|
|
| Line 87: |
Line 87: |
|
| |
|
| <pre> | | <pre> |
| <!DOCTYPE html><!-- eplica-no-index --><html class=" onecol" xmlns="http://www.w3.org/1999/xhtml" lang="is"><head><meta charset="utf-8" /><meta name="generator" content="Eplica CMS - www.eplica.is" /><meta name="HandheldFriendly" content="true" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="format-detection" content="telephone=no"><title> Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science) | Solutions | Privacy. Your information, your privacy. </title><meta property="og:site_name" content="Persónuvernd. Þínar upplýsingar, þitt einkalíf." /><link rel="shortcut icon" href="/skin/v2/pub/i/fav.png" /><link rel="canonical" href="https://www.personuvernd.is/urlausnir/urskurdur-um-vinnslu-personuupplysinga-af-halfu-elisu-gudrunar-ehf.-lifandi-visinda" /><script>if(self!=top){var ö=document.documentElement;ö.style.display='none !important';try{top.location.replace(location)}catch(e){setTimeout(function(){ö.innerHTML=''},500)}}</script><link rel="stylesheet" href="/skin/v2/pub/main.css?v1.14" /><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| Eplica web management system
| |
| Eplica 3 : (4 @ 1040f32)
| |
| Tags [release/4.7.1]
| |
| Project Version (master@f4c8981)
| |
| License Eplica ISP hosted solution
| |
| eplica-is-1.hugsmidjan.is::
| |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| Hugsmiðjan ehf.
| |
| Tel. +354 550-0900
| |
| info@eplica.is
| |
| www.eplica.is
| |
| Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science) | | Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science) |
| Case no. 2020010673 | | Case no. 2020010673 |
| | |
| 24.11.2020 | | 24.11.2020 |
| The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information in connection with marketing by Elísa Guðrún ehf. (Living Science). The ruling concludes that the preservation and use of Elísa Guðrún ehf. (Living Science) on the personal information of the complainant did not comply with Act no. 90/2018 and Regulation (EU) 2016/679. | | |
| | The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information in connection with marketing by Elísa Guðrún ehf. (Living Science). The ruling concludes that the preservation and use of Elísa Guðrún ehf. (Living Science) on the personal information of the complainant did not comply with Act no. 90/2018 and Regulation (EU) 2016/679. |
|
| |
|
| Ruling | | Ruling |
| | |
|
| |
|
| On October 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010673 (formerly 2019091811): | | On October 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010673 (formerly 2019091811): |
|
| |
|
| I. | | I. |
| | |
| Procedure | | Procedure |
| | |
|
| |
|
| 1. | | 1. |
| | |
| Outline of case | | Outline of case |
| | |
| On September 27, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as "the complainant"), dated September 23, 2019. The complainant claims to have received a phone call from Elísa Guðrún ehf., Which publishes the journal Lifandi vísindi. It was a marketing call where he was offered a presentation and a subscription to a magazine. | | On September 27, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as "the complainant"), dated September 23, 2019. The complainant claims to have received a phone call from Elísa Guðrún ehf., Which publishes the journal Lifandi vísindi. It was a marketing call where he was offered a presentation and a subscription to a magazine. |
|
| |
|
| Line 122: |
Line 117: |
|
| |
|
| 2. | | 2. |
| | |
| The complainant's views | | The complainant's views |
| The complainant claimed to have refused an offer of a new subscription, in a call he received from Living Sciences, but he was abroad when he was called and the relationship was poor.
