IMY (Sweden) - DI-2020-10547

From GDPRhub
Revision as of 15:52, 25 October 2022 by Kv
IMY - DI-2020-10547
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 6(1) GDPR; Article 12(3) GDPR; Article 21 GDPR; Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.04.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DI-2020-10547
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: Lauren

Following an Article 60 GDPR cooperation procedure, the Swedish DPA issued a reprimand against a newspaper subscription service which violated Articles 6(1), 12(3) and 21(2) GDPR by failing to stop sending marketing emails despite the data subject's objection.

English Summary

Facts

Prompted by a complaint, the Swedish DPA initiated supervision pursuant to Article 56 GDPR in accordance with the Article 60 GDPR cooperation mechanism. The handover of the complaint was made by a German DPA, where the data subject lodged his complaint. The concerned supervisory authorities were located in Germany, Norway, Spain, Denmark, Poland, Italy, and Portugal.

The concerned controller provided a subscription service for the digital distribution of newspapers and magazines in an app. On 5 November 2019, the data subject registered as a customer and user of the controller’s service but simultaneously declined to receive e-mails from the controller. Nevertheless, in the following days the data subject received e-mails from the controller. The data subject stated in the complaint that the date of the infringement was 12 November 2019. It was not until the data subject contacted the company's customer service on 28 November 2019 that the controller stopped sending e-mails.

The controller confirmed that the data subject contacted it on 28 November 2019. It sent the data subject an e-mail on 29 November 2019, confirming that the data subject's e-mail address was unsubscribed from all future e-mails. The controller further stated that the mistake was caused by human error and fixed as soon as the data subject reached out. The controller claimed that the legal basis for the mailings was either performance of a contract (Article 6(1)(b) GDPR) or, if the mailing was considered marketing, legitimate interest (Article 6(1)(f) GDPR).

Holding

First, the DPA pointed out the applicable provisions.

It noted that the processing of personal data must meet at least one of the conditions set out in Article 6(1) GDPR. Also, the DPA considered the rights of data subjects to object to processing of their personal data. Namely, according to Article 21(1) GDPR, the data subject shall have the right to object at any time to the processing of personal data relating to him or her based on Article 6(1)(e) GDPR or Article 6(1)(f) GDPR. In such a case, controllers may no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests of the data subjects. Additionally, under Article 21(2) GDPR, data subjects have the right at all times to object to their personal data being used for direct marketing purposes. Pursuant to Article 21(3) GDPR, if an objection is made to direct marketing, the personal data may no longer be processed for such purposes. Article 12(3) GDPR requires requests under Article 21 GDPR to be dealt with without undue delay and in any event within one month at the latest.

Second, the DPA assessed the case and held that the controller's failure to cancel the e-mail subscription was in violation of the GDPR. The DPA first examined the legal bases for processing relied on by the controller, which were performance of contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR).

The DPA found that the main purpose of the contract between the data subject and the controller was the ability to read newspapers and magazines digitally. The DPA noted that several of the e-mails contained information on how the data subject could further optimize the service according to the data subject's personal interests and receive personalized recommendations based on their reading history. The DPA considered that it could not be assumed that an average user would understand or perceive this to be a necessary part of the service. Moreover, the fact that the controller also offered the opportunity to unsubscribe from such e-mails suggested that the processing was not necessary for the performance of the contract. Therefore, the DPA did not consider Article 6(1)(b) GDPR to be a valid legal basis.

Subsequently, the DPA considered that the e-mails were primarily intended to improve the access to the service and that individually adapted content constituted direct marketing. The data subject therefore had the right to object to the processing under Article 21(2) GDPR. The controller was also obliged to stop sending the e-mails. Since the data subject still received marketing e-mails for another 23 days after unsubscribing, the controller failed to act without undue delay and therefore violated Articles 21(3) and 12(3) GDPR. When a data subject objects to direct marketing, further processing of his or her personal data is no longer permitted for such purposes.

Consequently, there was also no lawful basis for the processing for direct marketing purposes, in violation of Article 6(1) GDPR. The DPA considered that the infringement was negligent. The DPA determined that the controller had taken action when it understood the data subject's intentions. The DPA therefore issued a reprimand pursuant to Article 58(2)(b) GDPR instead of imposing fines.

Comment

The EDPB only provides an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) final decision 2022-04-1, no. DI-2020-10547. Only the Swedish version of the decision is deemed authentic.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) final decision 2022-04-1, no. DI-2020-10547. Only the Swedish version of the decision is deemed authentic.

