BfDI (Germany) - 24-191 II
| BfDI (Germany) - 24-191 II#4781 | |
|---|---|
 | |
| Authority: | BfDI (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 15 GDPR Article 20 GDPR Article 95 GDPR Article 7 Directive 2002/58/EC § 11 Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 19.08.2020 |
| Decided: | 27.01.2022 |
| Published: | |
| Fine: | None |
| Parties: | anonymous Deusche Telekom AG |
| National Case Number/Name: | 24-191 II#4781 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | [ internal (in DE)] |
| Initial Contributor: | Heiko Hanusch |
The German Federal DPA issued a decision specifying which data a telecommunications and internet company should provide to a data subject when handling an access request under Article 15 GDPR.
English Summary
Facts
The data subject is a customer and user of services by the Deutsche Telekom AG (controller), the biggest telecommunications and internet provider in Europe. The data subject requested access from the controller to all of his data under Article 15 GDPR. He also requested to have his data transmitted in a portable format under Article 20 GDPR. The controller responded to both requests. The data subject, however, considered that both responses were not complete. He argued that information about his traffic data, his contracts with the controller and his requests to the controller's customer service were missing. Furthermore, the data subject criticised that the controller did not list all recipients in its answer, but only the "most important" ones, that the origin of the data was not specified and that the storage duration was not mentioned. He, therefore, lodged a complaint with the German Federal Data Protection Authority (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit - BfDI).
Holding
The BfDI partially upheld the complaint. It confirmed the data subject's view that the controller is obligated under Article 15 GDPR to name all recipients and not only the "most important" ones, to specify the origin of the data and to mention the deletion date. However, the DPA found it was not necessary to list each and every individual transfer to a recipient. With regard to the contract documents, the DPA found that it was sufficient that the controller referred the data subject to the online customer portal where the data subject could retrieve those documents.
Regarding the data subject’s requests to the customer service of the controller, the DPA found that these requests are usually handled manually by phone or by paper and not automatically. Accordingly, the DPA concluded that Article 20(1)(b) GDPR was not met. Furthermore, the DPA held that the data collected in the course of service requests must be deleted immediately after the purpose has been achieved, that means after the request has been resolved, or, if the data is to be used for other purposes, it must be anonymised. Consequently, the DPA reasoned that the controller could not have provided this data in its answer to the request under Article 15 GDPR.
Regarding the traffic data, the DPA reasoned that a data subject has no right to access traffic data under Article 15 GDPR because § 11 TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz), which is an implementation of Article 7 ePrivacy Directive and lays down the right to receive itemized bills, takes precedence according to Article 95 GDPR. In the case at hand, the DPA concluded that the data subject did not invoke § 11 TTDSG since the data subject blackened this part of his submissions. Furthermore, the DPA held that by taking the principle of dataminimisation and Article 11 GDPR into account, the controller is only allowed to store IP addresses seven days. Since the IP addresses which were stored at the time of the request have already been deleted, the controller can no longer provide information about them. The DPA also determined that the controller was not obliged to give the data subject access to location data (Cell-ID) because the data subject did not sufficiently demonstrate that he was the sole user of the mobile phone in question. The DPA took the view that, since location data is very sensitive, the data subject must show that no one else was using the cellphone.
Lastly, the DPA clarified that the controller is not allowed to record the content transmitted in an online session. Therefore, it found that it was impossible for the the controller to provide information on the visited websites under Articles 15 and 20 GDPR.
Comment
The decision is not very structured and in part hardly comprehensible. In some parts of the decision, the authority simply makes factual presumptions and, at least, regarding those parts it seems that the DPA did not carry out an actual investigation. Furthermore, some of the legal reasoning seems questionable as well. Anyone interested in more detail please take a look at the automatic translation at the bottom.
