BlnBDI (Berlin) - 631.457.4 521.14765.10
|BlnBDI - 631.457.4 521.14765.10|
|Relevant Law:|Article 12(3) GDPR; Article 15(3) GDPR; Article 17(1) GDPR; Article 58(2)(b) GDPR|
|National Case Number/Name:|631.457.4 521.14765.10|
|European Case Law Identifier:|EDPBI:DEBE:OSS:D:2022:431|
|Original Source:|EDPB (in EN)|
In an Article 60 GDPR decision, the Berlin DPA reprimanded a controller for the violation of Articles 6, 12(3) and 17 GDPR. In order to comply with an erasure request, the controller requested the data subject to log in with her customer account, which she did not have, because she was never a customer.
English Summary
Facts
The data subject received an order confirmation by e-mail from a company called "Healy" (controller). The data subject informed the controller by e-mail that it had used an incorrect e-mail address. She also informed the controller about her suspicion that an actual customer of the controller had used her e-mail address to place an order. The controller did not respond to this.
After that, the data subject also received shipping confirmations with personal data of the actual customer who had placed the order, as well as the controller's newsletters. In addition, the data subject also received information in German concerning a credit balance, as well as the password and username of the actual customer. As would become clear later, this situation was the result of a faulty process with regard to the controller's database. In this database, there was a customer with the same name as the data subject. When the responsible employee of the controller manually entered the e-mail address to send the shipping confirmations to, he confused the data subject's e-mail address with that of the customer who had actually placed the order.
On 28 June 2021 and 6 July 2021, the data subject requested the controller by e-mail to delete her e-mail address. Instead of addressing the DPO of the controller, the data subject sent her requests to the controller's customer service. At first, the controller did not comply with the data subject's request for erasure because its customer service department was of the opinion that the e-mail address was still required to process an open order. The customer service later transferred the complaint to the legal department after 'a delay'. It is not clear from the decision how long this delay was. After this, the data subject received instructions from the controller to log into her (non-existent) customer account, and fill in a form there.
On 4 August 2021, the controller deleted the data subject's e-mail address after it finally became aware of the situation. On 23 September 2021, the data subject received an e-mail with apologies from the controller. On an unspecified date, the data subject filed a complaint with the DPA. On 22 February 2022, the DPA asked the controller to comment on the present case. On 6 April 2022, the controller confirmed it had sent e-mails to the data subject and provided its explanation regarding the faulty process with its database (see second paragraph).
Holding
First, the DPA determined that there was no legal basis for the processing of the data subject's e-mail address, in violation of Article 6 GDPR.
Second, the DPA determined that the controller did not respond to the data subject's requests for erasure within one month, which resulted in violations of Articles 12(3) and 17 GDPR. The fact that the data subject did not address her request for erasure to the controller's DPO but to its customer service did not justify the controller's failure to reply in time. Moreover, there was no obligation in the GDPR for data subjects to submit their requests electronically, nor was there an obligation to send requests only to a specific e-mail address, pursuant to Article 15(3) GDPR.
The DPA reprimanded the controller pursuant to Article 58(2)(b) GDPR.
Comment
It is not entirely clear from the text of the decision itself why this is an Article 60 GDPR decision. It is not clear at which DPA the data subject filed her initial complaint or on what date it was transferred to the DPA of Berlin, if at all.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI), Friedrichstr. 219, 10969 Berlin. Visitors' entrance: Puttkamerstr. 16–18. Phone: (030) 13889-0. Fax: (030) 215 50 50. Mail: firstname.lastname@example.org. Web: www.datenschutz-berlin.de. Office hours: Daily from 10 am to 3 pm, Thursdays from 10 am to 6 pm.
631.457.4 521.14765.10
CR 378706 IC 392914 DD 405582
09 August 2022
Final Decision
Reprimand
Your undated letter, received by us on 6 April 2022.
Dear Sir or Madam,
We hereby issue a reprimand to your company for infringements of the General Data Protection Regulation (GDPR).
Reasoning: Our decision is based on the following considerations:
I. We have established the following facts:
The complainant in the proceedings with the above-mentioned reference informed us that she had received an order confirmation from a company called "Healy" to her e-mail address [redacted]. She assumed that a customer of your company had given an incorrect e-mail address (the complainant's e-mail address) when placing the order. The complainant had informed your company by e-mail that the e-mail address used was incorrect. Your company did not react to this information.
