Persónuvernd - 2020010577: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 50: Line 50:
}}
}}


The Icelandic DPA (Personuvernd) ordered Wedo ehf., the operator of the sales website Bland.is, to stop the processing of user's personal data.  According to the controller, the processing  took place on the basis of the complainant's consent, but in the ruling it was concluded that the conditions of consent had not been met.  
The Icelandic DPA ordered an operator of a sale website to stop the processing of users' personal data.  According to the DPA, the consent was not sufficiently informed.  


==English Summary==
==English Summary==


===Facts===
===Facts===
The complainant stated that when registering on the sales website Bland.is, he had to identify himself with an ID number and a bank account which was to be deleted after identification. This information had been used to obtain further information about the complainant, including his address. It was later published on his advertisement on Bland.is. In the complainant's view, the personal information was collected without authorization he was deceived into obtaining it on false pretenses and added to the advertisement without his knowledge.
The complainant stated that when registering on the sales website Bland.is, he had to identify himself with an ID number and a bank account which was to be deleted after identification. However, this information had been used to obtain further information about the complainant, including his address. It was later published on his advertisement on Bland.is. In the complainant's view, the personal information was collected without his authorization. He was deceived into consenting to it under false pretenses and added to the advertisement without his knowledge.


In the answer of Wedo ehf. said that when users identify themselves on the sales page Bland.is, the company looks up the user's address in the national register. The company considered itself to be processing personal information about the complainant's address on the basis of consent.
Wedo, an operator of the website, replied that when users identify themselves on Bland.is, the company looks up the user's address in the national register. The company considered itself to be processing personal information about the complainant's address on the basis of consent.


===Dispute===
===Dispute===


 
Was the consent informed enough?
===Holding===
===Holding===
In the opinion of the DPA, the complainant's authorization to remove an address in the user settings on the website does not fulfill the condition that consent should be granted by action. The declaration of approval offered by Wedo ehf. does not fulfil the conditions for an informed consent. Although the company obtained contact information from the National Registry, the privacy policy stated that contact information will be obtained from users, in addition to which the consent was not limited and specified from other processing operations that took place for other purposes. The processing could therefore not be based on point 1. Article 9 Act no. 90/2018 and item a of the first paragraph Article 6 GDPR.
In the opinion of the DPA, the complainant's authorization to remove an address in the user settings on the website does not fulfill conditions of the consent under Article 7 GDPR. The declaration of approval offered by the controller does not provide enough information. Contrary to the privacy policy that stated that contact information will be obtained from users, the company obtained it from the National Registry. The processing did not comply with Article 6(1)(a) GDPR.


The DPA concluded that the acquisition and publication of Wedo ehf. on personal information about the complainant's address, was not permitted according to Art. Act no. 90/2018, Coll. Paragraph 1 Article 6 GDPR. The  processing did not comply with the law and the regulation.
In accordance with this conclusion, the DPA ordered the controller to stop the processing of personal information about the address of the Bland.is users until the company sends the DPA an explanation on which basis the processing took place and the DPA confirms that the processing complies with the provisions of the law.
 
In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, the DPA ordered Wedo ehf. to stop the processing of personal information about the address of the users of the sales website Bland.is until the company sends the DPA an explanation on which basis the processing takes place and the DPA confirms that the processing complies with the provisions of the law.


==Comment==
==Comment==
Line 79: Line 77:


<pre>
<pre>
<!DOCTYPE html><!-- eplica-no-index --><html class=" onecol" xmlns="http://www.w3.org/1999/xhtml" lang="is"><head><meta charset="utf-8" /><meta name="generator" content="Eplica CMS - www.eplica.is" /><meta name="HandheldFriendly" content="true" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="format-detection" content="telephone=no"><title> Processing of personal information about the addresses of users of Bland.is | Solutions | Privacy. Your information, your privacy. </title><meta property="og:site_name" content="Persónuvernd. Þínar upplýsingar, þitt einkalíf." /><link rel="shortcut icon" href="/skin/v2/pub/i/fav.png" /><link rel="canonical" href="https://www.personuvernd.is/urlausnir/vinnsla-personuupplysinga-um-heimilisfong-notenda-bland.is" /><script>if(self!=top){var ö=document.documentElement;ö.style.display='none !important';try{top.location.replace(location)}catch(e){setTimeout(function(){ö.innerHTML=''},500)}}</script><link rel="stylesheet" href="/skin/v2/pub/main.css?v1.14" /><!--  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ruling
      Eplica web management system
 
      Eplica 3 : (4 @ 1040f32)
On March 10, 2021, the Board of the Data Protection Authority issued a ruling in case no. 2020010577:
      Tags [release/4.7.1]
 
      Project Version (master@f4c8981)
I.
      License Eplica ISP hosted solution
 
      eplica-is-1.hugsmidjan.is::
Procedure
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
      Hugsmiðjan ehf.
1.
      Tel. +354 550-0900
 