A controller actually does not fulfill its obligation under Article 15(1), (3) GDPR by referring a data subject to an online portal, where the data subject can retrieve the personal data themselves. As the EDPB has clarified in paragraph 23 of its guidelines on the right of access (guidelines 01/2022, https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-data-subject-rights-right_en), the right of access comprises complete information on all data. Consequently, according to paragraph 25 of the guidelines a copy is only complete if all personal data is included and according to paragraph 131 the right to a copy is not precluded by giving access through other means than a copy, unless the data subject has unrecognisably waived their right.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
NOTICE 1. I hereby grant your complaint of August 19, 2020 against Deutsche Telekom AG in accordance with Art. 77 (2) GDPR, insofar as it relates to specific data recipients, telephone connections for billing purposes, copies of bills, order confirmations and contracts as well as other documents, the history for customer login and hotline contact, their booking account and their e-mail alias, telephone recordings on the hotline and from the online forum or the social media offer of the telecommunications company. 2. Otherwise, I reject your complaint. 3. According to Art. 57 Para. 3 GDPR, the decision is informal. Reason: I In a letter dated August 19, 2020, you lodged a data protection complaint against Deutsche Telekom AG (Telekom). In it, you complained in particular that Telekom had only incompletely answered your request for information under Art. 15 GDPR. In addition, Telekom ignored your request to port all data in accordance with Art. 20 GDPR. Telekom caught up on this on July 21, 2020 and made the data available to you. In their opinion, however, the porting according to Art. 20 GDPR was also incomplete. Regarding information from Telekom according to Art. 15 GDPR, you stated: Archived correspondence, contract documents, notes on hotline calls, invoices, proof of connection and other data storage (e.g. for specific Internet, telecommunications, app, telephony and Magenta TV use) are missing. In particular, it is not possible for you to call up the itemized bills of your telephone connections. Instead of Telekom's general statements on the recipients or categories of recipients, they should have informed you specifically about your data. Recipients and the data transmitted to them were missing. The same applies to the transfer of data to third countries. You are also entitled to specific, personal information about the planned storage period, namely which data is stored for how long and for what reason. In your opinion, the origin of the data should be specified specifically for each individual piece of externally received data, with precise information about the specific source from which it was obtained. There were also no concrete and comprehensible statements as to whether automated decision-making including profiling took place or is still taking place. Finally, there would be no list of all data protection consents you currently have and information on their revocability. Regarding data porting in accordance with Art. 20 GDPR, you informed me that Telekom had not provided all the requested data. The personal data transmitted would not correspond to those that you had already received in writing. The service requests are also not complete and also contain cryptic information. Information on Magenta TV and internet use was also missing. You also complained about the way in which Telekom made the data available to you. These can be made available without having to register anywhere or to follow a number of different links to gather data. II. As the Federal Commissioner for Data Protection and Freedom of Information (BfDI), I am responsible for supervision in accordance with Section 29 (1) and (3) of the Telecommunications Telemedia Data Protection Act (TTDSG) in conjunction with Article 58 (1) (b) GDPR responsible for the telecommunications service providers such as Telekom. According to Art. 77 Para. 1 GDPR, every person has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates this regulation. In accordance with Article 57 (1) (f) GDPR, I was able to identify deficiencies in data protection law as part of my investigation into your complaint. 1. Your right to information pursuant to Art. 15 GDPR has only been partially fulfilled by the information provided by Telekom. On July 15, 2020, Telekom provided you with extensive information in accordance with Article 15 (3) of the GDPR. For example, Telekom informed you about the duration of storage that invoices are stored for ten years under the German Commercial Code. Telekom also provided extensive information by name on third parties to whom your data is passed on. Telekom also presented the origin of your data separately for each contract. However, you did not consider the information provided by Telekom to be sufficient or legally compliant. When you asked Telekom to provide you with all the data, you received stored data on service contacts in addition to the data ported in accordance with Article 20 of the GDPR. In your opinion, however, the specific contracts between you and Telekom should be transmitted, as well as telephone and Internet connection data, including the data transmitted during these connections. In addition, for all data that Telekom has stored about you, the specific time must be specified, when it will be deleted and where it came from in detail. The data transmissions to third parties must also be specified precisely, namely when which data was transmitted to which recipients. A prerequisite for information pursuant to Art. 15 (1) GDPR is that the person responsible has stored personal data relating to you, i.e. data about you. The usage data you have complained about (Internet, telecommunications usage) are so-called traffic data within the meaning of Section 2 Paragraph 1 TTDSG in conjunction with Section 3 No. 70 of the Telecommunications Act (TKG) or usage data within the meaning