BlnBDI (Berlin) - 631.457.4 521.14765.10

From GDPRhub
Revision as of 14:21, 13 February 2023 by Kv
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 12(3) GDPR
Article 15(3) GDPR
Article 17(1) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.08.2022
Published: 09.02.2023
Fine: n/a
Parties: Healy
National Case Number/Name: 631.457.4 521.14765.10
European Case Law Identifier: EDPBI:DEBE:OSS:D:2022:431
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: mgrd

The Berlin DPA issued a reprimand to a data controller for several GDPR violations. The data subject, who was not a customer of the controller, had her e-mail address mistakenly linked to another person's customer account and purchase order, and received order confirmations, shipping confirmations and newsletters as a result. When she submitted an erasure request, the controller asked her to log in with her customer account, which she did not have.

English Summary

Facts

The data subject complained that she had received an order confirmation from a company called "Healy" (the controller) at her e-mail address. She assumed that a customer of that company had given an incorrect e-mail address (the complainant's e-mail address) when placing the order.

The data subject informed the controller by e-mail that the e-mail address used was incorrect, but received no reply. After that, the data subject also received shipping confirmations containing personal data of the actual customer, as well as the controller's newsletters, at her e-mail address. In addition, she received information in German from one of the controller's e-mail addresses about a credit balance, including the password and user name of another person.

On 28 June and 6 July 2021, the data subject requested by e-mail that her e-mail address be deleted. She then received an e-mail from the controller with instructions to log into her (non-existent) customer account and fill in a form there.

On 22 February 2022, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) asked the company to comment on the facts described by the data subject and informed it of the intention to issue a reprimand to the controller.

On 6 April 2022, the controller confirmed that the data subject had received e-mails from it, due to a faulty process in its database. There was a customer with the same name as the complainant, and when the responsible employee manually entered the e-mail address for that customer account, the complainant's e-mail address was entered instead of the customer's.

After the company became aware of the complaint, the process of creating the customer account had been completely automated, so that manual data entry by the controller's employees was no longer possible. Moreover, a double opt-in procedure had been implemented for the customer e-mail registration in order to prevent incorrect e-mail addresses from being assigned to a customer account.

At first, the controller did not comply with the data subject's request for erasure because the customer service department was of the opinion that the e-mail address to be erased was the customer's e-mail address and that the e-mail address was still required to process an open order and open commission claims.

Moreover, the data subject had not addressed her request for erasure to the company's data protection officer but to its customer service, which only forwarded the request to the legal department after a delay.

The data subject's e-mail address was deleted on 4 August 2021, after the controller became aware of the complaint. The data subject received an e-mail with apologies on 23 September 2021.

In September 2021, the customer service staff were again trained in the handling of personal data, and an e-mail address was created so that the controller's external data protection officer could be contacted.

Holding

On the facts described above, BlnBDI found that the company had infringed several GDPR articles.

First, personal data may only be processed if the controller can rely on a legal basis. In the present case, there was no legal basis for the processing of the data subject's e-mail address, so the controller violated Article 6 GDPR.

Secondly, the controller did not respond to the data subject's requests for erasure of 28 June and 6 July 2021 within the one-month deadline under Articles 12(3) and 17 GDPR. The fact that the data subject addressed her request for erasure to the controller's customer service rather than to its data protection officer does not justify the failure to reply in time. The GDPR imposes no obligation on data subjects to assert their data protection rights electronically, nor to send requests only to a specific e-mail address; Article 15(3) GDPR merely provides that, where the request is made by electronic means, the information shall be provided in a commonly used electronic form. Pursuant to Article 17(1) GDPR, the right to erasure is directed against the controller, and the data subject sent her request for erasure to an e-mail address used by the controller.

BlnBDI decided to leave it at a reprimand for the time being, based on Article 58(2)(b) GDPR, taking into account the specific circumstances of the case and the fact that the controller, when approached by BlnBDI, showed understanding and informed BlnBDI of the measures taken to prevent a recurrence of such incidents.

Comment

-

Further Resources

-

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

631.457.4 521.14765.10

CR 378706
IC 392914
DD 405582

09 August 2022

Final Decision

Reprimand

Your undated letter, received by us on 6 April 2022.

Dear Sir or Madam,

We hereby issue a reprimand to your company for infringements of the General Data Protection Regulation (GDPR).

Reasoning:

Our decision is based on the following considerations:

Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI), Friedrichstr. 219, 10969 Berlin. Phone: (030) 13889-0, Fax: (030) 215 50 50. Mail: mailbox@datenschutz-berlin.de, Web: www.datenschutz-berlin.de. Visitors' entrance: Puttkamerstr. 16–18. Office hours: Daily from 10 am to 3 pm, Thursdays from 10 am to 6 pm.

