BlnBDI (Berlin) - 631.457.4 521.14765.10: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 81: Line 81:
On 23 September 2021, The data subject received an email with apologies from the controller.
On 23 September 2021, The data subject received an email with apologies from the controller.


On an unspecified date, the data subject filed a complaint at the DPA. It is not clear at which DPA the original complaint was filed, but since this is an [[Article 60 GDPR]] decision, it is most likely that this was not the Berlin DPA (DPA), who was the Lead supervisory authority in this decision.   
On an unspecified date, the data subject filed a complaint at the DPA.    


On 22 February 2022, the DPA asked the controller to comment on the present case.   
On 22 February 2022, the DPA asked the controller to comment on the present case.   
Line 95: Line 95:


== Comment ==
== Comment ==
-
It is not entirely clear from the text of the decision itself why this is an [[Article 60 GDPR|Article 60 GDPR decision]]. It is not clear at which DPA the data subject filed her initial complaint or on what date it was transferred to the DPA of Berlin, if at all.


== Further Resources ==
== Further Resources ==

Revision as of 14:47, 14 February 2023

BlnBDI - 631.457.4 521.14765.10
LogoDE-BE.png
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 12(3) GDPR
Article 15(3) GDPR
Article 17(1) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.08.2022
Published: 09.02.2023
Fine: n/a
Parties: Healy
National Case Number/Name: 631.457.4 521.14765.10
European Case Law Identifier: EDPBI:DEBE:OSS:D:2022:431
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: mgrd

In an Article 60 GDPR decision, the Berlin DPA reprimanded a controller, pursuant to Article 58(2)(b) GDPR, for violations of Articles 6, 12(3) and 17 GDPR. The data subject received e-mails without being a customer of the controller. When the data subject submitted an erasure request, the controller requested the data subject to log in with her customer account, which she did not have.

English Summary

Facts

The data subject received an order confirmation by e-mail from a company called "Healy" (controller). The data subject informed the controller by e-mail that it had used an incorrect e-mail address. She also informed the controller about her suspicion that an actual customer of the controller had used her e-mail address to place an order. The controller did not respond.

After that, the data subject also received shipping confirmations with personal data of the actual customer who had placed the order, as well as the controller newsletters. In addition, the data subject also received information in German concerning a credit balance, as well as the password and username of the actual customer. As would become clear later, this situation was the result of a faulty process with regard to the controller's database. In this database, there was a customer with the same name as the data subject. When the responsible employee of the controller manually entered the e-mail address to send the shipping confirmations to, he confused the data subject's email with the one of the customer who had actually placed the order.

On 28 June 2021 and 6 July 2021, the data subject requested the controller by e-mail to delete her e-mail address. Instead of addressing the DPO of the controller, the data subject sent her requests to the controller's customer service. At first, the controller did not comply with the data subject's request for erasure because it's customer service department was of the opinion that the e-mail address was still required to process an open order. The customer service later transferred the complaint to the legal department after 'a delay'. It is not clear from the decision how long this delay was. After this, the data subject received instructions from the controller to log into her (non-existent) customer account, and fill in a form there.

On 4 August 2021, The controller deleted the data subject's e-mail after it finally became aware of the situation.

On 23 September 2021, The data subject received an email with apologies from the controller.

On an unspecified date, the data subject filed a complaint at the DPA.

On 22 February 2022, the DPA asked the controller to comment on the present case.

On 6 April 2022, the controller confirmed it had sent e-mails to the data subject and provided its explanation regarding the faulty process with its database. (see second paragraph).

Holding

First, the DPA determined that there was no legal basis for the processing of the data subject's e-mail address, in violation of Article 6 GDPR.

Second, the DPA determined that the controller did not respond to the data subject's requests for erasure within one month, which resulted in violations of Articles 12(3) and 17 GDPR. The fact that the data subject did not address her request for erasure to the controller's DPO but to its customer service did not justify the controller's failure to reply in time. Nevertheless, there was no obligation in the GDPR for data subjects to submit their data protection rights electronically, nor was there an obligation to send requests only to a specific e-mail address, pursuant to Article 15(3) GDPR.

The DPA reprimanded the controller pursuant to Article 58(2)(b) GDPR.

Comment

It is not entirely clear from the text of the decision itself why this is an Article 60 GDPR decision. It is not clear at which DPA the data subject filed her initial complaint or on what date it was transferred to the DPA of Berlin, if at all.

Further Resources

-

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

631.457.4

521.14765.10




CR 378706


IC 392914

DD 405582


                                                                                  09 August 2022


                                          Final Decision




Reprimand


Your undated letter, received by us on 6 April 2022.





Dear Sir or Madam,

We hereby issue a reprimand to your company for infringements of the General Data Protection

Regulation (GDPR).





Reasoning:

Our decision is based on the following considerations:









Berlin Commissionerfor Data ProtectiPhone: (030) 13889-0             Mail:mailbox@datenschutz-berlin.de
and Freedom of Information (BlnBDI) Fax: (030) 215 50 50                Web: www.datenschutz-berlin.de
Friedrichstr. 219, 10969 Berlin
Visitors‘ entrance: Puttkamerstr. 16–18icehours: Daily from 10 am to 3 pm,
                                    Thursdays from 10 am to 6 pmI.