      info@eplica.is
Complaint
      www.eplica.is
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  --><!-- begin og: tags --><meta property="og:type" content="website" /><meta property="og:title" content="Processing of personal information about the addresses of users of Bland.is" /><meta property="og:description" content="The Data Protection Authority has ruled in a case where a complaint was made about the processing of information about the complainant&#39;s address by Wedo ehf., The operator of the sales website Bland.is. The responses of the responsible party stated that the processing of personal data would take place on the basis of the complainant&#39;s consent, but in the ruling it was concluded that the conditions of consent had not been met. The conclusion of the Data Protection Authority was that the processing was not in accordance with Act no. 90/2018, on personal protection and the processing of personal information and Wedo ehf. made to stop the processing of personal information about the addresses of users of the sales website." /><meta name="twitter:title" content="Vinnsla pers&oacute;nuuppl&yacute;singa um heimilisf&ouml;ng notenda Bland.is" /><meta name="twitter:description" content="Pers&oacute;nuvernd hefur &uacute;rskur&eth;a&eth; &iacute; m&aacute;li &thorn;ar sem kvarta&eth; var yfir vinnslu uppl&yacute;singa um heimilisfang kvartanda hj&aacute; Wedo ehf., rekstrara&eth;ila s&ouml;luvefsins Bland.is. &Iacute; sv&ouml;rum &aacute;byrg&eth;ara&eth;ila kom fram a&eth; vinnsla pers&oacute;nuuppl&yacute;singa f&aelig;ri fram &aacute; grundvelli sam&thorn;ykkis kvartanda, en &iacute; &uacute;rskur&eth;inum er komist a&eth; &thorn;eirri ni&eth;urst&ouml;&eth;u a&eth; skilyr&eth;i sam&thorn;ykkis hafi ekki veri&eth; uppfyllt. Var ni&eth;ursta&eth;a Pers&oacute;nuverndar s&uacute; a&eth; vinnslan hafi ekki samr&yacute;mst l&ouml;gum nr. 90/2018, um pers&oacute;nuvernd og vinnslu pers&oacute;nuuppl&yacute;singa og var Wedo ehf. gert a&eth; st&ouml;&eth;va vinnslu pers&oacute;nuuppl&yacute;singa um heimilisf&ouml;ng notenda s&ouml;luvefsins." /><meta name="twitter:card" content="summary_large_image" /><meta property="og:image" content="https://www.personuvernd.is/media/logo/personuvernd-social.png" /><meta name="twitter:image" content="https://www.personuvernd.is/media/logo/personuvernd-social.png" /><!-- end og: tags --><script>(function(f,u,c,i,t){ u[c]+=' _ js-on '+f;setTimeout(function(r,e,m,v){r=f.split(i);e=0;v=u[c]+i;while(m=r[e++]){v=v.replace(i+m+i,i)}(u[c]+i)!==v&&(u[c]=v)},8000);t=document.createElement('input');if('placeholder' in t){u[c]+=' supports-placeholders';}})('beforejsinit',document.getElementsByTagName('html')[0],'className',' ');</script><script src='https://eplica-cdn.is/req/jqreq.js'></script><script>window.Req.joinUrl+='v1.14';</script></head><!-- /eplica-no-index --><body><div class="pghead" id="pghead"><div class="wrap"><!-- eplica-no-index --><div class="brand" role="banner"><svg class="logo" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 111.91 43.46"><path fill="#444345" transform="rotate(180 20.14 25.11)" d="M19.36 17.66h2.51v15.26h-2.51z"></path><path fill="#444345" d="M23.69 26.01h2.51v10.9h-2.51zm0-8.71h2.51v6.53h-2.51z"></path><path fill="#444345" transform="rotate(180 30.7 32.745)" d="M29.92 26.39h2.51v13.08h-2.51z"></path><path fill="#444345" d="M34.25 21.66h2.51v15.26h-2.51zm0-4.37h2.51v2.18h-2.51zm-10.56-4.36h2.51v2.18h-2.51z"></path><path fill="#444345" transform="rotate(180 30.7 42.555)" d="M29.92 41.65h2.51v2.18h-2.51z"></path><path fill="#444345" transform="rotate(180 20.14 38.195)" d="M19.36 37.29h2.51v2.18h-2.51z"></path><path class="tagline" fill="#444345" d="M57.9 17.67a3.7 3.7 0 0 1 1.37.23 2.81 2.81 0 0 1 .92.62 2.51 2.51 0 0 1 .51.88 3.12 3.12 0 0 1 0 2 2.42 2.42 0 0 1-.51.88 2.53 2.53 0 0 1-.92.62 3.5 3.5 0 0 1-1.37.24h-2v3.07H54v-8.54zm-.52 4a3.22 3.22 0 0 0 .63-.05 1.51 1.51 0 0 0 .53-.18 1 1 0 0 0 .36-.39 1.63 1.63 0 0 0 0-1.32 1 1 0 0 0-.36-.39 1.52 1.52 0 0 0-.53-.19 4.23 4.23 0 0 0-.63-.05h-1.46v2.6zm10.96-4v1.58h-4.52v1.84H68v1.46h-4.18v2.1h4.62v1.59h-6.51v-8.57zm6.23 0a2.68 2.68 0 0 1 1 .19 2.34 2.34 0 0 1 .79.51 2 2 0 0 1 .5.75 2.31 2.31 0 0 1 .18.91 2.59 2.59 0 0 1-.32 1.31 2 2 0 0 1-1 .84 1.51 1.51 0 0 1 .58.29 1.71 1.71 0 0 1 .37.47 2.75 2.75 0 0 1 .21.59c0 .22.07.43.09.65s0 .3 0 .48a5.54 5.54 0 0 0 .05.56 3 3 0 0 0 .09.55 1.19 1.19 0 0 0 .2.44h-1.86a3.32 3.32 0 0 1-.2-1c0-.38-.06-.74-.11-1.08a1.68 1.68 0 0 0-.4-1 1.4 1.4 0 0 0-1-.31h-1.91v3.35H70v-8.5zm-.67 3.88a1.44 1.44 0 0 0 1-.29 1.23 1.23 0 0 0 .32-.94 1.14 1.14 0 0 0-.32-.9 1.44 1.44 0 0 0-1-.29h-2.07v2.42zm6.39 2.58a1.31 1.31 0 0 0 .42.48 1.66 1.66 0 0 0 .6.28A2.84 2.84 0 0 0 82 25a5.29 5.29 0 0 0 .54 0 2 2 0 0 0 .54-.17 1.14 1.14 0 0 0 .42-.33.82.82 0 0 0 .17-.53.77.77 0 0 0-.22-.56 1.59 1.59 0 0 0-.55-.41 6.62 6.62 0 0 0-.82-.26l-.92-.24a7.32 7.32 0 0 1-.94-.29 3.59 3.59 0 0 1-.82-.45 2.06 2.06 0 0 1-.58-.69 2.08 2.08 0 0 1-.22-1 2.25 2.25 0 0 1 .28-1.15 2.73 2.73 0 0 1 .74-.81 3.48 3.48 0 0 1 1-.48 4.6 4.6 0 0 1 1.15-.15 5.43 5.43 0 0 1 1.29.15 3.23 3.23 0 0 1 1.1.48A2.42 2.42 0 0 1 85 19a2.62 2.62 0 0 1 .29 1.27h-1.88a1.47 1.47 0 0 0-.16-.64 1 1 0 0 0-.37-.4 1.61 1.61 0 0 0-.52-.2 3.16 3.16 0 0 0-.64-.06 2.49 2.49 0 0 0-.46.05 1.15 1.15 0 0 0-.41.17 1.11 1.11 0 0 0-.31.3.9.9 0 0 0 0 .86.87.87 0 0 0 .38.29 5 5 0 0 0 .78.26l1.3.34c.16 0 .38.09.67.17a3.56 3.56 0 0 1 .84.4 2.71 2.71 0 0 1 .73.74 2.13 2.13 0 0 1 .3 1.18 2.67 2.67 0 0 1-.22 1.1 2.58 2.58 0 0 1-.68.87 3.37 3.37 0 0 1-1.12.57 5.48 5.48 0 0 1-1.54.2 5.65 5.65 0 0 1-1.37-.17 3.47 3.47 0 0 1-1.18-.55 2.67 2.67 0 0 1-.81-.95 2.8 2.8 0 0 1-.29-1.37h1.83a1.65 1.65 0 0 0 .13.7zm6.51-3.92a4.26 4.26 0 0 1 .82-1.44 4.06 4.06 0 0 1 1.33-1 4.33 4.33 0 0 1 1.77-.34 4.38 4.38 0 0 1 1.78.34 4 4 0 0 1 1.32 1 4.26 4.26 0 0 1 .82 1.44 5.15 5.15 0 0 1 .29 1.79 5 5 0 0 1-.29 1.75 4.12 4.12 0 0 1-.82 1.41 3.83 3.83 0 0 1-1.32.94 4.38 4.38 0 0 1-1.78.34 4.33 4.33 0 0 1-1.72-.35 3.87 3.87 0 0 1-1.33-.94 4.12 4.12 0 0 1-.82-1.41 5 5 0 0 1-.34-1.74 5.15 5.15 0 0 1 .29-1.79zM88.52 23a2.83 2.83 0 0 0 .4.92 2 2 0 0 0 .72.65 2.46 2.46 0 0 0 2.16 0 2 2 0 0 0 .72-.65 2.63 2.63 0 0 0 .4-.92 4.08 4.08 0 0 0 .13-1 4.34 4.34 0 0 0-.13-1.09 2.65 2.65 0 0 0-.4-.94 1.91 1.91 0 0 0-.72-.66 2.46 2.46 0 0 0-2.16 0 1.91 1.91 0 0 0-.72.66 2.84 2.84 0 0 0-.4.94 4.34 4.34 0 0 0-.13 1.09 4.08 4.08 0 0 0 .13 1zM91 14.78l-1.25 2.12h1.19l2-2.12zm7.33 2.89l3.57 5.75v-5.75h1.76v8.57h-1.88l-3.54-5.74v5.74h-1.78v-8.57zm13.56 7.91a4.7 4.7 0 0 1-5.38 0 3.26 3.26 0 0 1-1-2.59v-5.32h1.89V23a3.82 3.82 0 0 0 .06.68 1.4 1.4 0 0 0 .25.6 1.41 1.41 0 0 0 .53.42 2.34 2.34 0 0 0 .92.16 1.75 1.75 0 0 0 1.39-.45A2.12 2.12 0 0 0 111 23v-5.33h1.88V23a3.22 3.22 0 0 1-.99 2.58zM55.9 37.24l-2.78-8.57h1.94l1.9 6 1.93-6h1.95L58 37.24zm12.34-8.57v1.58h-4.52v1.84h4.15v1.46h-4.15v2.1h4.62v1.59h-6.5v-8.57zm6.23 0a2.64 2.64 0 0 1 1 .19 2.24 2.24 0 0 1 .79.51 2.17 2.17 0 0 1 .51.75A2.49 2.49 0 0 1 77 31a2.59 2.59 0 0 1-.32 1.31 2 2 0 0 1-1 .84 1.38 1.38 0 0 1 .58.29 1.54 1.54 0 0 1 .37.47 2 2 0 0 1 .21.59 3.63 3.63 0 0 1 .09.65v.48a5.46 5.46 0 0 0 0 .56 4.21 4.21 0 0 0 .09.55 1.37 1.37 0 0 0 .2.44h-1.87a3 3 0 0 1-.19-1c0-.38-.06-.74-.11-1.08a1.75 1.75 0 0 0-.41-1 1.4 1.4 0 0 0-1-.31h-1.9v3.35h-1.89v-8.47zm-.67 3.88a1.42 1.42 0 0 0 1-.29 1.19 1.19 0 0 0 .33-.94 1.11 1.11 0 0 0-.33-.9 1.42 1.42 0 0 0-1-.29h-2.06v2.42zm6.83-3.88l3.58 5.75v-5.75H86v8.57h-1.89l-3.57-5.74v5.74h-1.78v-8.57zm10.95 0a4.58 4.58 0 0 1 1.55.26 3.36 3.36 0 0 1 1.23.8 3.66 3.66 0 0 1 .82 1.32 5.42 5.42 0 0 1 .29 1.86 5.86 5.86 0 0 1-.24 1.72 3.81 3.81 0 0 1-.72 1.37 3.37 3.37 0 0 1-1.22.91 4.08 4.08 0 0 1-1.71.33h-3.69v-8.57zm-.13 7a2.34 2.34 0 0 0 .79-.13 1.7 1.7 0 0 0 .69-.44 2.2 2.2 0 0 0 .48-.79 3.53 3.53 0 0 0 .18-1.2 4.6 4.6 0 0 0-.13-1.17 2.33 2.33 0 0 0-.41-.9 1.82 1.82 0 0 0-.76-.57 3.11 3.11 0 0 0-1.17-.2h-1.35v5.4z" transform="translate(-.95 -.37)"></path><path class="hat" d="M3.45 28H1A27.63 27.63 0 0 1 42.27 4L41 6.17A25.13 25.13 0 0 0 3.45 28z" transform="translate(-.95 -.37)" fill="#376db0"></path></svg></div><div class="skiplink"><p> <a href="#content" title="Direct in content" class="withinpage">Content</a> </p><hr></div><!-- /eplica-no-index --></div></div><nav class="pgextra2" id="pgnav"><!-- eplica-no-index --><div class="mnav"
On 13 January 2020, the Data Protection Authority received a complaint from […] (hereinafter the complainant) about the processing of personal information about him by Wedo ehf., Which operates the website Bland.is.
               