I.

We have established the following facts:

The complainant in the proceedings with the above-mentioned reference informed us that she had received an order confirmation from a company called "Healy" to her e-mail address [redacted]. She assumed that a customer of your company had given an incorrect e-mail address (the complainant's e-mail address) when placing the order. The complainant had informed your company by e-mail that the e-mail address used was incorrect. Your company did not react to this information. The complainant had also received shipping confirmations with personal data of the actual customer as well as Healy newsletters to her e-mail address. The complainant provided us with examples of emails written in English that she had received in July 2021 from service@healy.de, no-reply@healyworld.net, your.healy@healy.shop and no-reply-healy-world@healy-world.net. In addition, she had received information in German from healy@globalewallet.com about a credit balance including the password and user name of another person.

The complainant requested your company by e-mail (dated 28 June and 6 July 2021) to delete her e-mail address. She then received an e-mail from your company telling her to log into her - in fact non-existent - customer account and fill in a form there.

In a letter dated 22 February 2022, we asked you to comment on the facts described and also consulted you on our intention to issue a reprimand to your company.

In a letter received by us on 6 April 2022, your company confirmed that the complainant had received emails from your company. This was due to a faulty process in your company's back office. There had been a customer in your company's database with the same name as the complainant. In her customer account, the responsible employee had manually entered the e-mail address of the complainant [redacted] instead of the e-mail address of the customer [redacted]. After your company had become aware of the complainant's complaint, the process of creating the customer account had been completely automated, so that manual data entry by your company's employees was no longer possible. Moreover, a double opt-in procedure had been implemented for the customer e-mail registration in order to prevent incorrect e-mail addresses from being assigned to a customer account.

At first, your company did not comply with the complainant's request for erasure because the customer service department was of the opinion that the e-mail address to be erased was your customer's e-mail address and that the e-mail address was still required to process an open order and open commission claims. Moreover, the complainant had not addressed her request for deletion to your company's data protection officer, but to Healy's customer service, which had only forwarded her request to the legal department after a delay. The complainant's e-mail address had been deleted on 4 August 2021, after you had become aware of the complaint. The complainant was sent an email apologising on 23 September 2021. In September 2021, the customer service had again been trained in the handling of personal data and an e-mail address had been created so that the external data protection officer of your company could be contacted.



II.

Legally, we assess the facts as follows: Your company has infringed the GDPR.

 1. Personal data may only be processed if the person responsible for the processing can refer to a legal basis. In the present case, there was no legal basis for the processing of the complainant's e-mail address, so that your company infringed Art. 6 GDPR.

 2. According to the first sentence of Art. 12(3) GDPR, the controller must provide the data subject with information on the measures taken upon requests pursuant to Articles 15 to 22 GDPR without undue delay, and in any event within one month of receipt of the request. Your company did not respond to the complainant's request for erasure of 28 June and 6 July 2021 within the one-month period, so that there is also an infringement of the first sentence of Art. 12(3) and Art. 17 GDPR. The fact that the complainant did not address her request for erasure to your company's data protection officer but to Healy's customer service does not justify the failure to reply in time. There is no obligation in the GDPR for data subjects to assert their data protection rights electronically, nor is there an obligation to send requests only to a specific e-mail address. Rather, the second sentence of Art. 15(3) GDPR states:

    "Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form."

    The complainant could therefore also have submitted her request for erasure by other means, e.g. by post. The right to erasure is directed against the controller pursuant to Article 17(1) of the GDPR. The complainant sent her request for erasure to an e-mail address used by your company.




III.

As a result, we decided not to take any further supervisory measures due to the infringement, but to leave it at a reprimand for the time being.

The reprimand is based on Art. 58 (2) (b) GDPR.

Taking into account the specific circumstances of the established facts, we consider a reprimand to be appropriate after completing our investigation. We identified an infringement on your part for the first time. When approached by us, you showed understanding and informed us that you had already taken measures to prevent a recurrence of the incidents complained about.

In the certain expectation that you will comply with the data protection regulations in the future, we consider the matter closed.

Legal Remedies

An action against this decision may be brought before the Berlin Administrative Court. It must be lodged in writing - also as an electronic document by means of a qualified electronic signature (QES) - or with the clerk of the court within one month of notification of this decision at the Berlin Administrative Court, Kirchstraße 7, 10557 Berlin. Please note that in the case of a written complaint, the time limit for filing a complaint is only met if the complaint is received by the administrative court within this time limit.

Yours sincerely