's and no legitimate interest could be assumed.
The DPA further held that the controller had violated Article 12(3) GDPR by not responding to the data subject's access request within a period of one month.
The DPA finally held that the controller provided an incomplete response to the data subject's access request (Article 15(1) GDPR). In addition to the abstract categories of data, the actual data processed on the particular data subject has to be provided. The controller further didn't inform the data subject about the recipients of the personal data (Article 15(1)(c) GDPR). The DPA held that this has to include processors according to Article 28 GDPR. Finally, the controller's information about the period for which the personal data is stored (Article 15(1)(d) GDPR) was held to have been incomplete. The controller had only mentioned that the period was based on legal retention periods according to § 257 HGB and § 147 AO but the DPA held that this did not fulfill the requirements of Article 15(1)(d) GDPR. The controller either has to state the actual period or name the particular events (like the conclusion of a contract) that influence it.
The DPA issued a reprimand to the controller (Article 58(2)(b) GDPR).
Comment
Notably, the DPA's decision derives the right to a copy only from Article 15(1) GDPR, while other DPAs have held that Article 15(1) GDPR only applies to the meta information and that Article 15(3) GDPR is a separate right.
An official English translation of the UWG is available at: https://www.gesetze-im-internet.de/englisch_uwg/englisch_uwg.html
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Berlin representative D) for data protection Fa NG 22 OCT. and freedom of information Berlin Commissioner for atenschu and Freedom of Information Friedric 219, 1969 Berlin Registration number: .13874.13 (given) Date October 15, 2021 Completion message Your complaint dated December 21, 2021 Dear Sir or Madam, We hereby inform you that the complaint is passed on to you. examination procedure is completed. a violation of the General Data Protection Ordinance (GDPR) when processing your personal data also EEE we have based on the information provided to us for the following reasons can determine. Reason: I. We have established the following facts: You ordered goods from the company in January 2020 via the Ebay platform. From Octo- You received various promotional emails through December 2020, including on October 31 and November 7 ber, November 14th, November 21st, November 27th, December 5th, December 12th and December 18th ber. On December 5, 2020, you asked the company for information about your personal information Data according to Article 15 GDPR. By e-mail dated December 7, 2020, you reminded you of your concern. There was no response to either of the e-mails. The company has reported is the mistake of an employee who did not reply to "the e-mail" correctly. tete, which is why it then disappeared from the overview of the emails to be processed. In response to our address, the company then sent you an email of April 21, 2021 Information about the data categories stored by the company. This information lies before us. You then notified the company in an email dated April 24, 2021 that the Information is incomplete because it does not contain the specifically stored data the company then supplemented it with an email dated April 26, 2021. Berlin commissioner, speaking at 15 o'clock, Telef03013889-0 ‚Anfami public transport center: Data corruption information freDonnersta-1Uhr Telef030 155050 U-BahLin6e tationhstr. Visitor entrance Elgem.3aAbs.VwVIGöffnuBusLinM29und 248 Friedrich219. Puttkamers16-18 mailbox@datenschutz-berlin.de 1096Berlin wheelchair-accessible https «// datenschutz-berliu .dell. The facts determined are legally assessed as follows: Illegal processing by sending advertising emails According to Article 6 (1) GDPR, the processing and use of personal data is only permissible as long as this can be supported on a legal basis. A legitimate interest of the company in accordance with Article 6 (1) (f) GDPR for advertising Your data was not used here. Although the term is legitimate interest However, a legitimate interest can no longer be assumed in any case. if the data processing violates other legal norms. According to Article 7 (2) No. 3 UWG, emails for the purpose of direct marketing are presumable harassment if the recipient has not given their consent. he exception According to Section 4, Number 4 UWG, metatStock requires, among other things, that the person concerned the use of the data is clearly indicated that the advertising is being used. The enterprise himself admitted that this was not the case here. That was the end of the promotional emails not permitted according to Section 7WG. Accordingly, prevail in the weighing of interests Article 6 (1) (f) GDPR, your fundamental rights and interests. No consent was given. The advertising use of his e-mail address constitutes a violation of Article 6 Paragraph 1 DS- GMOs. No response to requests for information According to Article 12, Paragraph 3, Clause 1 of the GDPR, the person responsible has the about the measures taken in accordance with Articles 15 to 22 GDPR to be made available in each case but within one month of receipt of the sluggish. Your request for information of December 5, 2020 was answered on April 21, 2021 delayed. amit is in violation of Article 12 (3) GDPR. Incomplete information According to Article 15, Paragraph 1.2. HS. Every data subject has the GDPR in the event of processing your data a right to information about this data as well as the under lita) - h) Information, in particular categories of personal data (litb). but should be put in a position to check the data processing and, if necessary, to to assert further rights, e.g. to correction or deletion. It must therefore be next to the abstract data categories and those specifically stored for the individual information about these personal data ("Information about this personal data"). In its information dated April 21, 2021, however, the company only has the processed communicated to the processed data categories. You will only have specific data after a new request. standing. In addition, the additional information to be provided in accordance with Article 15 (1) a) to) DS- GMO incomplete: e According to Article 15 Paragraph 1 lit. c) GDPR, those affected must inform about the recipients of their . personal data are informed. This also includes processors i.S. d.Art.28 GDPR. In its information, the company has not given any information on this. power. e Pursuant to Article 15 (1) (d) GDPR, those affected must, as far as possible, be informed about the planned duration for which the personal data will be stored or, if so is not possible to be informed of the criteria for determining this duration. The information must be so precise that it can be seen by the data subject how long your data will be processed. Insofar as an indication of the deletion time t it is not possible, at least the duration of storage periods and the start of these Deadline between the triggering event (e.g. termination of a contract, expiry warranty period, etc.). The mere reference to the statutory retention notice period is not sufficient. The notification of the planned storage period is based on the legal retention periods according to $ 257 HGB and 8 147 AO do not meet these requirements. Il. We inform the company of this legal assessment. Oppose the company we issue a warning in accordance with Article 58 (2) GDPR. Further regulatory We reserve the right funds, especially in the case of repetition. As far as your complaint is concerned, the matter is considered to be closed. sen. Legal appeal An action against this decision is admissible before the Berlin Administrative Court. ie is- within one month after notification of this decision to the administrative court lin, irchstraße 7, 10557 Berlin, in writing and as an electronic document by means of his qualified electronic signature (QES) - or for the record of the clerk gain. It should be noted that in the event of a written complaint, the deadline for the action is only is then respected if the action was received by the administrative court within this period is. Kind regards