 
               
By letter dated November 5, 2020, the Data Protection Authority of Wedo ehf. about the complaint and gave the company an opportunity to comment on it. The answer was by letter dated. 23. sm
              ><div class="boxbody"><ul class="level1"
 
                      ><li class="cat1 branch"> <a href="/einstaklingar/" class="cat1">Individuals</a><ul class="level2"
In resolving this case, the above data has been taken into account, although not all of them are explained separately.
                        ><li class="branch"> <a href="/einstaklingar/spurt-og-svarad/">Questions and answers</a><ul class="level3"
 
                          ><li> <a href="/einstaklingar/spurt-og-svarad/allar-spurningar-og-svor/">All questions and answers</a></li
The handling of the case by the Data Protection Authority has been delayed due to mining.
                          ><li> <a href="/einstaklingar/spurt-og-svarad/rafraen-voktun/">Electronic monitoring</a></li
 
                          ><li> <a href="/einstaklingar/spurt-og-svarad/almennt-um-personuvernd/">In general about privacy</a></li
2.
                          ><li> <a href="/einstaklingar/spurt-og-svarad/retturinn-til-ad-gleymast/">The right to be forgotten</a></li
 
                          ><li> <a href="/einstaklingar/spurt-og-svarad/rettur-til-upplysinga-um-eigin-arfgerd/">Right to information about one&#39;s own genotype</a></li
The complainant's views
                          ><li class=" last"> <a href="/einstaklingar/spurt-og-svarad/hvad-er-vinnsla/">What is processing?</a> </li
 
                        ></ul
The complaint states that when registering on the sales website Bland.is, the complainant had to identify himself with an ID number and a bank account which, according to the complaint, was to be deleted after identification. The complaint states that this information has been used to obtain further information about the complainant, e.g. á m. information about his address and that that information was published with his advertisement on Bland.is. In the complainant's opinion, the personal information was collected without authorization and the complainant was deceived into obtaining it on false pretenses and added to the advertisement without his knowledge.
                        ></li
 
                        ><li class="branch"> <a href="/ny-personuverndarloggjof-2018/">New privacy legislation 2018</a><ul class="level3"
3.
                          ><li> <a href="/ny-personuverndarloggjof-2018/almennt-um-nyju-loggjofina/">In general about the new legislation</a></li
 
                          ><li class=" last"> <a href="/ny-personuverndarloggjof-2018/annad/">Another interesting topic</a> </li
The views of Wedo ehf.
                        ></ul
 
                        ></li
In the answer of Wedo ehf. says that when users identify themselves on the sales page Bland.is, the company looks up the user's address in the national register. This is done in order to better serve the intermediary role that Bland.is plays. This is done by placing the seller's postcode with products that are put up for sale, as it is in the buyer's interest to know where in the country the seller is located, ie. whether the product is located in Garðabær or in the Westman Islands. The company's response refers to its privacy policy, which states that information that the company collects about its users includes contact information, such as information on name, ID number, gender, address, e-mail address and telephone number.
                        ><li class=" last branch"> <a href="/einstaklingar/fraedsluefni/">Educational material</a><ul class="level3"
 
                          ><li class="singlepage pamphlet"> <a href="/einstaklingar/fraedsluefni/baeklingur-personuvernd-barna/">Booklet: Child privacy</a></li
The purpose of collecting contact information is also stated in the privacy policy:
                          ><li class="singlepage pamphlet"> <a href="/einstaklingar/fraedsluefni/baeklingur-einkamal-ungmenna/">Booklet: Youth Private</a></li
 
                          ><li class="singlepage pamphlet"> <a href="/einstaklingar/fraedsluefni/baeklingur-almenningur/">Booklet: The public</a> </li
"We do this in order to be able to deliver products and services to you and to be able to send you notifications (by e-mail or SMS message) in connection with the purchase of goods and offers of goods and services. We collect contact information from you via, telephone, offline (such as calling a customer service center), website or e-mail, or in any other way where you have provided this information voluntarily. "
                        ></ul
 
                        ></li
The company's privacy policy also states in general terms about the purpose of gathering information:
                      ></ul
 
                      ><li class="cat2 branch"> <a href="/fyrirtaeki-og-stjornsysla/" class="cat2">Business and administration</a><ul class="level2"
"To be able to provide you with the services you request, whether it is sending them products to your door or receiving payments and / or in connection with other products and services that we offer or mediate. In other respects to enforce our terms. "
                        ><li class="branch"> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/">Questions and answers</a><ul class="level3"
 
                          ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/allar-spurningar-og-svor/">All questions and answers</a></li
In the answer of Wedo ehf. says that in view of the above, the company has received the user's consent to publish his postal code on the web, but also says that if a user chooses not to provide a postal code, he is in a position to delete the address from user settings.
                          ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/rafraen-voktun/">Electronic monitoring</a></li
 
                          ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/almennt-um-personuvernd/">In general about privacy</a></li
The reply also states that following the complaint, two changes were made to the education of users of the sales website Bland.is. On the one hand, when identifying, users are instructed that the address is looked up when registering and that it is used for convenience in decision-making for both buyers and sellers. However, users will be instructed in the user settings of the website that postcodes will be displayed with advertisements.
                          ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/adgangsrettur/">Right of access</a></li
 
                          ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/abyrgdaradilar-vinnsluadilar-og-vinnslusamningar/">Guarantors, processors and processing agreements</a></li
II.
                          ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/abyrgdarskylda/">Liability</a></li
 
                          ><li class=" last"> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/vinnsluskrar/">Processing files</a></li
Assumptions and conclusion
                        ></ul
 
                        ></li
1.
                        ><li> <a href="/fyrirtaeki-og-stjornsysla/ny-personuverndarloggjof-2018/">New privacy legislation 2018</a></li
 
                        ><li class=" last"> <a href="/fyrirtaeki-og-stjornsysla/fraedsluefni/">Educational material</a> </li
Scope - Responsible party
                      ></ul
 
                      ></li
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act and Art. of the Regulation, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.
                      ><li class="log-og-reglur branch"> <a href="/log-og-reglur/log-um-personuvernd" class="cat3">Law and order</a><ul class="level2"
 
                        ><li> <a href="/log-og-reglur/log-um-personuvernd/">Privacy Act</a></li
Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.
                        ><li> <a href="/log-og-reglur/reglur-og-reglugerdir/">Rules and regulations</a></li
 
