DSB - DSB-D130.073/0008-DSB/2019

From GDPRhub
DSB - DSB-D130.073/0008-DSB/2019
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 32 GDPR
§ 1(1) DSG
§ 24(1) DSG
§ 24(5) DSG
Type: Complaint
Outcome: Upheld
Decided: 09.10.2019
Published:
Fine: None
Parties: Anonymous
National Case Number/Name: DSB-D130.073/0008-DSB/2019
European Case Law Identifier: ECLI:AT:DSB:2019:DSB.D130.073.0008.DSB.2019
Appeal: Final
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: {{{Initial_Contributor}}}

The DSB found an Article 32 GDPR violation where a dating platform did not require a double opt-in confirmation for email addresses used in the sign-up process.

English Summary[edit | edit source]

Facts[edit | edit source]

The email address of a minor (complainant) was used to register an account on two dating websites of the respondent. The complainant's email address subsequently received dating-related emails sent by the respondent. These emails included 'contact recommendations' and other notifications. The complainant did not register the account himself.

Dispute[edit | edit source]

The complainant alleged that by not implementing a double opt-in process for user registrations, the respondent violated Article 5 GDPR, Article 6 GDPR, and Article 32 GDPR, and § 1 para 1 DSG (the Austrian Data Protection Act), which protects the confidentiality of data subjects where the data subjects have such an interest that deserves protection. The complainant also alleged that their personal data (the email address) was unlawfully processed by the respondent.

The respondent disputed this and alleged that an account could not be fully used as long as the email address provided was not confirmed through a double opt-in process.

Holding[edit | edit source]

The DSB held that sending emails to an unconfirmed email address contrary to the requirements of Article 32 GDPR violated the complainant's right to confidentiality under § 1 para 1 DSG (the Austrian Data Protection Act).

Comment[edit | edit source]

The DSB confirmed in the decision that a data subject may rely in its complaint on provisions outside of Chapter III GDPR on data subject rights, such as Article 32 GDPR, provided that the alleged infringement may lead to a violation of the right to confidentiality granted in § 1 para 1 DSG (the Austrian Data Protection Act).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the ***German*** original. Please refer to the ***German*** original for more details.

Deciding authority
Data Protection Authority

Decision date
09.10.2019

Case number
DSB-D130.073/0008-DSB/2019

Contestation before the BVwG/VwGH/VfGH
This decision is final.

Text

GZ: DSB-D130.073/0008-DSB/2019 of 9.10.2019

Note from the administrator: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected].

DECISION

SAYING

The data protection authority decides on the data protection complaint of the minor A*** F*** (complainant), represented by the custodian Z*** F***, of 21 August 2018 against N***Netzwerk GmbH & Co KG (respondent) for violation of the right to confidentiality as follows:

- The complaint is upheld and it is determined that the respondent has violated the complainant's right to secrecy pursuant to Article 1 paragraph 1 of the DSG by allowing, in the absence of suitable technical and organisational measures pursuant to Article 32 of the DSGVO ("security of processing"), the e-mail address ***@***.com of the minor complainant, but without the complainant's knowledge, the profile "***geilab14" on the online dating portal www.dates***.com operated by the respondent and the profile "bernd***" on the dating portal www.***frauen.com also operated by the respondent and that the complainant was subsequently sent "contact suggestions" and notifications from the respondent to his or her e-mail address ***@***.com on an ongoing basis.

Legal basis: Article 32 of Regulation (EU) 2016/679 (Basic Data Protection Regulation - DSGVO), OJ No. L 119 of 4.5.2016; Article 1(1) and (2) and Article 24(1) and (5) of the Data Protection Act - DSG, Federal Law Gazette I No. 165/1999 as amended.

EXPLANATIONS

A. Arguments of the parties and procedure

1 Z*** F***, as legal representative of the minor complainant A*** F***, filed a complaint with the DSGVO by submission of 21 August 2018, improved by submission of 3 November 2018 and by submission of 18 November 2018, and alleged a violation of Articles 5, 6, 7 and 8 of the DSGVO.

In summary, he submitted that the e-mail address of the minor complainant ***@***.com had been used without his knowledge to register the profile "***geilab14" on the online dating portal www.dates***.com operated by the respondent and the profile "bernd ***" on the dating portal www.***frauen.com also operated by the respondent. This had led to the underage complainant receiving regular dating or sex offers sent to his or her e-mail address ***@***.com.

