DVI (Latvia) - SIA “DEPO DIY”
|DVI - SIA “DEPO DIY”|
|Relevant Law:|Article 5 GDPR, Article 5(1)(c) GDPR, Article 6(1)(a) GDPR, Article 6(1)(c) GDPR, Article 83(5) GDPR|
|National Case Number/Name:|SIA “DEPO DIY”|
|European Case Law Identifier:|n/a|
|Original Source:|DVI (in LV)|
The DPA finds that the contested decision, including but not limited to the complaints of the data subject, correctly established the facts of the case and qualified the administrative offence.
English Summary
Facts
DEPO (the controller) is a do-it-yourself store based in Latvia. In order to receive additional services (such as home delivery or an accounting receipt), customers must obtain a customer card. Without such a card, the additional service is not provided. To obtain a card, customers must consent to the processing of their personal data for a number of unrelated purposes, such as registration in the accounting system, return of the purchase price to the customer card, identification when using additional services, allocation of the card and allocation of bonuses. The personal data collected to achieve all these purposes are: name, surname, personal identification number, date of birth (for non-residents), business registration number, address and telephone number.
Following several complaints from customers, the Latvian DPA started an investigation. The DPA found that customers who had not obtained a customer card - and thus consented to the processing of their personal data - could not receive the additional services. The DPA held that this did not ensure compliance with the definition of consent set out in Article 4(11) GDPR. It stated that consent cannot be considered as freely given if its withholding results in the service not being received at all. In addition, the DPA found that the controller unreasonably based processing of personal data on Article 6(1)(a) GDPR, for example the processing of personal data related to invoices. Given that this processing does not depend on customers' will, it cannot be carried out on the basis of consent.
Moreover, the DPA found that the controller violated the principle of data minimisation. For example, customers were required to provide a personal identification number in order to receive an invoice for the purchase of goods, which is not necessary for the specific service.
The controller stated that the issue of a customer card is necessary to identify customers, e.g. when making a delivery. However, the DPA held that it is also possible to identify a person, e.g. when making a delivery, by asking for an ID card. There is no justification for the controller to require a customer card in each case.
The DPA held that it is also possible for the controller to fulfil its other statutory obligations, such as issuing supporting documents on the basis of Article 6(1)(c) of the GDPR, without making it mandatory for customers to obtain a customer card as a prerequisite for the fulfilment of these tasks.
[2.5] The fact that only two data subjects have lodged a complaint about unlawful data processing is irrelevant in the present case.
The contested decision states that the existence of actual damage is not necessary to establish unlawful processing and an infringement of the fundamental rights of the data subject. In particular, it is irrelevant whether the processing has had any negative consequences (actual infringement of rights) in order to be considered as interference with fundamental rights.
[2.6] In the light of the foregoing, the contested decision finds that the controller, in the context of the provision of ancillary services, has carried out the processing (acquisition and storage) of personal data of customers (natural persons) and has thereby infringed Article 5 of the GDPR: from 9 September 2020 to 10 June 2021, name, surname, personal identification number or date of birth, contact details (telephone number, e-mail) and address; from 10 June 2021 to the present, name, surname, e-mail and telephone number (address - only in Lithuania and Estonia). The processing of personal data has been and continues to be carried out on the basis of an incompatible legal basis set out in Article 6(1).
Holding
The DPA clarified that the essence of the infringement at hand was that a customer, who wished to receive one of the services offered by the controller, was forced to consent to the processing of personal data also for other purposes for which different legal bases and retention periods were indicated. Therefore, it was irrelevant which legal basis the controller indicated for the processing of personal data, consent or conclusion of a contract. The data subject had to, in any case, consent to the processing of their personal data to be granted a DEPO card, regardless of whether they wished to receive a service unrelated to the card. Furthermore, the DPA noted that, although the personal data was initially collected for the purpose of granting a DEPO card, the processing would be extended to other unrelated purposes, such as provision of delivery services.
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.