Datatilsynet (Denmark) - 2020-7320-1827

From GDPRhub
Datatilsynet - 2020-7320-1827
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 12 GDPR
Article 15 GDPR
Article 28 GDPR
Article 56 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Rejected
Started: 10.02.2020
Decided: 20.05.2022
Published:
Fine: None
Parties: Trustpilot
National Case Number/Name: 2020-7320-1827
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Datatilsynet (in EN)
Initial Contributor: n/a

In an Article 60 procedure, the Danish DPA determined that Trustpilot did not have to comply with an access request since Trustpilot was a mere processor under Article 28 GDPR.

English Summary

Facts

On 11 May 2019, the data subject bought an unspecified item from the company Asus on EBay, an online market place. Asus is a company that mainly sells consumer electronics, such as smartphones, laptops and accessories.

On 3 February 2020, the data subject received an e-mail from noreply.invitation@trustpilot.com. In this email, the data subject was asked to evaluate his buying experience with Asus. On 4 February 2020, the data subject requested access to his personal data by sending an e-mail to Trustpilot using a different e-mail account. Trustpilot replied on 6 February 2020 that it was not able to identify the data subject using this e-mail address. On 8 February 2020, Trustpilot sent the data subject another similar e-mail to the data subject.

On 10 February 2020, the data subject filed a complaint at a German DPA (Bavaria DPA), which forwarded the complaint to another German DPA (Beauftragte für Datenschutz und Informationsfreiheit (Berlin DPA). The latter transferred the complaint to the Danish DPA (DPA), which was the lead supervisory authority in this decision (Article 56 GDPR).

According to the data subject, Trustpilot was not allowed to process personal data about him. He also stated that Trustpilot had not responded to his access request. Trustpilot stated that it was a processor for other companies in relation to the sending of such emails. Trustpilot based this assessment on the fact that companies decided to use Trustpilots software and also decided whether and when invitations were send out using Trustpilots software. In addition, it were the companies, in this case, Asus, that provided the personal data used for the invitations. Therefore, Trustpilot was the processor.

In this decision, a data processing agreement of Trustpilot was also disclosed. It was stated that Trustpilot would assist in any handling of requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law. This could include requests for access, rectification, blocking or deletion, which related to Trustpilots processing of relevant data.

Holding

The main issue of this decision is whether Trustpilot was the controller or processor. The DPA stated that it assumed, based on the information available in the case file, that Trustpilot acted as a processor for Asus when it was processing personal data by sending an e-mail on behalf of Asus. Therefore, it was not the responsibility of the processor to handle and respond to access requests pursuant of Article 12 and 15 GDPR.

However, the DPA stated that it was regrettable that the processor did not have a consistent practice to search for relevant information, such as the name and address of the data subject who submitted the access request. If this had been the case, the processor could have been able to identify the data subject and thus, in its role as processor, could have assisted the controller to the extent as agreed in the data processing agreement.

Comment

According to the EDBP Register, the outcome of this Article 60 GDPR procedure was a finding of "no violation". The EDPB Register does not designate the outcome of this specific procedure as a dismissal or rejection of the complaint. In case of dismissal or rejection of the complaint, the decision should have been adopted by the DPA with which was originally lodged the complaint (Article 60(8) GDPR) and notified by such DPA to the data subject, not by the Danish DPA. The document made available on the EDPB as "final decision" is a letter of the Danish DPA referring to the data subject using the second person ("you made an online purchase of an item from..."). It is thus very unclear whether this decision falls under Article 60(7) GDPR or Article 60(8) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