                        ><li> <a href="/log-og-reglur/onnur-log/">Other laws</a></li
Processing refers to an operation or series of operations where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.
                        ><li> <a href="/log-og-reglur/adrar-reglur-og-leidbeiningar/">Other rules and guidelines</a></li
 
                        ><li class=" last"> <a href="/log-og-reglur/althjodasamningar-og-evropuloggjof/">International agreements and European legislation</a> </li
This case concerns the collection and publication of information about the complainant on the sales website Bland.is. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.
                      ></ul
 
                      ></li
The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. In the privacy policy published on the website Bland.is, the company Wedo ehf. specified as the responsible party for the personal information processed on the website. As such, Wedo ehf. therefore be responsible for the processing in question.
                      ><li class="cat4 parent branch"> <a href="/urlausnir/" class="cat4">Solutions</a><ul class="level2"
 
                        ><li class="current"> <a href="/urlausnir/">Solutions</a></li
2.
                        ><li> <a href="/adrar-urlausnir/umsagnir/">Reviews</a></li
 
                        ><li> <a href="/adrar-urlausnir/leyfisveitingar/">Licensing</a></li
Legality of processing
                        ><li class=" last"> <a href="/adrar-urlausnir/ymis-bref/">Various letters</a> </li
 
                      ></ul
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679. It may be mentioned that personal data may be processed if a registered individual has given his or her consent for the processing of his or her personal data for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 of the Act and point a of the first paragraph. Article 6 of the Regulation, or if the processing is necessary due to legitimate interests that the responsible party or a third party safeguards, unless the interests and fundamental rights of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 of the Act and item f of the first paragraph. Article 6 of the Regulation. As in this case, in the opinion of the Data Protection Authority, it will not be seen that other processing authorizations according to the aforementioned provision can be considered.
                      ></li
 
                      ><li class="cat5 branch"> <a href="/personuvernd/" class="cat5">Privacy</a><ul class="level2"
According to point 8. Article 3 Act no. 90/2018 and point 11. Paragraph 1 Article 4 of Regulation (EU) 2016/679, consent is considered to be an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, by declaration or unequivocal confirmation, to the processing of personal data about himself. When processing is based on consent, the responsible party shall be able to demonstrate that a registered individual has agreed to the processing of his personal data in accordance with the conditions of the first paragraph. Article 10 Act no. 90/2018, Coll. Article 7 Regulation (EU) 2016/679. If the data subject gives his consent by a written statement, which also concerns other matters, the request for consent shall be presented in such a way that it is easily distinguishable from the other matters, in an understandable and accessible form and a clear and simple matter, cf. Paragraph 2 the same provision as the second paragraph. Article 7 Regulation (EU) 2016/679.
                        ><li> <a href="/personuvernd/hlutverk-personuverndar/">The role of the Data Protection Authority</a></li
 
                        ><li> <a href="/personuvernd/frettir/">News</a></li
Point 32 of the preamble to Regulation (EU) 2016/679 further states that consent should be given by clear confirmation, such as a written declaration, including by electronic means, or an oral declaration, of the existence of an unrestricted, limited, informed and unambiguous the data subject's declaration of intent that he consents to the processing of personal data concerning himself. This may involve checking a box when accessing an Internet site, selecting technical settings for information society services or any other statement or act that clearly indicates in this context that a data subject agrees to the proposed processing of personal data. Silence, boxes that have already been checked or inaction should therefore not constitute consent. In the guidelines of the European Privacy Council no. 5/2020, on approval,issued on the basis of paragraph 1 (e). Article 70 Regulation (EU) 2016/679, this legal interpretation is also reaffirmed.
                        ><li> <a href="/personuvernd/starfsfolk-og-stjorn/" title="Staff and board of the Data Protection Authority" aria-label="Starfsfólk og stjórn Persónuverndar">Staff and management</a></li
 
                        ><li> <a href="/personuvernd/fyrir-fjolmidla/" title="Information for the media" aria-label="Upplýsingar fyrir fjölmiðla">For the media</a></li
On behalf of Wedo ehf. has stated that the company considered itself to be processing personal information about the complainant's address on the basis of consent. In a letter from Wedo ehf. refers, among other things, to the fact that if a user chooses not to provide his / her postal code, he or she can delete the address in the user settings of the sales website. The letter from Wedo ehf. referred to the company's privacy policy, which is referred to above, which states that among the information that the company collects is contact information, such as address. The same paragraph states that contact information is collected from users by telephone, offline (such as calls to customer service centers), websites or e-mails, or in any other way where the person has voluntarily provided that information.
                        ><li> <a href="/personuvernd/beidnir-um-kynningar/">Requests for presentations</a></li
 
                        ><li> <a href="/personuvernd/vidburdir/">Events</a></li
In the opinion of the Data Protection Authority, it will not be considered that the complainant's authorization to remove an address in the user settings on the website fulfills the above-mentioned condition that consent must be granted by action. It will also not be considered that the declaration of approval that Wedo ehf. offers fulfills the conditions for being informed as the company obtained contact information from the National Registry, but the privacy policy states that contact information will be obtained from users, in addition to which the consent was not limited and specified from other processing operations that took place for other purposes. The processing could therefore not be based on point 1. Article 9 Act no. 90/2018 and item a of the first paragraph. Article 6 Regulation (EU) 2016/679.
                        ><li> <a href="/personuvernd/stefna-og-gildi/" title="Privacy Policy and Values" aria-label="Stefna og gildi Persónuverndar">Policy and values</a></li
 
                        ><li class=" last branch"> <a href="/personuvernd/arsskyrslur/">Annual reports</a><ul class="level3"
As is the case here, point 6 comes into consideration in particular. Article 9 of the Act, cf. paragraph 1 (f) Article 6 of the Regulation, to the effect that personal data may be processed, it is necessary to safeguard legitimate interests unless the fundamental rights and freedoms of the data subject are overridden. On behalf of Wedo ehf. has stated that the company considered that the processing of personal information about the complainant was based on his consent. It cannot therefore be considered that the company has specifically assessed the legitimate interests that the company safeguards, whether the processing is necessary in the interests of those interests or how its legitimate interests in the processing in question outweighed the interests of the data subject. As here and the like, the Data Protection Authority does not have grounds for assessing whether the processing fulfills the conditions of the provision,but it can be assumed that the processing authorization in question may be considered following an interest assessment which confirms that the conditions of the provision are met. The Data Protection Authority also reminds us of the second paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 2 Article 5 Regulation (EU) 2016/679, that the responsible party is responsible for complying with the principles of the Act and can demonstrate this.
                          ><li> <a href="/media/arsskyrslur/Arsskyrsla-2016ny.pdf">2016</a></li
 
                          ><li> <a href="/media/arsskyrslur/Arsskyrsla-2015.pdf">2015</a></li
In view of all the above, the Data Protection Authority considers that the acquisition and publication of Wedo ehf. on personal information about the complainant's address, was not permitted according to Article 9. Act no. 90/2018, Coll. Paragraph 1 Article 6 Regulation (EU) 2016/679. The conclusion of the Data Protection Authority is therefore that the processing did not comply with the law and the regulation.
                          ><li> <a href="/media/arsskyrslur/2014.pdf">2014</a></li
 
                          ><li> <a href="/media/arsskyrslur/04_arsskyrsla_2013.pdf">2013</a></li
In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, is hereby submitted to Wedo ehf. to stop the processing of personal information about the address of the users of the sales website Bland.is until the company has sent the Data Protection Authority a description to that effect on the basis of which authority in Article 9. Act no. 90/2018 and the first paragraph. Article 6 of Regulation (EU) 2016/679 the processing takes place and the Data Protection Authority confirms that the processing complies with the provisions of the Act. In this connection, Wedo ehf. instructed that if the processing is to take place on the basis of the consent of the data subject, cf. 1. tölul. Paragraph 1 Article 9 Act no. 90/2018, the data subject must be informed of the processing in question, the approval must be specified from other processing operations and granted by a special operation. If the processing is to take place on the basis of legitimate interests, cf. 6. tölul. of the same provision, Wedo ehf.it is necessary to assess the legitimate interests of the company, whether the processing is necessary in the interests of those interests and whether the company's interests in the processing outweigh the interests or fundamental rights and freedoms of the data subject.
                          ><li> <a href="/media/arsskyrslur/arsskyrsla-2012_loka.pdf">2012</a></li
 
