Datatilsynet (Denmark) - 2021-31-5523

From GDPRhub
Datatilsynet - 2021-31-5523
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 17 GDPR
Article 21 GDPR
Type: Investigation
Outcome: Violation Found
Started: 09.09.2021
Decided: 09.08.2022
Published:
Fine: n/a
Parties: TeeShoppen
National Case Number/Name: 2021-31-5523
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: gauravpathak

The Danish DPA reprimanded an e-commerce platform for violating Article 17(1)(c) GDPR by not complying with an erasure request. The DPA ordered the platform to comply.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject who had purchased goods from TeeShoppen, an e-commerce platform (the controller), and was getting marketing messages, asked the controller to delete his personal data. Subsequently, on 24 June 2019, the controller informed the data subject that his data would be deleted. When this was not done, the data subject contacted the Danish DPA. The controller confirmed to the DPA that it had deleted the personal data of the data subject. On 8 October 2020, the DPA reprimanded the controller for not immediately complying with Article 17 GDPR and closed the case. In Autumn of 2021, the data subject started receiving marketing emails again, and thus contacted the Danish DPA. The DPA sought replies from the controller but none was received.

Holding[edit | edit source]

The DPA pointed out that as per Article 21(2) GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes. In addition, data subjects have the right to have their personal data erased as per Article 17 GDPR. The DPA found that the controller had not deleted the personal data of the data subject, despite its earlier statement. Therefore, the DPA held that the controller had not complied with the data subject's right to erasure of personal data under Article 17(1)(c) GDPR. Consequently, the DPA reprimanded the controller for violating Article 17(1)(c) GDPR and ordered it to delete the personal data of the data subject.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Injunction and serious criticism of TeeShoppen for not having deleted personal data

Date: 09-08-2022

Decision Private companies Serious criticism Injunction Complaint The right to deletion

The Danish Data Protection Authority issues orders and expresses serious criticism of the Teeshoppen for not having deleted information about a person, despite the fact that in connection with a similar complaint from the same person in 2020, the Teeshoppen had informed both the complainant and the Danish Data Protection Authority that they had deleted the information.

Journal number: 2021-31-5523

Summary

In 2020, the Danish Data Protection Authority settled a case where a person complained about the lack of deletion of personal data at TeeShoppen. The person had previously been a customer of the company and received marketing material against their wishes. The Danish Data Protection Authority found in the decision from 2020 that TeeShoppen had not complied with the person's right to have information about them deleted.

TeeShoppen stated in connection with the processing of the case in 2020 that information about the customer had been deleted from the company's system.

Complain about the same situation again in 2021

In 2021, the Danish Data Protection Authority was again contacted by the same person with a similar complaint about the TeeShop. It turned out that TeeShoppen had not deleted the information about the person, despite the fact that the company had previously informed both the person and the Danish Data Protection Authority about this.

The Norwegian Data Protection Authority then found, in the Norwegian Data Protection Authority's new decision, reason to express serious criticism that TeeShop's processing of personal data had not taken place in accordance with the data protection rules.

At the same time, the Danish Data Protection Authority found reason to order TeeShoppen to delete the information about the person that TeeShoppen used for marketing.

On the same day, the Danish Data Protection Authority received TeeShoppen's statement that the order had been complied with.

Decision

The Danish Data Protection Authority hereby returns to the case, where [complainant] on 9 September 2021 complained to the Danish Authority that Noodle Firm ApS/TeeShoppen (hereinafter TeeShoppen) has not deleted the complainant's personal data, even though the company had previously informed the complainant that this had happened .

1. Decision

After a review of the case, the Danish Data Protection Authority finds that there are grounds for expressing serious criticism that Teeshoppen's processing of personal data has not taken place within the framework of the rules in Article 17 of the Data Protection Regulation[1].

At the same time, the Danish Data Protection Authority finds that there is a basis for notifying TeeShoppen of an order to delete the information about complaints that TeeShoppen uses for marketing. The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter g.

The deadline for compliance with the order is 23 August 2022. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date. According to the Data Protection Act[2] § 41, subsection 2, no. 5, anyone who fails to comply with an order issued by the Danish Data Protection Authority pursuant to Article 58, subsection of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter g.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

The complainant had purchased goods from TeeShoppen in 2018 and subsequently received marketing emails from the company. The complainant had requested the TeeShoppen to delete information about him, and on 24 June 2019 the TeeShoppen informed the complainant that the information about him would be deleted. When the complainant subsequently found that information about him for use in marketing had not been deleted, the complainant contacted the Danish Data Protection Authority.

On 27 January 2020, TeeShoppen announced in the Data Protection Authority's case with j.nr. 2019-31-2638, that complaints had been deleted from TeeShoppen's system.

On 8 October 2020, the Danish Data Protection Authority expressed criticism in the case that TeeShoppen's processing of personal data had not taken place within the framework of the rules in Article 17 of the Data Protection Regulation. The Danish Data Protection Authority had noted in the case that TeeShoppen no longer processed information about complaints.

On 9 September 2021, the complainant again contacted the Danish Data Protection Authority after receiving e-mails with marketing from TeeShoppen in the autumn of 2021.

2.1. Complainant's comments

The complainant has generally stated that TeeShoppen has not deleted information about him, which the company had otherwise stated it had done.

2.2. TeeShop's comments

The Danish Data Protection Authority requested TeeShoppen for a statement in the matter by letters of 12 October and 9 November 2021. TeeShoppen has not returned a response to the Danish Data Protection Authority.

3. Reason for the Data Protection Authority's decision

3.1. It follows from the data protection regulation article 21, subsection 2, that if personal data is processed for the purpose of direct marketing, the data subject has the right at any time to object to the processing of his personal data for such marketing.

The data subject has the right to have personal data about him deleted by the data controller without undue delay, and the data controller has the duty to delete personal data without

unnecessary delay if the data subject objects to the processing pursuant to Article 21, subsection 2, cf. the data protection regulation, article 17, subsection 1, letter c.

The Danish Data Protection Authority found, in connection with the Danish Data Protection Authority's decision of 8 October 2020, that TeeShoppen has not complied with the complainant's right to delete personal data according to Article 17, paragraph 1 of the Data Protection Regulation. 1, letter c.

3.2. The Danish Data Protection Authority assumes that TeeShoppen – despite what TeeShoppen stated in this regard on 27 January 2020 – has not deleted information about complaints for marketing purposes.

The Danish Data Protection Authority continues to find that TeeShoppen has not complied with the complainant's right to delete personal data pursuant to Article 17, paragraph 1 of the Data Protection Regulation. 1, letter c.

The Danish Data Protection Authority has hereby emphasized that the conditions for complainants to demand that the information be deleted from TeeShoppen's e-mail list are seen to have been met on 24 June 2019, and that the deletion should then take place without undue delay.

The Danish Data Protection Authority then finds grounds to express serious criticism that TeeShoppen's processing of personal data has not taken place within the framework of the rules in Article 17 of the Data Protection Regulation.

At the same time, the Danish Data Protection Authority finds that there is a basis for notifying TeeShoppen of an order to delete the information about complaints that TeeShoppen uses for marketing. The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter g.

The deadline for compliance with the order is 23 August 2022. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date. According to the Data Protection Act § 41, subsection 2, no. 5, anyone who fails to comply with an order issued by the Danish Data Protection Authority pursuant to Article 58, subsection of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter g.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (the Data Protection Act).