BlnBDI (Berlin) - 631.457.4 521.14765.10

From GDPRhub
BlnBDI - 631.457.4 521.14765.10
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 12(3) GDPR
Article 15(3) GDPR
Article 17(1) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.08.2022
Published: 09.02.2023
Fine: n/a
Parties: Healy
National Case Number/Name: 631.457.4 521.14765.10
European Case Law Identifier: EDPBI:DEBE:OSS:D:2022:431
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

To be updated

English Summary

Facts

To be updated

Holding

To be updated

Comment

To be updated

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

631.457.4

521.14765.10




CR 378706


IC 392914

DD 405582


09 August 2022

Final Decision




Reprimand


Your undated letter, received by us on 6 April 2022.





Dear Sir or Madam,

We hereby issue a reprimand to your company for infringements of the General Data Protection Regulation (GDPR).





Reasoning:

Our decision is based on the following considerations:









Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI)
Friedrichstr. 219, 10969 Berlin
Visitors' entrance: Puttkamerstr. 16–18
Phone: (030) 13889-0
Fax: (030) 215 50 50
Mail: mailbox@datenschutz-berlin.de
Web: www.datenschutz-berlin.de
Office hours: Daily from 10 am to 3 pm, Thursdays from 10 am to 6 pm

I.

We have established the following facts:




The complainant in the proceedings with the above-mentioned reference informed us that she had received an order confirmation from a company called "Healy" to her e-mail address [redacted]. She assumed that a customer of your company had given an incorrect e-mail address (the complainant's e-mail address) when placing the order. The complainant had informed your company by e-mail that the e-mail address used was incorrect. Your company did not react to this information. The complainant had also received shipping confirmations with personal data of the actual customer as well as Healy newsletters to her e-mail address. The complainant provided us with examples of emails written in English that she had received in July 2021 from service@healy.de, no-reply@healyworld.net, your.healy@healy.shop and no-reply-healy-world@healy-world.net. In addition, she had received information in German from healy@globalewallet.com about a credit balance including the password and user name of another person.


The complainant requested your company by e-mail (dated 28 June and 6 July 2021) to delete her e-mail address. She then received an e-mail from your company telling her to log into her - in fact non-existent - customer account and fill in a form there.

In a letter dated 22 February 2022, we asked you to comment on the facts described and also consulted you on our intention to issue a reprimand to your company.

In a letter received by us on 6 April 2022, your company confirmed that the complainant had received emails from your company. This was due to a faulty process in your company's back office. There had been a customer in your company's database with the same name as the complainant. In her customer account, during the manual entry of the e-mail address by the responsible employee, the e-mail address of the complainant [redacted] had been entered instead of the e-mail address of the customer [redacted]. After your company had become aware of the complainant's complaint, the process of creating the customer account had been completely automated, so that manual data entry by your company's employees was no longer possible. Moreover, a double opt-in procedure had been implemented for the customer e-mail registration in order to prevent incorrect e-mail addresses from being assigned to a customer account.

At first, your company did not comply with the complainant's request for erasure because the customer service department was of the opinion that the e-mail address to be erased was your customer's e-mail address and that the e-mail address was still required to process an open order and open commission claims. Moreover, the complainant had not addressed her request for deletion to your company's data protection officer, but to Healy's customer service, which had only forwarded her request to the legal department after a delay. The complainant's e-mail address had been deleted on 4 August 2021, after you had become aware of the complaint. The complainant was sent an email apologising on 23 September 2021. In September 2021, the customer service had again been trained in the handling of personal data and an e-mail address had been created so that the external data protection officer of your company could be contacted.




II.

Legally, we assess the facts as follows: Your company has infringed the GDPR.

 1. Personal data may only be processed if the person responsible for the processing can refer to a legal basis. In the present case, there was no legal basis for the processing of the complainant's e-mail address, so that your company infringed Art. 6 GDPR.


 2. According to the first sentence of Art. 12(3) GDPR, the controller must provide the data subject with information on the measures taken upon requests pursuant to Articles 15 to 22 GDPR without undue delay, and in any event within one month of receipt of the request. Your company did not respond to the complainant's request for erasure of 28 June and 6 July 2021 within the one-month period, so that there is also an infringement of the first sentence of Art. 12(3) and Art. 17 GDPR. The fact that the complainant did not address her request for erasure to your company's data protection officer but to Healy's customer service does not justify the failure to reply in time. There is no obligation in the GDPR for data subjects to assert their data protection rights electronically, nor is there an obligation to send requests only to a specific e-mail address. Rather, the second sentence of Art. 15(3) GDPR states:

         "Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form."

    The complainant could therefore also have submitted her request for erasure by other means, e.g. by post. The right to erasure is directed against the controller pursuant to Article 17(1) of the GDPR. The complainant sent her request for erasure to an e-mail address used by your company.




III.

As a result, we decided not to take any further supervisory measures due to the infringement, but to leave it at a reprimand for the time being.

The reprimand is based on Art. 58 (2) (b) GDPR.


Taking into account the specific circumstances of the established facts, we consider a reprimand to be appropriate after completing our investigation. We identified an infringement on your part for the first time. When approached by us, you showed understanding and informed us that you had already taken measures to prevent a recurrence of the incidents complained about.

In the certain expectation that you will comply with the data protection regulations in the future, we consider the matter closed.




Legal Remedies

An action against this decision may be brought before the Berlin Administrative Court. It must be lodged in writing - also as an electronic document by means of a qualified electronic signature (QES) - or with the clerk of the court within one month of notification of this decision at the Berlin Administrative Court, Kirchstraße 7, 10557 Berlin. Please note that in the case of a written complaint, the time limit for filing a complaint is only met if the complaint is received by the administrative court within this time limit.


Yours sincerely