The complainant had also received shipping confirmations with personal data of the actual customer as well as Healy newsletters to her e-mail address. The complainant provided us with examples of emails written in English that she had received in July 2021 from ser- email@example.com, firstname.lastname@example.org, email@example.com and no-reply-healy- firstname.lastname@example.org. In addition, she had received information in German from healy@globalewallet.com about a credit balance including the password and user name of another person.
The complainant requested your company by e-mail (dated 28 June and 6 July 2021) to delete her e-mail address. She then received an e-mail from your company telling her to log into her - in fact non-existent - customer account and fill in a form there.
In a letter dated 22 February 2022, we asked you to comment on the facts described and also consulted you on our intention to issue a reprimand to your company.
In a letter received by us on 6 April 2022, your company confirmed that the complainant had received emails from your company. This was due to a faulty process in your company's back office. There had been a customer in your company's database with the same name as the complainant. In her customer account, the manual entry of the e-mail address by the responsible employee, the e-mail address of the complainant [redacted] instead of the e-mail address of the customer [redacted]. After your company had become aware of the complainant's complaint, the process of creating the customer account had been completely automated, so that manual data entry by your company's employees was no longer possible. Moreover, a double opt-in procedure had been implemented for the customer e-mail registration in order to prevent incorrect e-mail addresses from being assigned to a customer account.
At first, your company did not comply with the complainant's request for erasure because the customer service department was of the opinion that the e-mail address to be erased was your customer's e-mail address and that the e-mail address was still required to process an open order and open commission claims. Moreover, the complainant had not addressed her request for deletion to your company's data protection officer, but to Healy's customer service, which had only forwarded her request to the legal department after a delay. The complainant's e-mail address had been deleted on 4 August 2021, after you had become aware of the complaint. The complainant was sent an email apologising on 23 September 2021.
In September 2021, the customer service had again been trained in the handling of personal data and an e-mail address had been created so that the external data protection officer of your company could be contacted.
II. Legally, we assess the facts as follows:
Your company has infringed the GDPR.
1. Personal data may only be processed if the person responsible for the processing can refer to a legal basis. In the present case, there was no legal basis for the processing of the complainant's e-mail address, so that your company infringed Art. 6 GDPR.
2. According to the first sentence of Art. 12(3) GDPR, the controller must provide the data subject with information on the measures taken upon requests pursuant to Articles 15 to 22 GDPR without undue delay, and in any event within one month of receipt of the request. Your company did not respond to the complainant's request for erasure of 28 June and 6 July 2021 within the one-month period, so that there is also an infringement of the first sentence of Art. 12(3) and Art. 17 GDPR. The fact that the complainant did not address her request for erasure to your company's data protection officer but to Healy's customer service does not justify the failure to reply in time. There is no obligation in the GDPR for data subjects to assert their data protection rights electronically, nor is there an obligation to send requests only to a specific e-mail address. Rather, the second sentence of Art. 15(3) GDPR states: "Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form." The complainant could therefore also have submitted her request for erasure by other means, e.g. by post. The right to erasure is directed against the controller pursuant to Article 17(1) of the GDPR. The complainant sent her request for erasure to an e-mail address used by your company.
III. As a result, we decided not to take any further supervisory measures due to the infringement, but to leave it at a reprimand for the time being. The reprimand is based on Art. 58 (2) (b) GDPR.
Taking into account the specific circumstances of the established facts, we consider a reprimand to be appropriate after completing our investigation. We identified an infringement on your part for the first time. When approached by us, you showed understanding and informed us that you had already taken measures to prevent a recurrence of the incidents complained about. In the certain expectation that you will comply with the data protection regulations in the future, we consider the matter closed.
Legal Remedies
An action against this decision may be brought before the Berlin Administrative Court. It must be lodged in writing - also as an electronic document by means of a qualified electronic signature (QES) - or with the clerk of the court within one month of notification of this decision at the Berlin Administrative Court, Kirchstraße 7, 10557 Berlin. Please note that in the case of a written complaint, the time limit for filing a complaint is only met if the complaint is received by the administrative court within this time limit.
Yours sincerely