We have established the following facts:




The complainant in the proceedings with the above-mentioned reference informed us that she

had received an order confirmation from a company called "Healy" to her e-mail address [re-
dacted]. She assumed that a customer of your company had given an incorrect e-mail address

(the complainant's e-mail address) when placing the order. The complainant had informed your

company by e-mail that the e-mail address used was incorrect. Your company did not react to
this information. The complainant had also received shipping confirmations with personal data

of the actual customer as well as Healy newsletters to her e-mail address. The complainant pro-
vided us with examples of emails written in English that she had received in July 2021 from ser-

vice@healy.de, no-reply@healyworld.net, your.healy@healy.shop and no-reply-healy-

world@healy-world.net. In addition, she had received information in German from healy@glob-
alewallet.com about a credit balance including the password and user name of another person.


The complainant requested your company by e-mail (dated 28 June and 6 July 2021) to delete
her e-mail address. She then received an e-mail from your company telling her to log into her -

in fact non-existent - customer account and fill in a form there.

In a letter dated 22 February 2022, we asked you to comment on the facts described and also

consulted you on our intention to issue a reprimand to your company.

In a letter received by us on 6 April 2022, your company confirmed that the complainant had re-

ceived emails from your company. This was due to a faulty process in your company's back of-
fice. There had been a customer in your company's database with the same name as the com-

plainant. In her customer account, the manual entry of the e-mail address by the responsible em-

ployee, the e-mail address of the complainant [redacted] instead of the e-mail address of the
customer [redacted]. After your company had become aware of the complainant's complaint,

the process of creating the customer account had been completely automated, so that manual
data entry by your company's employees was no longer possible. Moreover, a double opt-in

procedure had been implemented for the customer e-mail registration in order to prevent incor-

rect e-mail addresses from being assigned to a customer account.

At first, your company did not comply with the complainant's request for erasure because the

customer service department was of the opinion that the e-mail address to be erased was your



                                                                                              2customer's e-mail address and that the e-mail address was still required to process an open or-

der and open commission claims. Moreover, the complainant had not addressed her request for
deletion to your company's data protection officer, but to Healy's customer service, which had

only forwarded her request to the legal department after a delay. The complainant's e-mail ad-
dress had been deleted on 4 August 2021, after you had become aware of the complaint. The

complainant was sent an email apologising on 23 September 2021. In September 2021, the

customer service had again been trained in the handling of personal data and an e-mail ad-
dress had been created so that the external data protection officer of your company could be

contacted.




II.

Legally, we assess the facts as follows: Your company has infringed the GDPR.

 1. Personal data may only be processed if the person responsible for the processing can refer

    to a legal basis. In the present case, there was no legal basis for the processing of the com-

    plainant's e-mail address, so that your company infringed Art. 6 GDPR.


 2. According to the first sentence of Art. 12(3) GDPR, the controller must provide the data sub-
    ject with information on the measures taken upon requests pursuant to Articles 15 to 22

    GDPR without undue delay, and in any event within one month of receipt of the request. Your

    company did not respond to the complainant's request for erasure of 28 June and 6 July
    2021 within the one-month period, so that there is also an infringement of the first sentence

    of Art. 12(3) and Art. 17 GDPR. The fact that the complainant did not address her request
    for erasure to your company's data protection officer but to Healy's customer service does

    not justify the failure to reply in time. There is no obligation in the GDPR for data subjects to

    assert their data protection rights electronically, nor is there an obligation to send requests
    only to a specific e-mail address. Rather, the second sentence of Art. 15(3) GDPR states:


         "Where the data subject makes the request by electronic means, and unless
         otherwise requested by the data subject, the information shall be provided in

         a commonly used electronic form."








                                                                                               3    The complainant could therefore also have submitted her request for erasure by other

    means, e.g. by post. The right to erasure is directed against the controller pursuant to Article
    17(1) of the GDPR. The complainant sent her request for erasure to an e-mail address used

    by your company.




III.

As a result, we decided not to take any further supervisory measures due to the infringement, but

to leave it at a reprimand for the time being.

The reprimand is based on Art. 58 (2) (b) GDPR.


Taking into account the specific circumstances of the established facts, we consider a reprimand
to be appropriate after completing our investigation. We identified an infringement on your part

for the first time. When approached by us, you showed understanding and informed us that you

had already taken measures to prevent a recurrence of the incidents complained about.

In the certain expectation that you will comply with the data protection regulations in the future,

we consider the matter closed.




Legal Remedies

An action against this decision may be brought before the Berlin Administrative Court. It must be

lodged in writing - also as an electronic document by means of a qualified electronic signature
(QES) - or with the clerk of the court within one month of notification of this decision at the Berlin

Administrative Court, Kirchstraße 7, 10557 Berlin. Please note that in the case of a written com-

plaint, the time limit for filing a complaint is only met if the complaint is received by the adminis-
trative court within this time limit.


Yours sincerely












                                                                                                 4