BlnBDI (Berlin) - 521.13874

From GDPRhub
Revision as of 12:28, 9 November 2021 by Baltpeter (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color= |DPAlogo=LogoDE-BE.png |DPA_Abbrevation=BlnBDI (Berlin) |DPA_With_Country=BlnBDI (Berlin) |Case_Number_Name=521.13874 |...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BlnBDI (Berlin) - 521.13874
LogoDE-BE.png
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
§ 7(2)(3) UWG
§ 7(3)(4) UWG
Type: Complaint
Outcome: Upheld
Started:
Decided: 15.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 521.13874
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
German
Original Source: Datenanfragen.de (decision) (in DE)
Datenanfragen.de (report) (in DE)
Initial Contributor: Benjamin Altpeter (Baltpeter)

BlnBDI issued reprimand to eBay shop for violating Article 6(1) GDPR by sending newsletters to a customer without consent, Article 12(3) GDPR by not responding to their access request within one month, and Article 15(1) GDPR by not providing a data copy and only incomplete details.

English Summary

Facts

A data subject placed an online order with an eBay shop (the controller). More than half a year later, the controller started sending them weekly newsletters via email. The controller's privacy policy claimed that newsletters would only be sent given consent (Article 6(1)(a) GDPR) but no consent was given by the data subject.

The data subject sent an access request (Article 15(1) and (3) GDPR) to the controller. Neither this request nor the data subject's warning after one month received any response from the controller.

Initially, the controller didn't respond to the DPA's request for a statement after the data subject's complaint either. Only after the DPA issued an administrative notice forcing the company to answer the access request and threatened a penalty payment otherwise, did the controller respond to the data subject.

This initial response however only mentioned the categories of data processed and didn't include a copy of the data. Only after another reclamation by the data subject did the controller provide a data copy.

Holding

The DPA held that the sending of the newsletter happened without a valid legal basis (Article 6(1) GDPR). The data subject had not given consent (Article 6(1)(a) GDPR). The controller could not claim a legitimate interest (Article 6(1)(f) GDPR) either. While the term "legitimate interest" is to be interpreted broadly, it cannot be assumed anymore if the processing violates another legal norm. § 7(2)(3) UWG (German Act against Unfair Competition) declares advertising using electronic mail without the addressee's prior express consent as an "unacceptable nuisance". The exemption under § 7(3)(4) UWG only applies if the controller clearly and unequivocally advised the data subject at the time of the collection of the email address that it will be used for advertising purposes. The controller had not done that by their own admission. Thus, the DPA concluded that the data subject's interests and fundamental rights overrode the controller's and no legitimate interest could be assumed.

The DPA further held that the controller had violated Article 12(3) GDPR by not responding to the data subject's access request within a period of one month.

The DPA finally held that the controller provided an incomplete response to the data subject's access request (Article 15(1) GDPR). In addition to the abstract categories of data, the actual data processed on the particular data subject has to be provided. The controller further didn't inform the data subject about the recipients of the personal data (Article 15(1)(c) GDPR). The DPA held that this has to include processors according to Article 28 GDPR. Finally, the controller's information about the period for which the personal data is stored (Article 15(1)(d) GDPR) was held to have been incomplete. The controller had only mentioned that the period was based on legal retention periods according to § 257 HGB and § 147 AO but the DPA held that this did not fulfill the requirements of Article 15(1)(d) GDPR. The controller either has to state the actual period or name the particular events (like the conclusion of a contract) that influence it.

The DPA issued a reprimand to the controller (Article 58(2)(b) GDPR).

Comment

Notably, the DPA's decision derives the right to a copy only from Article 15(1) GDPR, while other DPAs have held that Article 15(1) GDPR only applies to the meta information and that Article 15(3) GDPR is a separate right.

An official English translation of the UWG is available at: https://www.gesetze-im-internet.de/englisch_uwg/englisch_uwg.html

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

               Berlin representative
   D) for data protection Fa
                                                                               NG 22 OCT.
               and freedom of information



 Berlin Commissioner for atenschu and Freedom of Information
 Friedric 219, 1969 Berlin

                                                    Registration number: .13874.13
                                                    (given)








                                                   Date October 15, 2021




Completion message
Your complaint dated December 21, 2021



Dear Sir or Madam,

We hereby inform you that the complaint is passed on to you.
examination procedure is completed. a violation of the General Data Protection Ordinance

(GDPR) when processing your personal data also EEE
we have based on the information provided to us for the following reasons
can determine.

Reason:


I.
We have established the following facts:

You ordered goods from the company in January 2020 via the Ebay platform. From Octo-
You received various promotional emails through December 2020, including on October 31 and November 7
ber, November 14th, November 21st, November 27th, December 5th, December 12th and December 18th

ber.