                          ><li> <a href="/media/frettir/Endanleg-profork.pdf">2011</a></li
Confirmation of the above-mentioned suspension of processing shall be received by the Data Protection Authority no later than 24 March 2021.
                          ><li> <a href="/media/frettir/profork-14.09.2011.pdf">2010</a></li
 
                          ><li> <a href="/media/frettir/6_personuv_2010.pdf">2009</a></li
Ruling:
                          ><li> <a href="/media/frettir/arsskyrsla2008.pdf">2008</a></li
 
                          ><li> <a href="/media/frettir/arsskyrsla2007.pdf">2007</a></li
Acquisition of Wedo ehf. on personal information about address […] and the publication of his postal code did not comply with Act no. 90/2018, on personal protection and processing of personal information.
                          ><li> <a href="/media/frettir/arsskyrsla2006.pdf">2006</a></li
 
                          ><li> <a href="/media/frettir/arsskyrsla-2005-pdf.pdf">2005</a></li
Wedo ehf. shall stop the processing of personal information on the addresses of users of the sales website Bland.is and send the Data Protection Authority a confirmation to that effect no later than 24 March 2021. Wedo ehf. is not permitted to resume processing of that information until the Data Protection Authority has confirmed that the processing fulfills the conditions of Act no. 90/2018.
                          ><li> <a href="/media/frettir/arsskyrsla-2004.pdf">2004</a></li
 
                          ><li> <a href="/personuvernd/arsskyrslur/2003/">2003</a></li
In Privacy, March 10, 2021
                          ><li> <a href="/personuvernd/arsskyrslur/2002/">2002</a></li
                          ><li> <a href="/media/frettir/arsskyrsla-2001.pdf">2001</a></li
                          ><li> <a href="/personuvernd/arsskyrslur/2000/">2000</a></li
                          ><li> <a href="/personuvernd/arsskyrslur/1999/">1999</a></li
                          ><li> <a href="/personuvernd/arsskyrslur/1998/">1998</a></li
                          ><li> <a href="/personuvernd/arsskyrslur/1997/">1997</a></li
                          ><li class=" last"> <a href="/personuvernd/arsskyrslur/1996/">1996</a> </li
                        ></ul
                        ></li
                      ></ul
                      ><li class="extras branch"> <a href="/log-og-reglur/log-um-personuvernd" class="cat6">Other content</a><ul class="level2"
                        ><li class="vefkokustefna"> <a href="/upplysingar-um-thig/">Privacy Policy</a></li
                        ><li class="normal"> <a href="/lagalegur-fyrirvari/">Legal notice</a></li
                        ><li> <a href="/adgengismal/">Accessibility issues</a></li
                        ><li> <a href="/thjonustubord-personuverndarloggjafar/">Service desk</a></li
                        ><li class="tw last"> <a href="https://twitter.com/personuvernd">Twitter</a> </li
                      ></ul
                      ></li
                      ><li class="english branch"> <a href="/information-in-english/" class="cat7" title="Information in English" aria-label="Information in English">En</a><ins> glish</ins><ul class="level2"
                        ><li class=" last"> <a href="/information-in-english/decisions/">Decisions in English</a> </li
                      ></ul
                      ></li
                      ><li class="singlepage contactus"> <a href="/hafa-samband/" class="cat8">Contact</a></li
                      ><li class="search"> <a href="/leit" class="cat9">Search</a></li
                      ><li class="tilkynna-brot singlepage branch"> <a href="/tilkynna-oryggisbrest/" class="cat10">Report a security breach</a><ul class="level2"
                        ><li> <a href="/tilkynna-oryggisbrest/tolfraedi/">Statistics</a></li
                        ><li class=" last"> <a href="/tilkynna-oryggisbrest/tolfraedi-2021/">Statistics 2021</a> </li
                    ></ul></li
                ></ul></div></div><hr class="stream" /><!-- /eplica-no-index --><!-- eplica-no-index --><!-- eplica-no-index --><div class="qsearch search ac-search" role="search"><h2 class="boxhead"> Search the web</h2><form class="boxbody" action="/leit" > <span class="fi_txt req"><label for="qstr2">Enter keywords</label><input id="qstr2" name="q" value="" /></span><span class="fi_btn"><input class="submit" type="submit" value="Search" /></span> </form></div><hr class="stream" /><!-- /eplica-no-index --><!-- /eplica-no-index --></nav><div class="pg"><div class="pgwrap"><div class="navbar"><!-- eplica-no-index --><div class="snav"
               
