Datatilsynet (Denmark) - 2020-7320-1827

From GDPRhub
Revision as of 21:29, 31 December 2022 by Kv (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2020-7320-...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - 2020-7320-1827
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 12 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started: 10.02.2020
Decided: 20.05.2022
Published:
Fine: n/a
Parties: Trustpilot
National Case Number/Name: 2020-7320-1827
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR decision, the Danish DPA determined that Truspilot was the processor with Asus being the controller. Trustpilot had send an e-mail to the data subject inviting him to evaluate his purchasing experience at Asus.

English Summary

Facts

On 11 May 2019, The data subject bought an unspecified item from the company ‘Asus’ on EBay, an online market place. Asus is a company that mainly sells consumer electronics, such as smartphones, laptops and accessories. On 3 February 2020, the data subject received an e-mail from the processor, truspilot.com, where Asus (controller) appeared to be the sender of the e-mail. The processor asked the data subject to evaluate the buying experience at Asus. The data subject requested access to his personal data by sending an e-mail to the controller. The controller replied on 6 February 2020 that it was not able to identify the data subject using his e-mail address. Therefore, the controller stated that it did not process any personal data of the data subject. On 8 February 2020, the controller sent the data subject another e-mail requesting to evaluate his purchase. In this decision, a data processing agreement of the processor was disclosed. It was stated that the processor would assist in any handling of requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law, including requests for access, rectification, blocking or deletion, which relates to our processing of the relevant data. The data subject filed a complaint at a German DPA (Bavaria DPA), which forwarded the complaint to another German DPA (Beauftragte für Datenschutz und Informationsfreiheit (Berling DPA). The latter transferred the complaint to the Danish DPA (DPA), which was the lead supervisory authority in this decision (Article 56 GDPR).

Holding

The main issue of this decision is whether Trustpilot was the controller or processor in this case. The DPA stated that it assumed, based on the information in this case, that Trustpilot acted as a processor for Asus when it was processing personal data by sending an e-mail on behalf of Asus. Therefore, it was not the responsibility of the processor to handle and respond to access requests pursuant of Article 12 and 15 GDPR. However, the DPA stated that it was regrettable that the processor did not have a consistent practice to search for relevant information, including the name and address, which the data subject had submitted in connection with his access request (Article 15 GDPR). If this had been the case, the processor could have been able to identify the data subject and thus, in its role as processor, could have assisted the controller to the extent agreed in the data processing agreement.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.