On December 5, 2020, you asked the company for information about your personal information
Data according to Article 15 GDPR. By e-mail dated December 7, 2020, you reminded you of your concern.
There was no response to either of the e-mails. The company has reported
is the mistake of an employee who did not reply to "the e-mail" correctly.

tete, which is why it then disappeared from the overview of the emails to be processed.

In response to our address, the company then sent you an email of April 21, 2021
Information about the data categories stored by the company. This information lies
before us.


You then notified the company in an email dated April 24, 2021 that the
Information is incomplete because it does not contain the specifically stored data
the company then supplemented it with an email dated April 26, 2021.


 Berlin commissioner, speaking at 15 o'clock, Telef03013889-0 ‚Anfami public transport center:
 Data corruption information freDonnersta-1Uhr Telef030 155050 U-BahLin6e tationhstr.
                           Visitor entrance Elgem.3aAbs.VwVIGöffnuBusLinM29und 248
 Friedrich219. Puttkamers16-18 mailbox@datenschutz-berlin.de
 1096Berlin wheelchair-accessible https «// datenschutz-berliu .dell.

The facts determined are legally assessed as follows:

Illegal processing by sending advertising emails


According to Article 6 (1) GDPR, the processing and use of personal data is only
permissible as long as this can be supported on a legal basis.

A legitimate interest of the company in accordance with Article 6 (1) (f) GDPR for advertising

Your data was not used here. Although the term is legitimate interest
However, a legitimate interest can no longer be assumed in any case.
if the data processing violates other legal norms.


According to Article 7 (2) No. 3 UWG, emails for the purpose of direct marketing are
presumable harassment if the recipient has not given their consent. he exception
According to Section 4, Number 4 UWG, metatStock requires, among other things, that the person concerned
the use of the data is clearly indicated that the advertising is being used. The enterprise
himself admitted that this was not the case here. That was the end of the promotional emails

not permitted according to Section 7WG. Accordingly, prevail in the weighing of interests
Article 6 (1) (f) GDPR, your fundamental rights and interests. No consent was given.

The advertising use of his e-mail address constitutes a violation of Article 6 Paragraph 1 DS-

GMOs.

No response to requests for information

According to Article 12, Paragraph 3, Clause 1 of the GDPR, the person responsible has the

about the measures taken in accordance with Articles 15 to 22 GDPR
to be made available in each case but within one month of receipt of the
sluggish.


Your request for information of December 5, 2020 was answered on April 21, 2021
delayed. amit is in violation of Article 12 (3) GDPR.

Incomplete information


According to Article 15, Paragraph 1.2. HS. Every data subject has the GDPR in the event of processing
your data a right to information about this data as well as the under lita) - h)
Information, in particular categories of personal data (litb).
but should be put in a position to check the data processing and, if necessary, to

to assert further rights, e.g. to correction or deletion. It must therefore be next to
the abstract data categories and those specifically stored for the individual
information about these personal data ("Information about this personal data").


In its information dated April 21, 2021, however, the company only has the processed
communicated to the processed data categories. You will only have specific data after a new request.
standing.

In addition, the additional information to be provided in accordance with Article 15 (1) a) to) DS-

GMO incomplete:

    e According to Article 15 Paragraph 1 lit. c) GDPR, those affected must inform about the recipients of their

      . personal data are informed. This also includes processors i.S.
       d.Art.28 GDPR. In its information, the company has not given any information on this.
       power. e Pursuant to Article 15 (1) (d) GDPR, those affected must, as far as possible, be informed about the

       planned duration for which the personal data will be stored or, if so
       is not possible to be informed of the criteria for determining this duration.

       The information must be so precise that it can be seen by the data subject
       how long your data will be processed. Insofar as an indication of the deletion time

       t it is not possible, at least the duration of storage periods and the start of these
       Deadline between the triggering event (e.g. termination of a contract, expiry
       warranty period, etc.). The mere reference to the statutory retention
       notice period is not sufficient.

       The notification of the planned storage period is based on the legal

       retention periods according to $ 257 HGB and 8 147 AO do not meet these requirements.

Il.
We inform the company of this legal assessment. Oppose the company
we issue a warning in accordance with Article 58 (2) GDPR. Further regulatory

We reserve the right funds, especially in the case of repetition.

As far as your complaint is concerned, the matter is considered to be closed.
sen.

Legal appeal

An action against this decision is admissible before the Berlin Administrative Court. ie is-
within one month after notification of this decision to the administrative court
lin, irchstraße 7, 10557 Berlin, in writing and as an electronic document by means of his
qualified electronic signature (QES) - or for the record of the clerk
gain. It should be noted that in the event of a written complaint, the deadline for the action is only

is then respected if the action was received by the administrative court within this period
is.

Kind regards