Supervision under the General Data Protection Regulation – Readly AB

Ref no: DI-2020-10547, IMI case no. 116489
Date of draft decision: 2022-04-01
Date of translation: 2022-04-04

Decision of the Swedish Authority for Privacy Protection

The Swedish Authority for Privacy Protection finds that Readly AB has violated

• Article 21(3) and 12(3) of the General Data Protection Regulation [1] by continuing to process personal data for direct marketing purposes after the complainant objected to such processing on 5 November 2019 in accordance with their right under Article 21(2).
• Article 6.1 of the General Data Protection Regulation by sending direct marketing e-mails to the complainant on 12, 15, 19 and 23 November 2019 without having a lawful basis for the processing.

The Swedish Authority for Privacy Protection gives Readly AB a reprimand in accordance with Article 58(2)(b) of the General Data Protection Regulation for the infringement of Article 21(3), 12(3), 6(1).

Report on the supervisory report

The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding Readly AB (Readly or the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority for the company’s operations pursuant to Article 56 of the General Data Protection Regulation (GDPR). The handover has been made from the supervisory authority of the country where the complainant lodged their complaint (Germany) in accordance with the Regulation’s provisions on cooperation in cross-border processing.

The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Norway, Spain, Denmark, Poland, Italy and Portugal.

[1] Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with respect to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00

Privacy Protection Authority. Our ref: Di-2021-10547. Date: 2022-04-01

The complaint

Complaint from Germany with national reference number: 521.12106/ 631.145

The company provides a service, ‘Readly’, for digital distribution of newspapers and magazines.

The complaint essentially states the following. The complainant registered as a customer and user of the company’s service on 5 November 2019 and declined to receive e-mails from the company on the same day through their user account. Nevertheless, the complainant received e-mails from the company on 12, 15, 19 and 23 November 2019. The complainant also received an e-mail on 6 November 2019 but states in the complaint that they can allow that mailing to pass. The complainant also states in the complaint that the date of the infringement is 12 November 2019. It was not until the complainant contacted the company's customer service on 28 November 2019 that the mailings stopped.

What Readly AB has stated

The company essentially states the following.

On 28 November 2019, the complainant contacted the company's customer service and, on the same day, the company took steps to make sure the complainant would not receive further e-mails. The company’s customer service confirmed by e-mail to the complainant on 29 November 2019 that the complainant's e-mail address was unsubscribed from all future e-mails. On 2 December 2019, the complainant requested an explanation of why they had received e-mails even though they had unsubscribed. On 3 December 2019, the company informed the complainant that it was a mistake caused by human error, which the company took measures to address on 28 November 2019.

The company states that they make a distinction between mailings that have the contract as a lawful basis and mailings for marketing purposes, which are based on legitimate interest. The e-mails received by the complainant were intended to communicate with the user about the service and have the customer contract as a lawful basis. The e-mails are part of the company’s welcome routine for newly registered users. The purpose of the e-mails is to explain to the user how the service works and what functionality the service contains. The company argues that the e-mails received by the complainant are necessary in order to provide the user, in accordance with the contract, with individually tailored content, e.g. to recommend newspapers and magazines that the user is likely to be interested in, based on the user’s reading history. According to the company, users normally expect the service to adapt the content based on the customer’s use of the service. Since the e-mails have been part of the service, the processing of personal data as a result of the mailings has been necessary and thus had the contract as a lawful basis. The company offers users the option to unsubscribe from these e-mails, which is offered as a part of the service.

Readly, therefore, takes the view that the complainant's personal data was not processed for marketing purposes. If the mailings were to be regarded as marketing and the processing of personal data cannot be based on a contract as a lawful basis, the company believes that the processing of personal data instead has the purpose of communicating with the user for marketing purposes and relies on the company’s legitimate interests.

Justification of the decision

Applicable provisions, etc.

In order for personal data processing to be considered lawful, at least one of the conditions set out in Article 6(1) GDPR must be fulfilled. This means either that the data subject has given consent to the processing referred to in point (a) which fulfils the conditions set out in Article 4(11) and Article 7 or that the processing is necessary in one of the contexts listed in points (b) to (f), for example, for the performance of a contract to which the data subject is party or to take action at the request of the data subject prior to the conclusion of such a contract (point (b)) or for the purposes of the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject override and require the protection of personal data (point (f)). There may be several applicable legal bases for the same treatment. [2]

Under Article 21(1), an individual shall have the right, on grounds relating to his or her specific situation, to object at any time to the processing of personal data relating to him or her based on Article 6(1)(e) (a task carried out in the public interest or the exercise of official authority) or (f) (legitimate interest), including profiling based on those provisions. The controller may no longer process the personal data unless it can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

Under Article 21(2), individuals have the right at all times to object to their personal data being used for direct marketing purposes. If an objection is made to direct marketing, the personal data may no longer be processed for such purposes, as follows from Article 21(3).