Registration - continued the legally represented complainant - and access to the online portal ("dates***") was possible with any e-mail address and without an integrity check pursuant to Article 5.1(f) of the DPA. It was possible that the data was forwarded to third parties not mentioned in the data protection declaration, such as "***-Date", "L***".

On 24 June 2018, Z*** F*** had found messages in the minor complainant's inbox. It had not been possible to unsubscribe from these messages. He had immediately sent a cease-and-desist letter to the respondent and had pointed out that the complainant was a minor. On 8 July 2018, Z*** F*** had urged a reply, which he had received on 10 August 2018. There had been further e-mail correspondence with the defendant. In any event, the minor complainant had not created the two profiles "***geilab14" and "bernd***" for the e-mail address ***@***.com himself. Rather, it had to be assumed that an unknown person had created the two profiles on the online dating portals operated by the respondent.

The complaint is directed against the fact that it is possible to create a profile on the online dating portals operated by the respondent without a double opt-in procedure and without checking the age of the "interested party" inquiring by e-mail. Z*** F*** can prove on the basis of a "self-test" that the mere registration with an e-mail address without a double opt-in procedure is sufficient to create a profile and subsequently use the respondent's services.

For the two profiles "***geilab14" and "bernd***" - the legally represented complainant continued - there was no confirmation that the double opt-in procedure had been carried out or an age verification that legitimises the sending of sex offers to and the passing on of the complainant's e-mail address ***@***.com.

2. in its opinion of 8 February 2019, the respondent essentially argued that in order to create a profile on the online dating portals www.dates***.com and www.***frauen.com, which it operates, a user must state his or her gender, the desired user name, password and an e-mail address and must accept the respondent's terms and conditions and entertainment guidelines.

After successful registration, the user will receive a message at the e-mail address provided, asking him/her to activate his/her profile or confirm his/her e-mail address. Although the user can log in to his profile without activating his profile or confirming his e-mail address, he will be asked to confirm his e-mail address again. In addition, he would have to state his age.

The profile can only be activated after clicking on the activation link, which is sent to the user's e-mail address. The user cannot activate his profile if he does not have access to the e-mail address used. Only after activation does the user receive another e-mail.

In a letter from the data protection authority dated 15 February 2019 regarding GZ: DSB-D130.073/0001-DSB/2019, the respondent was requested to provide additional comments in extracts as follows

"The DSB understands your opinion to mean that a user (after creating his or her profile) can already then log in to his or her profile on your website without having to activate the activation link - in the message sent to his or her e-mail address. Is this correct?

What services can the user use if he has logged into his profile even though he has not yet activated it? Please demonstrate this with screenshots."

4. in its observations of 28 February 2019, the respondent submitted the following:

"We will be happy to answer your questions as follows.

It is correct that after registration and the explicit confirmation of his age and place of residence and the request to confirm his DoubleOptIn e-mail, the user can use the portal with restrictions.

The request to confirm his DoubleOptIn email will come in regular intervals (every 3-5 minutes) within the portal as long as the user has not confirmed it.

It is possible for the user to use some services on the portal with restrictions. As an example we have attached the following screenshots".

Remark Editor: the graphic files/screenshots inserted here in the original were removed, because they cannot be pseudonymized with reasonable effort].

(4) In his observations of 22 March 2019, the complainant submitted in summary form at the hearing of the parties that the documents he had submitted showed that, even without activating the profile, messages would be sent to the e-mail address that actually had to be confirmed first. The double opt-in procedure mentioned in the respondent's opinion was not applicable, certainly also in order to encourage potential users to activate the profile. He could - according to the legally represented complainant further - prove this via a test account if required. He could not see any reasonable effort to determine the real age of the users.

Despite the lack of profile activation via the double opt-in procedure, the underage complainant had been sent unrequested inappropriate contact requests. In summary, the legally represented complainant assumes - even after knowing the respondent's comments on the registration procedure for its online dating portals - that the DSGVO has been violated by unlawful processing/use of the e-mail address ***@***.com.

B. Object of complaint

On the basis of the submissions of the legally represented complainant, it emerges that the subject of the complaint is the question of whether the respondent has infringed the complainant's right to confidentiality by allowing the e-mail address ***@***.com, but without the knowledge of the complainant, to create the profile "***geilab14" on the online dating portal www.dates***.com operated by the respondent and the profile "bernd***" on the dating portal www.***frauen.com also operated by the respondent and to send the complainant "contact suggestions" and notifications of the respondent to his e-mail address ***@***.com on an ongoing basis.

C. Findings of the facts

The respondent is registered under the name "N***Netzwerk GmbH & Co KG" in the commercial register under the commercial register number ******a.

