Datatilsynet (Denmark) - 2020-7320-1827
|Datatilsynet - 2020-7320-1827|
|Relevant Law:||Article 12 GDPR|
Article 15 GDPR
Article 56 GDPR
Article 60 GDPR
|National Case Number/Name:||2020-7320-1827|
|European Case Law Identifier:||EDPBI:DK:OSS:D:2022:368|
|Original Source:||EDPB (in EN)|
In an Article 60 procedure, the Danish DPA determined that Trustpilot did not have to comply with an access request since Trustpilot was a mere processor under Article 28 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
On 11 May 2019, the data subject bought an unspecified item from the company Asus on EBay, an online market place. Asus is a company that mainly sells consumer electronics, such as smartphones, laptops and accessories.
On 3 February 2020, the data subject received an e-mail from firstname.lastname@example.org. In this email, the data subject was asked to evaluate his buying experience with Asus. On 4 February 2020, the data subject requested access to his personal data by sending an e-mail to Trustpilot using a different e-mail account. Trustpilot replied on 6 February 2020 that it was not able to identify the data subject using this e-mail address. On 8 February 2020, Trustpilot sent the data subject another similar e-mail to the data subject.
On 10 February 2020, the data subject filed a complaint at a German DPA (Bavaria DPA), which forwarded the complaint to another German DPA (Beauftragte für Datenschutz und Informationsfreiheit (Berlin DPA). The latter transferred the complaint to the Danish DPA (DPA), which was the lead supervisory authority in this decision (Article 56 GDPR).
According to the data subject, Trustpilot was not allowed to process personal data about him. He also stated that Trustpilot had not responded to his access request. Trustpilot stated that it was a processor for other companies in relation to the sending of such emails. Trustpilot based this assessment on the fact that companies decided to use Trustpilots software and also decided whether and when invitations were send out using Trustpilots software. In addition, it were the companies, in this case, Asus, that provided the personal data used for the invitations. Therefore, Trustpilot was the processor.
In this decision, a data processing agreement of Trustpilot was also disclosed. It was stated that Trustpilot would assist in any handling of requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law. This could include requests for access, rectification, blocking or deletion, which related to Trustpilots processing of relevant data.
Holding[edit | edit source]
The main issue of this decision is whether Trustpilot was the controller or processor. The DPA stated that it assumed, based on the information available in the case file, that Trustpilot acted as a processor for Asus when it was processing personal data by sending an e-mail on behalf of Asus. Therefore, it was not the responsibility of the processor to handle and respond to access requests pursuant of Article 12 and 15 GDPR.
However, the DPA stated that it was regrettable that the processor did not have a consistent practice to search for relevant information, such as the name and address of the data subject who submitted the access request. If this had been the case, the processor could have been able to identify the data subject and thus, in its role as processor, could have assisted the controller to the extent as agreed in the data processing agreement.
Comment[edit | edit source]
According to the EDBP Register, the outcome of this Article 60 GDPR procedure was a finding of "no violation". The EDPB Register does not designate the outcome of this specific procedure as a dismissal or rejection of the complaint. In case of dismissal or rejection of the complaint, the decision should have been adopted by the DPA with which was originally lodged the complaint (Article 60(8) GDPR) and notified by such DPA to the data subject, not by the Danish DPA. The document made available on the EDPB as "final decision" is a letter of the Danish DPA referring to the data subject using the second person ("you made an online purchase of an item from..."). It is thus very unclear whether this decision falls under Article 60(7) GDPR or Article 60(8) GDPR.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