Article 12(3) requires requests under Article 21 to be dealt with without undue delay and in any event within one month at the latest. This period may, if necessary, be extended by a further two months, taking into account the complexity of a request and the number of requests received.

Assessment of the Authority for Privacy Protection (IMY)

Starting points on contract as a lawful basis under Article 6(1) General Data Protection Regulation

Where a contract is to provide a lawful basis for the processing of personal data, the processing of personal data must be necessary either for the performance of the contract with the data subject or for taking steps at the request of the data subject prior to entering into a contract.

When assessing whether the processing is necessary, account shall be taken of the nature of the service, the expectations of the average user in relation to the contractual terms and conditions and how the service is marketed, and whether the service can be provided without that specific processing. However, the mere fact that a processing of personal data is mentioned in a contract does not automatically mean that the processing is necessary for the performance of the contract. The processing must be objectively necessary for the performance of the specific contract. It is not enough that the processing is “useable”. A controller should be able to demonstrate that the main purpose of the specific contract cannot in practice be achieved if the processing in question is not carried out. [3]

[2] Judgement of 9 March 2017, Manni, C-398/15, EU:C:2017:197, paragraph 42.

As a general rule, the processing of personal data for the purpose of providing behavioural advertising is not necessary for the performance of an online service contract. If a user has paid a service provider to have certain goods and/or services delivered without the intention of having their preferences and lifestyle profiled through click history on a website, it is difficult to claim that the contract could not have been performed without the behavioural advertising. [4]

Has the company infringed Article 12.3 and 21 of the General Data Protection Regulation?

In the present case, in the light of the complaint, IMY has to assess whether canceling the e-mail subscription 23 days after the complainant’s request, made by declining through their account on 5 November 2019, was in accordance with the GDPR.

The first question for IMY to examine is whether the complainant had a right to object to that specific type of mailing and which lawful basis the processing is based on. The company claims, first, that the processing is based on the contract with the complainant and, in the alternative, on its legitimate interests.

Readly AB provides a subscription service for the digital distribution of newspapers and magazines in an app. Therefore, the specific service purchased by a user by entering into a contract with the company is the ability to read newspapers and magazines digitally, which IMY finds to be the main purpose of the contract. A review of Readly’s website (landing page) shows that their service is mainly marketed as follows:

• a digital subscription service without a binding time,
• the possibility to use offline mode,
• access to the latest and previous editions,
• unlimited reading at a low cost and
• the possibility of family sharing.

On the basis of the contract, the company processes its customers’ personal data in order to provide the service and for payment purposes. In order for the company to be able to process the personal data for other purposes with the contract as a lawful basis, the company needs to be able to demonstrate that the processing is necessary for the performance of the contract with the data subject.

In the present case, the company has sent an e-mail to the complainant with the purpose of communicating about the service, which the company believes can rely on the contract as a lawful basis. However, it should be noted that several of the e-mails have contained information on how the complainant can further optimize the service according to the complainant's personal interests and receive personalized recommendations based on their reading history. At least one of the e-mails contained individually tailored suggestions that stated "Find your favorite magazines and discover similar titles. Start with these ones we’ve highlighted just for you".

[3] European Data Protection Board’s Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, para. 57.
[4] Article 29 Data Protection Working Party - Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 p. 13-14 and
[5] Accessed from the company’s website, https://.com/gb-21 (visited 2021-10-20); Translated by IMY

The company states on its website that they offer suggestions for recommended reading when purchasing an online subscription. Although the company informs that they offer personalized content, it cannot be assumed that an average user understands or perceives this to be a necessary part of the service. The fact that the company also offers the opportunity to unsubscribe from such e-mails suggests that the processing of personal data was not necessary for the performance of the contract. According to IMY, the e-mails received by the complainant with individually tailored content are not objectively necessary to fulfill the main purpose of the contract, i.e. providing a digital newspaper and magazine subscription. IMY finds that these e-mails cannot be supported by Article 6(1)(b) GDPR.