Assessment of evidence: This results from the enquiry - carried out by the data protection authority - into the commercial register on the cut-off date of 4 October 2019.

In any event, the respondent operated the online dating portals www.***frauen.com and www.dates***.com until 28 February 2019.

Assessment of the evidence: This follows from the statements of 8 February 2019 and 28 February 2019 submitted by the Respondent to the Data Protection Authority, in particular the Respondent's statement of 28 February 2019 which contains the following information: "www.***frauen.com is an offer of: N***Netzwerk GmbH & Co KG" and "www.dates***.com is an offer by: N***Netzwerk GmbH & Co KG".

In order to create a profile or register on these dating portals www.***frauen.com and www.dates***.com, the user must enter his/her gender, desired user name, a password and an e-mail address. Furthermore, by ticking a box, the user must declare his agreement with the respondent's terms and conditions and entertainment guidelines. Under point II. ("Conclusion of contract") 1. of the GTC, "persons under the age of 18 and those acting on behalf of a third party" are excluded from using the services.

Assessment of evidence: This results from the Respondent's statement of 8 February 2019 and the official research of the data protection authority on the websites www.***frauen.com and www.dates***.com on the cut-off date of 4 October 2019.

By logging into his or her profile on the websites of the respondent www.***frauen.com and www.dates***.com, the user can use the respondent's services from the time a profile is created, i.e. from registration, without having to confirm his or her registration again by clicking on an "activation link" that was sent to the e-mail address provided during registration.

Evaluation of evidence: This follows from the Respondent's submission of 28 February 2019.

The e-mail address given when creating a profile (= when registering) is continuously sent notifications to the respondent from the time the profile is created.

Assessment of evidence: This is based on the credible submission of the Complainant and the Respondent's notifications sent to ***@***.com at the same time as the Complaint.

The underage complainant's e-mail address is ***@***.com.

Assessment of Evidence: This follows from the undisputed submissions of the complainant in his complaint of 21 August 2018.

In June 2018, Z*** F***, the father of the complainant, who was 12 years old at the time the complaint was lodged on 21 August 2018, found several messages from the respondent in his son's (= the complainant's) e-mail box ***@***.com. These messages came from the respondent's online dating portals www.***frauen.com and www.dates***.com. The messages concerned the "***geilab14" profile on the online dating portal www.dates***.com and the "bernd***" profile on the online dating portal www.***frauen.com and contained, inter alia, "contact suggestions". Both profiles were registered to the e-mail address ***@***.com of the minor complainant.

Evaluation of evidence: This follows from the complainant's credible submissions in his complaint of 21 August 2018, which have not been disputed by the respondent.

On 5 June 2018, the profile "***geilab14" was created on the online dating portal www.dates***.com with the complainant's e-mail address ***@***.com. On 29 June 2018, the profile "bernd***" was created on the online dating portal www.***frauen.com using the e-mail address of the Complainant ***@***.com.

Assessment of evidence: By e-mail of 8 July 2018, the complainant requested information from the respondent under Article 15 of the DSGVO. The respondent subsequently provided the complainant with a list of the information stored about him/her, indicating when the profiles "***geilab14" and "brnd***" were registered on the complainant's e-mail address ***@***.com.

The underage complainant did not personally create the two profiles "***geilab14" and "bernd***" that were registered to his or her ***@***.com email address and to which he or she received notifications from the Respondent regarding both profiles.

Assessment of evidence: The fact that the minor complainant did not himself create the profiles "***geilab14" and "bernd***" is based, on the one hand, on the credible submission of the legally represented minor complainant, who, at the express request of the data protection authority in a letter dated 19 September 2018 in reply dated 14 October 2018, denied that he himself created the two profiles "***geilab14" and "bernd***" with his e-mail address ***@***.com. In addition, the data protection authority has in the meantime been confronted with further complaints - recorded for the business number D145,050 and the business number D124,788 and the business number D124,1053 - concerning the same respondent, in which the respective complainants unanimously claim to have received "spam e-mails" from the respondent without ever having created a profile on the respondent's online dating portals. In the overall picture, it therefore appears plausible to the data protection authority that the e-mail addresses of uninvolved third parties - i.e. persons who have not themselves created a profile on the respondent's online dating portals - are used for spam e-mails of the respondent.