J.No. 2020-7320-1827
Doc.no. 478508
Caseworker
Rasmus Martens
The Danish Data
Protection Agency
Carl Jacobsens Vej 35
2500 Valby
Denmark
T 3319 3200
dt@datatilsynet.dk
datatilsynet.dk
VAT No. 11883729
[Navn 1] [Navn 2]
[Adresse 1] [Adresse 2] [Adresse 3]
[Postnr.] [Postdistrikt]
[Landenavn]
Complaint about processing of personal data
1. The Danish Data Protection Agency (Danish DPA) returns to the case, where you on 10
February 2020 have complained to the Berliner Beauftragte für Datenschutz und Infor-
mationsfreiheit (DPA, Berlin) about Trustpilot A/S’ response to your request for access.
In accordance with Article 56 of the General Data Protection Regulation, the Data Protection
Agency has been designated as the lead supervisory authority in relation to Trustpilot A/S.
2. Facts of the case
It is apparent from the file that on 11 May 2019 you made an online purchase of an item from
the company Asus on Ebay’s website. The e-mail you provided in connection with the purchase
from Asus was ebay@levaria.de.
On 3 February 2020, you received an email from noreply.invitations@trustpilot.com to your
address ebay@levaria.de, where Asus Online Shop appeared as the sender. You were asked
in the email to evaluate the buying experience at Asus.
On 4 February 2020, you contacted Trustpilot from another email address (service@le-
varia.de) and requested access to the personal data Trustpilot may process about you. In
addition to the e-mail address, the inquiry included your name and address.
Trustpilot replied on 6 February 2020 and stated that Trustpilot could not locate an active user
for the email service@levaria.de and that Trustpilot therefore did not process any information
about you.
On 8 February 2020, you again received an email from noreply.invitations@trustpilot.com on
behalf of the Asus Online Shop sent to ebay@levaria.de, in which you were again asked to
evaluate your purchase from Asus.
You subsequently complained on 10 February 2020 about Trustpilot’s response to your re-
quest for access to the German supervisory authority (Bavaria DPA), which forwarded the
complaint to the Berlin supervisory authority.
As the lead supervisory authority in relation to Trustpilot, the Danish Data Protection Agency
subsequently took over the case from the Berlin supervisory authority, after which on 14 July
2020 the Danish Data Protection Agency sent your complaint to Trustpilot and asked Trustpilot
for a statement on the case.
XX.XX.XXXX
Page 2 of 4
Trustpilot issued a statement on the matter on 19 August 2020. The statement was sent to you
on 8 September 2020.
The Berlin supervisory authority informed the Danish Data Protection Agency on 12 January
2021 that you had not commented on the statement.
On 10 September 2021, the Danish Data Protection Agency asked Trustpilot for an additional
statement on the case, which Trustpilot submitted on 1 November 2021 as regards to the role
of Trustpilot when sending invitation emails.
At meetings between Trustpilot and the Danish Data Protection Agency on 25 February and 9
March 2022, Trustpilot explained the company’s ability to identify data subjects in general and
how Trustpilot in the case in question had tried to uniquely identify you.
2.1. Your comments
You have generally stated that Trustpilot is not allowed to process information about you and
that Trustpilot has not responded to your request for access in accordance with the data pro-
tection rules
2.2. Comments from Trustpilot
Trustpilot has generally explained that Trustpilot is an open platform where everyone can read,
write and collect reviews. Customers can rate a company at any time, and companies with an
online presence can — independently or with Trustpilot’s help — invite customers to rate the
company.
Trustpilot has further explained that Trustpilot is the data controller for information collected
when data subjects use Trustpilot’s website, create user profiles, or submit and/or respond to
reviews.
However, Trustpilot considers itself a data processor in relation to sending invitation emails.
This is based, among other things, on the fact that companies, such as Asus Online Shop,
assess whether or not they want to use Trustpilot’s invitation software, just as the companies
decide whether and when invitations are sent out via Trustpilot’s invitation software. In addi-
tion, it is the companies that provide the personal data used in connection with the invitations.
Trustpilot has stated in relation to your complaint that Trustpilot neither as a data controller nor
as a data processor processes personal data associated with the email address ser-vice@le-
varia.de. Trustpilot processes information associated with the email address ebay@levaria.de
as data processor for Asus Online Shop. As this email was not used or disclosed in connection
with the access request, Trustpilot could not conduct a search in Trustpilot’s systems based
on the enquiry. If the email address ebay@levaria.de had been provided, Trustpilot would have
referred you to the Asus Online Shop, which Trustpilot processed the personal data about you
on behalf of.
Trustpilot explained in detail that Trustpilot did a search on the e-mail service@levaria.de, the
first and second time you contacted Trustpilot, and that Trustpilot could not identify you on that
basis, as Trustpilot had not registered the email service@levaria.de.
When Trustpilot became aware of your complaint, Trustpilot also conducted a search by your
name. As a result, Trustpilot found that Trustpilot could not uniquely identify you when search-
ing your name (either alone or in conjunction with the e-mail service@levaria.de), as Trustpilot
has several registered names with the same name as you.