of Section 2 Paragraph 2 No. 3 TTDSG. Their collection, earmarking and storage is based on the provisions of the TTDSG. Telekom has given you information about the telecommunications services you are using. Telekom informed you about the product, the tariff, the contract period and the origin of the data for both the mobile phone contract and the fixed network services. According to Art. 15 (3) GDPR, you also have the right to receive a copy of the specific contracts between you and Telekom and to be able to view telephone data, including the data transmitted during these connections. However, if this data - as in your case - is available in the customer login area, concrete contract data is also listed there in the retrievable invoices and further information you have requested can be retrieved on the Telekom homepage under General Information (e.g. under "MagentaHome M") are, however, a reference to the customer login area or to the Telekom homepage is sufficient. In addition, for all data that Telekom has stored about you, the specific time must be specified, when it will be deleted and where it came from. Data transmissions to third parties must also be specified, ie if Telekom knows the specific recipient Telekom to inform you about these recipients. In your letter dated July 15, 2020, Telekom gave you a detailed list of the most important recipients and purposes in Annex 2. However, for comprehensive information on data transmissions, the other recipients or categories of recipients within the meaning of Article 15 (1) (c) GDPR must also be specified. It should be noted that the information must be as specific as possible and that the specific recipients must therefore be named, provided they are known to Telekom. It must therefore also inform you of the other recipients, provided these recipients are specifically known to Telekom. Likewise, if your data is passed on within the group, Telekom must precisely name the specific recipient. However, an exact specification of the time of any transfer is covered neither by the wording nor by the meaning and purpose of Article 15 (1) (c) GDPR. Rather, the provision is only intended to give you an overview of the specific recipients, but not to list each individual transmission. Legal analyzes and assessments of the legal situation that have been carried out on the basis of your personal data are not covered by the right to information according to Art. 15 DSGVO, since these themselves do not represent any information about the data subject and therefore no personal data. The wording of Art. 15 (3) GDPR does not allow the conclusion that those responsible would have to make copies of files or other documents available. Rather, the person responsible only has to provide you with the personal data relating to you that are the subject of the processing. This also results from recital 63, sentence 1 GDPR, which states that the right to information serves to ensure that the person concerned is aware of the processing and can check the legality of the processing. However, the Federal Court of Justice recently clarified that the term "personal data" according to Art. 4 No. 1 Clause 1 GDPR is to be understood broadly and "[records] all information that relates to an identified or identifiable natural person". In accordance with this definition and the case law of the Court of Justice of the European Union, the term is to be understood broadly, not limited to sensitive or private information, but potentially encompassing all types of information, both objective and subjective in nature, in the form of opinions or judgments, provided that it is information about the person in question. The latter requirement is met if the information is linked to a specific person due to its content, its purpose or its effects. In this respect, the information provided to you by Telekom was previously incomplete Therefore, according to your information no still have a right to specific data recipients, telephone connections for billing purposes, copies of bills - if these documents are older than 18 months and are therefore no longer in the customer account -, order confirmations and contracts as well as other documents, the history of the customer login, if so this is available, your booking account and your e-mail alias, telephone recordings on the hotline and from the online forum or the social media offer of the telecommunications company, insofar as Telekom is (jointly) responsible for this data processing. With regard to the above data, I will request Telekom to make them available to you. In your response to my hearing, you first pointed out that the TKG and the Telemedia Act (TMG) do not regulate access to your data, only their storage by Telekom. If storage is permitted, Art. 15 GDPR must apply in full in the absence of other legal restrictions. Your assessment that the TKG and the TMG or, since December 1, 2021, the TTDSG, do not regulate access to your data is fundamentally correct. It is also correct that Telekom has to provide you with specific data sets. They also think it is incorrect that documents that should already be in your possession should not be made available again. This is not covered by any wording in Art. 15 GDPR. You should at least be informed whether and when you received these documents. It is true that there is no wording in Art. 15 GDPR for documents that you should already have. Based on the most recent Federal Court of Justice decision, you are right in that Telekom must also provide you with information on documents that you (may) already have. Because according to recital 63 GDPR, the person entitled to information can in principle repeatedly request information and the right to information according to Art. 15 GDPR is not limited to data that is not yet known to the person concerned. However, if the documents you requested are still available in your customer account, it is sufficient for Telekom to refer you to your customer account. In your statement to my hearing, you replied that you had first complained about a violation of Art. 15 GDPR with regard to the internet usage data and that I only went