J.No. 2020-7320-1827 Doc.no. 478508 Caseworker Rasmus Martens The Danish Data Protection Agency Carl Jacobsens Vej 35 2500 Valby Denmark T 3319 3200 email@example.com datatilsynet.dk VAT No. 11883729 [Navn 1] [Navn 2] [Adresse 1] [Adresse 2] [Adresse 3] [Postnr.] [Postdistrikt] [Landenavn] Complaint about processing of personal data 1. The Danish Data Protection Agency (Danish DPA) returns to the case, where you on 10 February 2020 have complained to the Berliner Beauftragte für Datenschutz und Infor- mationsfreiheit (DPA, Berlin) about Trustpilot A/S’ response to your request for access. In accordance with Article 56 of the General Data Protection Regulation, the Data Protection Agency has been designated as the lead supervisory authority in relation to Trustpilot A/S. 2. Facts of the case It is apparent from the file that on 11 May 2019 you made an online purchase of an item from the company Asus on Ebay’s website. The e-mail you provided in connection with the purchase from Asus was firstname.lastname@example.org. On 3 February 2020, you received an email from email@example.com to your address firstname.lastname@example.org, where Asus Online Shop appeared as the sender. You were asked in the email to evaluate the buying experience at Asus. On 4 February 2020, you contacted Trustpilot from another email address (service@le- varia.de) and requested access to the personal data Trustpilot may process about you. In addition to the e-mail address, the inquiry included your name and address. Trustpilot replied on 6 February 2020 and stated that Trustpilot could not locate an active user for the email email@example.com and that Trustpilot therefore did not process any information about you. On 8 February 2020, you again received an email from firstname.lastname@example.org on behalf of the Asus Online Shop sent to email@example.com, in which you were again asked to evaluate your purchase from Asus. You subsequently complained on 10 February 2020 about Trustpilot’s response to your re- quest for access to the German supervisory authority (Bavaria DPA), which forwarded the complaint to the Berlin supervisory authority. As the lead supervisory authority in relation to Trustpilot, the Danish Data Protection Agency subsequently took over the case from the Berlin supervisory authority, after which on 14 July 2020 the Danish Data Protection Agency sent your complaint to Trustpilot and asked Trustpilot for a statement on the case. XX.XX.XXXX Page 2 of 4 Trustpilot issued a statement on the matter on 19 August 2020. The statement was sent to you on 8 September 2020. The Berlin supervisory authority informed the Danish Data Protection Agency on 12 January 2021 that you had not commented on the statement. On 10 September 2021, the Danish Data Protection Agency asked Trustpilot for an additional statement on the case, which Trustpilot submitted on 1 November 2021 as regards to the role of Trustpilot when sending invitation emails. At meetings between Trustpilot and the Danish Data Protection Agency on 25 February and 9 March 2022, Trustpilot explained the company’s ability to identify data subjects in general and how Trustpilot in the case in question had tried to uniquely identify you. 2.1. Your comments You have generally stated that Trustpilot is not allowed to process information about you and that Trustpilot has not responded to your request for access in accordance with the data pro- tection rules 2.2. Comments from Trustpilot Trustpilot has generally explained that Trustpilot is an open platform where everyone can read, write and collect reviews. Customers can rate a company at any time, and companies with an online presence can — independently or with Trustpilot’s help — invite customers to rate the company. Trustpilot has further explained that Trustpilot is the data controller for information collected when data subjects use Trustpilot’s website, create user profiles, or submit and/or respond to reviews. However, Trustpilot considers itself a data processor in relation to sending invitation emails. This is based, among other things, on the fact that companies, such as Asus Online Shop, assess whether or not they want to use Trustpilot’s invitation software, just as the companies decide whether and when invitations are sent out via Trustpilot’s invitation software. In addi- tion, it is the companies that provide the personal data used in connection with the invitations. Trustpilot has stated in relation to your complaint that Trustpilot neither as a data controller nor as a data processor processes personal data associated with the email address ser-vice@le- varia.de. Trustpilot processes information associated with the email address firstname.lastname@example.org as data processor for Asus Online Shop. As this email was not used or disclosed in connection with the access request, Trustpilot could not conduct a search in Trustpilot’s systems based on the enquiry. If the email address email@example.com had been provided, Trustpilot would have referred you to the Asus Online Shop, which Trustpilot processed the personal data about you on behalf of. Trustpilot explained in detail that Trustpilot did a search on the e-mail firstname.lastname@example.org, the first and second time you contacted Trustpilot, and that Trustpilot could not identify you on that basis, as Trustpilot had not registered the email email@example.com. When Trustpilot became aware of your complaint, Trustpilot also conducted a search by your name. As a result, Trustpilot found that Trustpilot could not uniquely identify you when search- ing your name (either alone or in conjunction with the e-mail firstname.lastname@example.org), as Trustpilot has several registered names with the same name as you.