               
              ><div class="boxbody"><ul class="level1"
                      ><li class="cat1 current"> <a href="/urlausnir/" class="cat1">Solutions</a></li
                      ><li class="cat2"> <a href="/adrar-urlausnir/umsagnir/" class="cat2">Reviews</a></li
                      ><li class="cat3"> <a href="/adrar-urlausnir/leyfisveitingar/" class="cat3">Licensing</a></li
                      ><li class="cat4 last"> <a href="/adrar-urlausnir/ymis-bref/" class="cat4">Various letters</a> </li
                ></ul></div></div><hr class="stream" /><!-- /eplica-no-index --></div><main class="pginner" id="content"><div class="pgmain"><div class="wrap"><div class="filters"><!-- eplica-no-index --><!-- eplica-no-index --><div class="psearch ac-search box" role="search"><form class="boxbody" action="/leit"  ><input type="hidden" name="pid" value="1066" data-url="https://www.personuvernd.is/urlausnir/*" /><div class="fi_txt searchstr req"> <label for="qstr">Search for solutions</label> <input id="qstr" name="q" value="" placeholder="Leita í úrlausnum" /></div><div class="f_row datesearch"><div class="fi_txt datefrom"> <label for="datefrom">Year from:</label> <input id="datefrom" type="text" name="datefrom" value="" placeholder="Ár frá" /></div><div class="fi_txt dateto"> <label for="dateto">Year to:</label> <input id="dateto" type="text" name="dateto" value="" placeholder="Ár til" /></div></div><div class="fi_btn"> <button class="submit" type="submit">Search</button> </div></form></div><hr class="stream" /><!-- /eplica-no-index --><!-- /eplica-no-index --></div><!-- eplica-search-index-fields
    SearchType=Article
    title=Vinnsla persónuupplýsinga um  heimilisföng notenda Bland.is
    subtitle=Mál nr.  2020010577
    articlepublisheddate=1616758620000
    eplica-search-index-fields --><!-- eplica-contentid 1-3085-MainContent --><div class="article add-print box" data-aid="3085"><!-- eplica-no-index --><div class="boxhead"> Solutions</div><!-- /eplica-no-index --><div class="boxbody"><h1> Processing of personal information about the addresses of users of Bland.is</h1><h2 class='subtitle'> Case no. 2020010577</h2><!-- eplica-no-index --><p class="meta"> <span class='date'>26.3.2021</span></p><!-- /eplica-no-index --><div class='summary'><p> The Data Protection Authority has ruled in a case where a complaint was made about the processing of information about the complainant&#39;s address by Wedo ehf., The operator of the sales website Bland.is. The responses of the responsible party stated that the processing of personal data would take place on the basis of the complainant&#39;s consent, but in the ruling it was concluded that the conditions of consent had not been met. The conclusion of the Data Protection Authority was that the processing was not in accordance with Act no. 90/2018, on personal protection and the processing of personal information and Wedo ehf. made to stop the processing of personal information about the addresses of users of the sales website.</p></div><h2 align="center"> <strong>Ruling</strong></h2><p><br> On March 10, 2021, the Board of the Data Protection Authority issued a ruling in case no. 2020010577:</p><h3 align="center"> I.</h3><h3 align="center"> Procedure<br><br></h3><h4 align="center"> <em>1.</em></h4><h4 align="center"> <em>Complaint</em></h4><p> On 13 January 2020, the Data Protection Authority received a complaint from […] (hereinafter the complainant) about the processing of personal information about him by Wedo ehf., Which operates the website Bland.is.</p><p> By letter dated November 5, 2020, the Data Protection Authority of Wedo ehf. about the complaint and gave the company an opportunity to comment on it. The answer was by letter dated. 23. sm</p><p> In resolving this case, the above data has been taken into account, although not all of them are explained separately.</p><p> The handling of the case by the Data Protection Authority has been delayed due to mining.</p><h4 align="center"> <em>2.</em></h4><h4 align="center"> <em>The complainant&#39;s views</em></h4><p> The complaint states that when registering on the sales website Bland.is, the complainant had to identify himself with an ID number and a bank account which, according to the complaint, was to be deleted after identification. The complaint states that this information has been used to obtain further information about the complainant, e.g. á m. information about his address and that that information was published with his advertisement on Bland.is. In the complainant&#39;s view, the personal information was collected without authorization and the complainant was deceived into obtaining it on false pretenses and added to the advertisement without his knowledge.</p><h4 align="center"> <em>3.</em></h4><h4 align="center"> <em>The views of Wedo ehf.</em></h4><p> In the answer of Wedo ehf. says that when users identify themselves on the sales page Bland.is, the company looks up the user&#39;s address in the national register. This is done in order to better serve the intermediary role that Bland.is plays. This is done by placing the seller&#39;s postcode with products that are put up for sale, as it is in the buyer&#39;s interest to know where in the country the seller is located, ie. whether the product is located in Garðabær or in the Westman Islands. The company&#39;s response refers to its privacy policy, which states that information that the company collects about its users includes contact information, such as information on name, ID number, gender, address, e-mail address and telephone number.</p><p> The purpose of collecting contact information is also stated in the privacy policy:</p><p> &quot;We do this in order to be able to deliver products and services to you and to be able to send you notifications (by e-mail or SMS message) in connection with the purchase of goods and offers of goods and services. We collect contact information from you via, telephone, offline (such as calling a customer service center), website or e-mail, or in any other way where you have provided this information voluntarily. &quot;</p><p> The company&#39;s privacy policy also states in general terms about the purpose of gathering information:</p><p> &quot;To be able to provide you with the services you request, whether it is sending them products to your door or receiving payments and / or in connection with other products and services that we offer or mediate. In other respects to enforce our terms. &quot;</p><p> In the answer of Wedo ehf. says that in view of the above, the company has received the user&#39;s consent to publish his postal code on the web, but also says that if a user chooses not to provide a postal code, he is in a position to delete the address from user settings.</p><p> The reply also states that following the complaint, two changes were made to the education of users of the sales website Bland.is. On the one hand, when identifying, users are instructed that the address is looked up when registering and that it is used for convenience in decision-making for both buyers and sellers. On the other hand, users are instructed in the user settings of the website that postcodes will be published with advertisements.</p><h3 align="center"> II.</h3><h3 align="center"> Assumptions and conclusion<br><br></h3><h4 align="center"> <em>1.</em></h4><h4 align="center"> <em>Scope - Responsible party</em></h4><p> Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act and Art. of the Regulation, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.</p><p> Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.</p><p> Processing refers to an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.</p><p> This case concerns the collection and publication of information about the complainant on the sales website Bland.is. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.</p><p> The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. In the privacy policy published on the website Bland.is, the company Wedo ehf. specified as the responsible party for the personal information processed on the website. As such, Wedo ehf. therefore be responsible for the processing in question.</p><h4 align="center"> <em>2.</em></h4><h4 align="center"> <a name="_Hlk2759438"><em>Legality of processing</em></a></h4><p> All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679. It may be mentioned that personal data may be processed if a registered individual has given his or her consent for the processing of his or her personal data for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 of the Act and point a of the first paragraph. Article 6 of the Regulation, or if the processing is necessary due to legitimate interests that the responsible party or a third party safeguards, unless the interests and fundamental rights of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 of the Act and item f of the first paragraph. Article 6 of the Regulation. As in this case, in the opinion of the Data Protection Authority, it will not be seen that other processing authorizations according to the aforementioned provision can be considered.</p><p> According to point 8. Article 3 Act no. 90/2018 and point 11. Paragraph 1 Article 4 of Regulation (EU) 2016/679, consent is considered to be an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, by declaration or unequivocal confirmation, to the processing of personal data about himself. When processing is based on consent, the responsible party shall be able to demonstrate that a registered individual has agreed to the processing of his personal data in accordance with the conditions of the first paragraph. Article 10 Act no. 90/2018, Coll. Article 7 Regulation (EU) 2016/679. If the data subject gives his consent by a written statement, which also concerns other matters, the request for consent shall be presented in such a way that it is easily distinguishable from the other matters, in an understandable and accessible form and a clear and simple matter, cf. Paragraph 2 the same provision as the second paragraph. Article 7 Regulation (EU) 2016/679.</p><p> Point 32 of the preamble to Regulation (EU) 2016/679 further states that consent should be given by clear confirmation, such as a written declaration, including by electronic means, or an oral declaration, of the existence of an unrestricted, demarcated, informed and unambiguous the data subject&#39;s declaration of intent that he consents to the processing of personal data concerning himself. This may involve checking a box when accessing an Internet site, selecting technical settings for information society services or any other statement or act that clearly indicates in this context that a data subject agrees to the proposed processing of personal data. Silence, boxes that have already been checked or inaction should therefore not constitute consent. In the guidelines of the European Privacy Council no. 5/2020, on approvals issued on the basis of item e of the first paragraph. Article 70 Regulation (EU) 2016/679, this legal interpretation is also reaffirmed.</p><p> On behalf of Wedo ehf. has stated that the company considered itself to be processing personal information about the complainant&#39;s address on the basis of consent. In a letter from Wedo ehf. refers, among other things, to the fact that if a user chooses not to provide his / her postal code, he or she can delete the address in the user settings of the sales website. The letter from Wedo ehf. referred to the company&#39;s privacy policy, which is referred to above, which states that among the information the company collects is contact information, such as address. The same paragraph states that contact information is collected from users by telephone, offline (such as through customer service calls), websites or e-mails, or in any other way where the person has voluntarily provided that information.</p><p> In the opinion of the Data Protection Authority, it will not be considered that the complainant&#39;s authorization to remove an address in the user settings on the website fulfills the above-mentioned condition that consent must be granted by action. It will also not be considered that the declaration of approval that Wedo ehf. offers fulfills the conditions for being informed as the company obtained contact information from the National Registry, but the privacy policy states that contact information will be obtained from users, in addition to which the consent was not limited and specified from other processing operations that took place for other purposes. The processing could therefore not be based on point 1. Article 9 Act no. 90/2018 and item a of the first paragraph. Article 6 Regulation (EU) 2016/679.</p><p> As is the case here, point 6 comes into consideration in particular. Article 9 of the Act, cf. paragraph 1 (f) Article 6 of the Regulation, to the effect that personal data may be processed, it is necessary to safeguard legitimate interests unless the fundamental rights and freedoms of the data subject are overridden. On behalf of Wedo ehf. has stated that the company considered that the processing of personal information about the complainant was based on his consent. It cannot therefore be considered that the company has specifically assessed the legitimate interests that the company safeguards, whether the processing is necessary in the interests of those interests or how its legitimate interests in the processing in question outweighed the interests of the data subject. As here and the like, the Data Protection Authority does not have grounds for assessing whether the processing fulfills the conditions of the provision, but it can be assumed that the processing authorization in question can be considered after an interest assessment confirming that the conditions of the provision are met. The Data Protection Authority also reminds us of the second paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 2 Article 5 of Regulation (EU) 2016/679, that the responsible party is responsible for complying with the principles of the Act and can demonstrate this.</p><p> In view of all the above, the Data Protection Authority considers that the acquisition and publication of Wedo ehf. on personal information about the complainant&#39;s address, was not permitted according to Article 9. Act no. 90/2018, Coll. Paragraph 1 Article 6 Regulation (EU) 2016/679. The conclusion of the Data Protection Authority is therefore that the processing did not comply with the law and the regulation.</p><p> In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, is hereby submitted to Wedo ehf. to stop the processing of personal information about the address of the users of the sales website Bland.is until the company has sent the Data Protection Authority a description to that effect on the basis of which authority in Article 9. Act no. 90/2018 and the first paragraph. Article 6 of Regulation (EU) 2016/679 the processing takes place and the Data Protection Authority confirms that the processing complies with the provisions of the Act. In this connection, Wedo ehf. instructed that if the processing is to take place on the basis of the consent of the data subject, cf. 1. tölul. Paragraph 1 Article 9 Act no. 90/2018, the data subject must be informed of the processing in question, the approval must be specified from other processing operations and granted by a special operation. If the processing is to take place on the basis of legitimate interests, cf. 6. tölul. of the same provision, Wedo ehf. it is necessary to assess the legitimate interests of the company, whether the processing is necessary in the interests of those interests and whether the company&#39;s interests in the processing outweigh the interests or fundamental rights and freedoms of the data subject.</p><p> Confirmation of the above-mentioned suspension of processing shall be received by the Data Protection Authority no later than 24 March 2021.</p><h2 align="center"> Ruling:</h2><p> Acquisition of Wedo ehf. on personal information about address […] and the publication of his postal code did not comply with Act no. 90/2018, on personal protection and processing of personal information.</p><p> Wedo ehf. shall stop the processing of personal information on the addresses of users of the sales website Bland.is and send the Data Protection Authority a confirmation to that effect no later than 24 March 2021. Wedo ehf. is not permitted to resume processing of that information until the Data Protection Authority has confirmed that the processing fulfills the conditions of Act no. 90/2018.<br><br></p><p align="center"> In Privacy, March 10, 2021</p><p align="center"><br> Ólafur Garðarsson<br> acting chairman<br><br></p><p align="center"> Björn Geirsson Vilhelmína Haraldsdóttir<br><br></p><p align="center"> Þorvarður Kári Ólafsson </p></div></div><hr class="stream" /><!-- eplica-no-index --><div class="breadcrumbs" role="navigation" aria-labelledby="crumbs260302603"><div> <strong id="crumbs260302603">You are here</strong> <a href="/" class='home'>Home</a> <i>»</i> <a href="/urlausnir/">Solutions</a> <i>»</i> <b class="current"><a href="/urlausnir/">Solutions</a></b> </div></div><hr class="stream" /><!-- /eplica-no-index --></div></div><div class="pgbottom"><!-- eplica-no-index --><p class="didithelp" aria-labelledby="helpful265502502"> <span class="didithelp__question" id="helpful265502502">Was the material helpful?</span> <a class="didithelp__answer didithelp__answer--yay button minor yay" role="button" href="#" data-thankstext="Gott að vita. Takk!">Yes</a> <a class="didithelp__answer didithelp__answer--nay button minor nay" href="/hvad-tharf-ad-laga">No</a> </p><!-- /eplica-no-index --></div></main></div><footer class="pgfoot"><div class="wrap"><!-- eplica-no-index --><div class="footer" role="contentinfo"><div class="info"><div class="brand"><svg class="logo" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 41.27 43.43"><path d="M18.36 17.27h2.51v15.26h-2.51zm5.28 8.71h2.51v10.9h-2.51zm0-8.71h2.51v6.53h-2.51zm5.28 8.72h2.51v13.08h-2.51zm5.28-4.36h2.51v15.26H34.2zm0-4.37h2.51v2.18H34.2zM23.64 12.9h2.51v2.18h-2.51zm5.28 28.35h2.51v2.18h-2.51zm-10.56-4.36h2.51v2.18h-2.51z" fill="#ffffff"/><path d="M2.45 27.6H0a27.63 27.63 0 0 1 41.27-24L40 5.77A25.13 25.13 0 0 0 2.45 27.6z" fill="#ffffff"/></svg></div><div class="about"><h3> The role of the Data Protection Authority</h3><p> The Data Protection Authority monitors compliance with laws and other rules on the processing of personal data and the correction of deficiencies and mistakes.</p></div></div><div class="contact"><div class="loc"><h3> Office</h3><p> Rauðarárstígur 10, 105 Reykjavík, Iceland<br> Open at 9-12 and 13-15<br> Lawyers&#39; phone hours are at 10-12 Tuesdays and Thursdays<br> <span>Phone <a href="tel:+3545109600" class="tel">510 9600</a> <i>•</i></span> <span>Email <strong>address [at] personuvernd.is</strong> <i>•</i></span> <span>Id. <strong>560800-2820</strong></span> </p></div><!--        <form class="subscr" method="get" name="formMailingListRegistration" action="/postlisti">
          <input id="id_1" name="SubscriptionType" value="1" type="hidden">
          <div class="fi_txt fi_email req">
            <input id="s_email" name="VIS_Email" value="" placeholder="Skráðu þig á póstlistann" type="email">
          </div>
          <p class="note"><abbr class="req" title="Ath: ">*</abbr> Við notum netfangið þitt til að senda þér fréttir tengdar persónuvernd</p>
          <div class="fi_btn"><button type="submit">Skrá</button></div>
        </form> --></div></div><!-- /eplica-no-index --><!-- eplica-no-index --><div class="fnav"
               