D. From a legal point of view, it follows that

The complainant relies - after having been managed by the data protection authority by means of an improvement order dated 12 November 2018 - on a violation of Article 5, Article 6 and Article 32 DSGVO (in conjunction with Article 1 DSG). The rights of the persons concerned are now listed in Chapter III DSGVO, namely in Articles 12 to 23 DSGVO. According to the case law of the data protection authority, a data subject may also rely on any provision outside Chapter III DSGVO - thus also on Article 32 DSGVO - provided that this may lead to a possible violation of the right to confidentiality under Article 1 paragraph 1 DSG (cf. the decision of the data protection authority of 13 September 2018, DSB-D123.070/0005-DSB/2018, according to which a violation of Article 32 DSGVO by the controller may lead to a violation of Article 1 paragraph 1 DSG). Accordingly, a violation of the right to secrecy in accordance with Article 1.1 of the DPA was to be examined in the present case.

Pursuant to Article 1, paragraph 1 of the DSG, everyone has the right to confidentiality of personal data concerning him or her, in particular with regard to respect for his or her private and family life, insofar as there is an interest worthy of protection.

E-mail addresses are personal data in accordance with Art. 4 Z 1 DSGVO. This means that the e-mail address ***@***.com is a personal date of the minor complainant.

According to the legal opinion of the data protection authority, unauthorised use of e-mail addresses can in any case violate Art. 5, Art. 6 and Art. 32 DSGVO and thus constitute a conceivable violation of § 1 Para. 1 DSG:

As can be seen from Art. 32 DSGVO, there is an obligation of the controller or the processor to ensure the security of the processing of personal data. Art. 32 DSGVO focuses its normative content on "technical and organisational measures". The DPA uses these terms in numerous other places as a normative connecting factor, in particular in Art. 5 Para. 1 lit. f, Art. 24 Para. 1 sentence 1, Art. 25 Para. 1 and Para. 2 sentence 1, Art. 28 Para. 1 and Art. 89 Para. 1 sentence 2 (...). The topos refers to all measures which aim at processing in accordance with the provisions of the DPA (see Martini in Paal/Pauly, Datenschutz-Grundverordnung [2017], Art. 32 para. 28). This security can be guaranteed in several ways, taking into account the elements mentioned in paragraph 1 of this provision. For example, such a data protection security measure may consist in the implementation of a double opt-in procedure for obtaining consent in conformity with the law:

The "double opt-in procedure" is generally understood to be the obtaining of the subscriber's declaration of consent in a two-stage system which provides for a registration to obtain electronic information, for example on the provider's website, followed in a first step by an individual message to the specified e-mail address or telephone connection, after which a registration is made for this address or connection. Only after a reply to this (individual) e-mail or short message confirming the registration or a comparable reaction (e.g. clicking on a link), will advertising messages be sent (cf. the decision of the Administrative Court of 26 June 2013, no. 2012/03/0089 with further references).

As the respondent itself submits, it is already possible for a user to use the respondent's online dating portals after registration by logging into their profiles on the websites www.***frauen.com and www.dates***.com. In order to use the respondent's online dating portals, the user does not have to confirm the e-mail address he/she entered upon registration by clicking on an "activation link" that was sent to the e-mail address he/she entered upon registration.

Nor does the respondent wait with the sending of "contact suggestions" until the user confirms his registration again by clicking on an activation link which was sent to the e-mail address he entered during registration. Rather, the respondent will continuously send its notifications to the e-mail address given upon registration - even without clicking on the activation link.

This means that the respondent does not use a double opt-in procedure.

It is therefore possible - as in the present case - for a user to register on the respondent's online dating portals with the e-mail address of an uninvolved third party rather than with his own e-mail address. As a result, this user can use the respondent's services without ever having to access the e-mail account of the e-mail address given upon registration. The uninvolved third party, however, whose e-mail address was used for registration on the online dating portals, will subsequently receive notifications ("contact suggestions") from the Respondent sent to its e-mail address, without ever having registered on the Respondent's online dating portals.

This is exactly what happened in the present case: The email address of the minor complainant ***@***.com was used by an unknown person(s) to create two profiles on the respondent's online dating sites.

As a result of the fact that the respondent did not take adequate data security measures in accordance with Article 32 of the Data Protection Act, it was possible that personal data of the complainant - namely the e-mail address ***@***.com - was processed unlawfully, which violated the complainant's fundamental right to confidentiality under Article 1 paragraph 1 of the Data Protection Act.

The claim for damages

The data protection authority has no competence with regard to the claim for damages raised by the complainant. Pursuant to § 29.2 of the Data Protection Act (DSG), the competent regional court must be called upon for this purpose.
European Case Law Identifier

ECLI:AT:DSB:2019:DSB.D130.073.0008.DSB.2019