IMY considers that the e-mails are primarily intended to improve the access to and experience of the service and that the individually adapted content constitutes direct marketing. [6] The complainant therefore had the right to object to the processing of their personal data under Article 21(2) and, after receiving such an objection, the company was obliged to stop sending e-mails for direct marketing purposes.

After the complainant unsubscribed they still received marketing e-mails for another 23 days, which according to the company was due to an oversight and human error on their part. IMY finds that the company has not, in this case, acted without undue delay and therefore violated Article 21(3) and 12(3) of the GDPR.

The company's statement, that if the processing of personal data cannot be based on a contract as a lawful basis, it may instead base the processing on legitimate interest, does not affect IMY’s assessment of the violation of Article 21(3) and 12(3).

Has the company infringed Article 6.1 of the General Data Protection Regulation?

In the present case, in the light of the complaint, IMY has to assess whether the processing complained of by the complainant has been carried out in accordance with the GDPR. It is clear from the complaint that it does not cover the mailing on 6 November. IMY’s assessment is therefore focused on whether the company has had a lawful basis for the e-mails sent between 12 and 23 November 2019.

When a data subject objects to direct marketing, further processing of his or her personal data is no longer permitted for such purposes.

That means that there is then no lawful basis for the processing. In order to determine when the company has ceased to have a lawful basis for the processing, it must be assessed when the objection should in any event have been dealt with.

Where a data subject objects to direct marketing pursuant to Article 21(2), the controller shall cease mailings for direct marketing purposes. Since that right is unconditional, there is no need for individual examination of such an objection. The objection should therefore be dealt with promptly and routinely. The company also has an automated system that aims to easily capture the data subject’s intention, i.e. to object to direct marketing. The complainant's intention to object to direct marketing was therefore not unclear to the company. This suggests that the time limit within which the objection should have been dealt with in this case is short.

[6] The GDPR does not define the terms ‘marketing’ or ‘direct marketing’. However, recital 47 mentions direct marketing as an example of what may be a legitimate interest under Article 6(1)(f). In the Swedish Marketing Act (2008:486) marketing is defined as: "advertising and other measures in the course of business activities which are intended to promote the sale of and access to products including a trader’s actions, omissions or other measures or behaviour before, during or after sale or delivery of products to consumers or traders." The International Chamber of Commerce (ICC) Advertising and marketing communication code (ICC Code), 2018 edition, Chapter C, defines the term “direct marketing” as "communication, by whatever means, of advertising or marketing material carried out by a direct marketer itself or on its behalf, and which is directed to particular individuals using their personal contact information (including mailing address, telephone number, email address, mobile phone number, facsimile, personal social media account handle, and the like)." Available here: icc-advertising-and-marketing-communications-code-int.pdf (iccwbo.org)

According to Article 12(3) a request under Articles 15 to 22 shall be dealt with without undue delay. The complainant objected on 5 November 2019 pursuant to Article 21 and thereafter received marketing e-mails on 12, 15, 19 and 23 November 2019. Between 5 and 12 November six days passed.

In view of the foregoing, IMY considers that the company should have handled the complainant’s objection at least after six days. It therefore did not handle the objection without undue delay and, consequently, had no lawful basis for processing the complainant’s personal data for direct marketing purposes. The direct marketing mailings on 12, 15, 19 and 23 November 2019 meant that the company processed the complainant’s personal data in violation of Article 6(1) of the GDPR.

Choice of corrective measure

Pursuant to Article 58(2)(i) and Article 83(2) IMY has the authority to impose administrative fines in accordance with Article 83. Depending on the circumstances of the individual case, administrative fines may be imposed in addition to or instead of the other measures referred to in Article 58(2). Furthermore, Article 83(2) states which factors should be taken into account in decisions on whether administrative fines should be imposed and when determining the amount of the fine. In case of a minor infringement, IMY may, as stated in Recital 148, instead of imposing a sanction fee, issue a reprimand pursuant to Article 58(2)(b). In this assessment, regard shall be taken to aggravating and mitigating circumstances in the case, such as the nature of the infringement, severity and duration as well as previous infringement of relevance.

IMY notes that the time passed before the company acted was relatively short. The data in question was not special category data nor other types of particularly integrity-sensitive data. The infringement was negligent, and when the company understood the complainant's intentions actions were taken. Against this background IMY considers that it is a matter of a minor infringement within the meaning of recital 148 and that Readly AB should be given a reprimand pursuant to Article 58(2)(b) of the GDPR for the stated infringement.


This decision has been made by the specially appointed decision-maker after presentation by legal advisor.

How to appeal

If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review.

You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown in the first page of the decision.