               
              ><div class="boxbody"><ul class="level1"
                      ><li class="vefkokustefna"> <a href="/upplysingar-um-thig/" class="cat1">Privacy Policy</a></li
                      ><li class="normal"> <a href="/lagalegur-fyrirvari/" class="cat2">Legal notice</a></li
                      ><li class="cat3"> <a href="/adgengismal/" class="cat3">Accessibility issues</a></li
                      ><li class="cat4"> <a href="/thjonustubord-personuverndarloggjafar/" class="cat4">Service desk</a></li
                      ><li class="tw last"> <a href="https://twitter.com/personuvernd" class="cat5">Twitter</a> </li
                ></ul></div></div><hr class="stream" /><!-- /eplica-no-index --></div></footer></div><script async src='/skin/v2/pub/main.js?v1.14'></script><script type="text/javascript">
/*<![CDATA[*/
(function() {
if (! /(?:^|;\s*)cookie=1/.test(document.cookie)) { return; } // consent-check
var sz = document.createElement('script');
sz.type = 'text/javascript';
sz.async = true;
sz.src = '//siteimproveanalytics.com/js/siteanalyze_6103423.js';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(sz, s);
})();
/*]]>*/
</script></body></html>
</pre>
</pre>

Latest revision as of 16:21, 13 April 2021

Persónuvernd - 2020010577
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(a) GDPR
Article 7 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.03.2021
Published: 26.03.2021
Fine: None
Parties: Bland.is
Wedo ehf.
National Case Number/Name: 2020010577
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA ordered an operator of a sale website to stop the processing of users' personal data. According to the DPA, the consent was not sufficiently informed.

English Summary

Facts

The complainant stated that when registering on the sales website Bland.is, he had to identify himself with an ID number and a bank account which was to be deleted after identification. However, this information had been used to obtain further information about the complainant, including his address. It was later published on his advertisement on Bland.is. In the complainant's view, the personal information was collected without his authorization. He was deceived into consenting to it under false pretenses and added to the advertisement without his knowledge.

Wedo, an operator of the website, replied that when users identify themselves on Bland.is, the company looks up the user's address in the national register. The company considered itself to be processing personal information about the complainant's address on the basis of consent.

Dispute

Was the consent informed enough?

Holding

In the opinion of the DPA, the complainant's authorization to remove an address in the user settings on the website does not fulfill conditions of the consent under Article 7 GDPR. The declaration of approval offered by the controller does not provide enough information. Contrary to the privacy policy that stated that contact information will be obtained from users, the company obtained it from the National Registry. The processing did not comply with Article 6(1)(a) GDPR.

In accordance with this conclusion, the DPA ordered the controller to stop the processing of personal information about the address of the Bland.is users until the company sends the DPA an explanation on which basis the processing took place and the DPA confirms that the processing complies with the provisions of the law.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Ruling

On March 10, 2021, the Board of the Data Protection Authority issued a ruling in case no. 2020010577:

I.

Procedure

1.

Complaint

On 13 January 2020, the Data Protection Authority received a complaint from […] (hereinafter the complainant) about the processing of personal information about him by Wedo ehf., Which operates the website Bland.is.

By letter dated November 5, 2020, the Data Protection Authority of Wedo ehf. about the complaint and gave the company an opportunity to comment on it. The answer was by letter dated. 23. sm

In resolving this case, the above data has been taken into account, although not all of them are explained separately.

The handling of the case by the Data Protection Authority has been delayed due to mining.

2.