into the porting according to Art. 20 GDPR. You are also wondering how I came to the conclusion that Telekom does not record your (Internet) connections. Telekom is not allowed to save the Internet traffic initiated from your connection. I have no knowledge that Telekom would record (Internet) connections called up. With regard to itemized bills, there is no entitlement under Art. 15 (3) GDPR. According to Art. 95 GDPR, provisions of the ePrivacy Directive, which pursue the same goal as the provisions of the GDPR, take precedence over these provisions. § 11 TTDSG, which contains such a provision on itemized bills and which pursues the same goal as Art. 15 GDPR, takes precedence over the GDPR in this respect. Consequently, you must have asserted your claim to the information of itemized bills according to § 11 TTDSG to Telekom. However, I cannot see that from your entry, since you have blacked out the relevant passage in your complaint. With regard to disclosure of IP addresses, Telekom can only provide you with information on those IP addresses that were still available after you submitted your request for information. Because it is not necessary for a person responsible to store IP addresses for more than a week, so that IP addresses must be irreversibly deleted after seven days at the latest or irreversible deletion must be ensured. According to the principle of data minimization and the legal concept of Art. 11 GDPR, Telekom is therefore not allowed to store the IP addresses assigned to you for longer than 7 days. You submitted your request for information to Telekom on July 1, 2020, but Telekom only replied to you on July 15, 2020. Since IP addresses that were assigned to you seven days after you submitted your request for information were not expressly included in your request, your request for information came to nothing, meaning that Telekom did not have to provide you with any IP addresses. With regard to disclosure of location data (cell ID), Telekom was in principle obliged to provide information to you. However, if location data is disclosed, it cannot be ruled out that third parties will regularly use the mobile phone. In our opinion, Telekom was or is only obliged to provide you with information in compliance with the requirements of Art. 12 (6) GDPR. Strict standards apply here for Art. 12 (6) GDPR due to the high sensitivity of the location data of third parties. Because it cannot be ruled out - not least due to widespread usage habits - that the location data is not data of the applicant due to use of the device by third parties. As a result, Telekom was only allowed to provide you with the location data if you could clearly prove that you were solely using your mobile phone. Since you have not (clearly) proven such sole use in this case, Telekom was not obliged to disclose your location data (cell ID) in our opinion. 2. Art. 20 GDPR concerns the right to receive the personal data that you have provided to the person responsible in a structured, common and machine-readable format. The conditions for this are that you have consented to the processing or that it is based on a contract with you and that the data provided is processed automatically. It is therefore only a subset of the data about which you are referred to in Art. 15 of the GDPR can request information. In the examples you mentioned for service requests, IP addresses and Internet connections, I do not consider the conditions for data porting to be met for the following reasons: Service requests are generally not automatically processed within the meaning of Article 20 (1) (b) GDPR and the IP addresses are assigned to you by Telekom (and not provided by you to Telekom). The Internet connections you call up are not recorded by Telekom. Your further criticism of the procedure in which Telekom made the data available to you is unfounded. Art. 20 of the GDPR does not specify in detail how the data is to be made available. The data provided to you was structured, common and in a machine-readable format. Telekom has also already made it clear by partially but obviously incomplete transmission to you that service requests are generally covered by Art. 15 GDPR. You are therefore surprised at my finding that Telekom does not generally process service requests automatically and therefore does not have to port them according to Art. 20 GDPR. It should therefore be noted that Telekom has informed you of the service requests stored there. From this it follows for me, without any further concrete evidence on your part, that Telekom has complied with your request for information. Service requests can also be processed "manually", e.g. by telephone or by hand. Without good reason, these requests are to be destroyed after the purpose (e.g. to clarify your request) has been fulfilled or to be made anonymous if they are to be further processed (automated) for purposes other than the original ones (e.g. training purposes). As a result, Telekom can no longer provide you with any information about these service requests, unless it is jointly responsible for processing your data in the online forum or in the social media offering. In this respect, you would then also have a right to information under Art. 15 GDPR. 3. You describe the way in which information was provided by Telekom in accordance with Art. 15 GDPR as unlawful. You would have already explained this to me in detail under the heading "obligation to bring". In your case, there would also be the aspect of proof, since you would ultimately never be able to demonstrate that information was incomplete, since you were referred to various websites with subpages and links, the content of which Telekom can change at any time. In addition, I would not have considered the aspects of insufficient information about data transfer to third parties. As I have already explained in detail under point 1., I do not consider the information provided by Telekom according to Art. 15 GDPR to be sufficiently fulfilled in your case. In this respect, I will request Telekom to provide you with the information that is still missing within a short period of time. Kind regards