The complainant's views

The complaint states that when registering on the sales website Bland.is, the complainant had to identify himself with an ID number and a bank account which, according to the complaint, was to be deleted after identification. The complaint states that this information has been used to obtain further information about the complainant, e.g. á m. information about his address and that that information was published with his advertisement on Bland.is. In the complainant's opinion, the personal information was collected without authorization and the complainant was deceived into obtaining it on false pretenses and added to the advertisement without his knowledge.

3.

The views of Wedo ehf.

In the answer of Wedo ehf. says that when users identify themselves on the sales page Bland.is, the company looks up the user's address in the national register. This is done in order to better serve the intermediary role that Bland.is plays. This is done by placing the seller's postcode with products that are put up for sale, as it is in the buyer's interest to know where in the country the seller is located, ie. whether the product is located in Garðabær or in the Westman Islands. The company's response refers to its privacy policy, which states that information that the company collects about its users includes contact information, such as information on name, ID number, gender, address, e-mail address and telephone number.

The purpose of collecting contact information is also stated in the privacy policy:

"We do this in order to be able to deliver products and services to you and to be able to send you notifications (by e-mail or SMS message) in connection with the purchase of goods and offers of goods and services. We collect contact information from you via, telephone, offline (such as calling a customer service center), website or e-mail, or in any other way where you have provided this information voluntarily. "

The company's privacy policy also states in general terms about the purpose of gathering information:

"To be able to provide you with the services you request, whether it is sending them products to your door or receiving payments and / or in connection with other products and services that we offer or mediate. In other respects to enforce our terms. "

In the answer of Wedo ehf. says that in view of the above, the company has received the user's consent to publish his postal code on the web, but also says that if a user chooses not to provide a postal code, he is in a position to delete the address from user settings.

The reply also states that following the complaint, two changes were made to the education of users of the sales website Bland.is. On the one hand, when identifying, users are instructed that the address is looked up when registering and that it is used for convenience in decision-making for both buyers and sellers. However, users will be instructed in the user settings of the website that postcodes will be displayed with advertisements.

II.

Assumptions and conclusion

1.

Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act and Art. of the Regulation, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an operation or series of operations where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns the collection and publication of information about the complainant on the sales website Bland.is. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. In the privacy policy published on the website Bland.is, the company Wedo ehf. specified as the responsible party for the personal information processed on the website. As such, Wedo ehf. therefore be responsible for the processing in question.

2.

Legality of processing

All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018 and Article 6. Regulation (EU) 2016/679. It may be mentioned that personal data may be processed if a registered individual has given his or her consent for the processing of his or her personal data for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 of the Act and point a of the first paragraph. Article 6 of the Regulation, or if the processing is necessary due to legitimate interests that the responsible party or a third party safeguards, unless the interests and fundamental rights of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 of the Act and item f of the first paragraph. Article 6 of the Regulation. As in this case, in the opinion of the Data Protection Authority, it will not be seen that other processing authorizations according to the aforementioned provision can be considered.

According to point 8. Article 3 Act no. 90/2018 and point 11. Paragraph 1 Article 4 of Regulation (EU) 2016/679, consent is considered to be an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, by declaration or unequivocal confirmation, to the processing of personal data about himself. When processing is based on consent, the responsible party shall be able to demonstrate that a registered individual has agreed to the processing of his personal data in accordance with the conditions of the first paragraph. Article 10 Act no. 90/2018, Coll. Article 7 Regulation (EU) 2016/679. If the data subject gives his consent by a written statement, which also concerns other matters, the request for consent shall be presented in such a way that it is easily distinguishable from the other matters, in an understandable and accessible form and a clear and simple matter, cf. Paragraph 2 the same provision as the second paragraph. Article 7 Regulation (EU) 2016/679.

Point 32 of the preamble to Regulation (EU) 2016/679 further states that consent should be given by clear confirmation, such as a written declaration, including by electronic means, or an oral declaration, of the existence of an unrestricted, limited, informed and unambiguous the data subject's declaration of intent that he consents to the processing of personal data concerning himself. This may involve checking a box when accessing an Internet site, selecting technical settings for information society services or any other statement or act that clearly indicates in this context that a data subject agrees to the proposed processing of personal data. Silence, boxes that have already been checked or inaction should therefore not constitute consent. In the guidelines of the European Privacy Council no. 5/2020, on approval,issued on the basis of paragraph 1 (e). Article 70 Regulation (EU) 2016/679, this legal interpretation is also reaffirmed.

On behalf of Wedo ehf. has stated that the company considered itself to be processing personal information about the complainant's address on the basis of consent. In a letter from Wedo ehf. refers, among other things, to the fact that if a user chooses not to provide his / her postal code, he or she can delete the address in the user settings of the sales website. The letter from Wedo ehf. referred to the company's privacy policy, which is referred to above, which states that among the information that the company collects is contact information, such as address. The same paragraph states that contact information is collected from users by telephone, offline (such as calls to customer service centers), websites or e-mails, or in any other way where the person has voluntarily provided that information.

In the opinion of the Data Protection Authority, it will not be considered that the complainant's authorization to remove an address in the user settings on the website fulfills the above-mentioned condition that consent must be granted by action. It will also not be considered that the declaration of approval that Wedo ehf. offers fulfills the conditions for being informed as the company obtained contact information from the National Registry, but the privacy policy states that contact information will be obtained from users, in addition to which the consent was not limited and specified from other processing operations that took place for other purposes. The processing could therefore not be based on point 1. Article 9 Act no. 90/2018 and item a of the first paragraph. Article 6 Regulation (EU) 2016/679.

As is the case here, point 6 comes into consideration in particular. Article 9 of the Act, cf. paragraph 1 (f) Article 6 of the Regulation, to the effect that personal data may be processed, it is necessary to safeguard legitimate interests unless the fundamental rights and freedoms of the data subject are overridden. On behalf of Wedo ehf. has stated that the company considered that the processing of personal information about the complainant was based on his consent. It cannot therefore be considered that the company has specifically assessed the legitimate interests that the company safeguards, whether the processing is necessary in the interests of those interests or how its legitimate interests in the processing in question outweighed the interests of the data subject. As here and the like, the Data Protection Authority does not have grounds for assessing whether the processing fulfills the conditions of the provision,but it can be assumed that the processing authorization in question may be considered following an interest assessment which confirms that the conditions of the provision are met. The Data Protection Authority also reminds us of the second paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 2 Article 5 Regulation (EU) 2016/679, that the responsible party is responsible for complying with the principles of the Act and can demonstrate this.

In view of all the above, the Data Protection Authority considers that the acquisition and publication of Wedo ehf. on personal information about the complainant's address, was not permitted according to Article 9. Act no. 90/2018, Coll. Paragraph 1 Article 6 Regulation (EU) 2016/679. The conclusion of the Data Protection Authority is therefore that the processing did not comply with the law and the regulation.

In accordance with this conclusion, and with reference to points 6 and 7. Article 42 Act no. 90/2018, is hereby submitted to Wedo ehf. to stop the processing of personal information about the address of the users of the sales website Bland.is until the company has sent the Data Protection Authority a description to that effect on the basis of which authority in Article 9. Act no. 90/2018 and the first paragraph. Article 6 of Regulation (EU) 2016/679 the processing takes place and the Data Protection Authority confirms that the processing complies with the provisions of the Act. In this connection, Wedo ehf. instructed that if the processing is to take place on the basis of the consent of the data subject, cf. 1. tölul. Paragraph 1 Article 9 Act no. 90/2018, the data subject must be informed of the processing in question, the approval must be specified from other processing operations and granted by a special operation. If the processing is to take place on the basis of legitimate interests, cf. 6. tölul. of the same provision, Wedo ehf.it is necessary to assess the legitimate interests of the company, whether the processing is necessary in the interests of those interests and whether the company's interests in the processing outweigh the interests or fundamental rights and freedoms of the data subject.

Confirmation of the above-mentioned suspension of processing shall be received by the Data Protection Authority no later than 24 March 2021.

Ruling:

Acquisition of Wedo ehf. on personal information about address […] and the publication of his postal code did not comply with Act no. 90/2018, on personal protection and processing of personal information.

Wedo ehf. shall stop the processing of personal information on the addresses of users of the sales website Bland.is and send the Data Protection Authority a confirmation to that effect no later than 24 March 2021. Wedo ehf. is not permitted to resume processing of that information until the Data Protection Authority has confirmed that the processing fulfills the conditions of Act no. 90/2018.

In Privacy, March 10, 2021