| |
|
| |
|
| He subsequently received a magazine sent home and a claim to an online bank. The complainant had contacted the magazine's office and said he was not interested in paying the claim. He also asked why he had been contacted. The complainant's answers were that they were calling old subscribers and offering them a new subscription. The complainant considers that by doing so, Lifandi vísindi has violated the provisions of the Act on Personal Data Protection and the Processing of Personal Data. The complainant wants to find out whether the magazine has the right to own and store information about subscribers, many years back in time. | | The complainant claimed to have turned down an offer of a new subscription, in a call he received from Living Sciences, but he was abroad when he was called and the relationship was poor. |
| | |
| | He subsequently received a magazine sent home and a claim to an online bank. The complainant had contacted the magazine's office and said he was not interested in paying the claim. He also asked why he had been contacted. The complainant's answers were that they were calling old subscribers and offering them a new subscription. The complainant considers that by doing so, Lifandi vísindi has violated the provisions of the Act on Personal Data Protection and the Processing of Personal Data. The complainant wants to find out whether the magazine is authorized to own and store information about subscribers, many years back in time. |
|
| |
|
| 3. | | 3. |
| | |
| The views of the responsible party | | The views of the responsible party |
| Lifandi vísinda's response states that the company is on the phone all year round and calls people who have been subscribers before, but that those who are on a ban list are cleared of lists that are called after. | | |
| | Lifandi vísinda's response states that the company is on the phone all year round and calls people who have been subscribers before, but that those who are on a banned list are cleared of lists that are called after. |
|
| |
|
| It says that the company has considered it okay to call former subscribers, but will stop if it is not okay. | | It says that the company has considered it okay to call former subscribers, but will stop if it is not okay. |
|
| |
|
| II. | | II. |
| | |
| Assumptions and conclusion | | Assumptions and conclusion |
| | |
|
| |
|
| 1. | | 1. |
| | |
| Scope - Responsible party | | Scope - Responsible party |
| | |
| Scope of Act no. 90/2018, on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file. | | Scope of Act no. 90/2018, on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file. |
|
| |
|
| Line 149: |
Line 152: |
|
| |
|
| 2. | | 2. |
| | |
| Legality of processing | | Legality of processing |
| All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. The sources that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 that processing is necessary to fulfill a contract to which the data subject is a party, cf. 2. tölul. Article 9 or that processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, cf. 6. tölul. same articles. | | |
| | All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. The sources that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 that processing is necessary to fulfill a contract to which the data subject is a party, cf. 2. tölul. Article 9 or that processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, cf. 6. tölul. same articles. |
|
| |
|
| In this case, it is tested whether Lifandi vísindum was allowed to retain information about the complainant's name and telephone number, after he had canceled his subscription and use it later in the direct marketing of new subscription channels. | | In this case, it is tested whether Lifandi vísindum was allowed to retain information about the complainant's name and telephone number, after he had canceled his subscription and use it later in the direct marketing of new subscription channels. |
|
| |
|
| In particular, in the implementation of the Data Protection Authority, it has been considered that direct marketing can be based on either the consent of the data subject or that it is necessary due to the legitimate interests of the party responsible for the marketing. In this case, it is not clear that the data subject has given his consent to the processing in question and the processing will therefore not be considered to have been permitted on that basis. It is then examined whether the company had a legitimate interest in directing marketing to it. It is generally considered that three conditions must be met in order for personal information to be processed on the basis of point 6. Paragraph 1 Article 9 Act no. 90/2018, Coll. paragraph 1 (f) Article 6 of the Regulation. First, processing must be carried out in the interests of the legitimate interests of the responsible party or a third party who has access to the personal information. Secondly, it is required that the processing is necessary in the interests of them. Thirdly, the interests and fundamental rights of the data subject that require the protection of personal data must not outweigh the interests of others in the processing. | | In particular, in the implementation of the Data Protection Authority, it has been considered that direct marketing can be based on either the consent of the data subject or that it is necessary due to the legitimate interests of the party responsible for the marketing. In this case, it is not clear that the data subject has given his consent to the processing in question and the processing will therefore not be considered to have been permitted on that basis. It is then examined whether the company had a legitimate interest in directing marketing to it. It is generally considered that three conditions must be met in order for personal information to be processed on the basis of point 6. Paragraph 1 Article 9 Act no. 90/2018, Coll. paragraph 1 (f) Article 6 of the Regulation. First, processing must be carried out in the interests of the legitimate interests of the controller or a third party who has access to the personal information. Secondly, it is required that the processing is necessary in the interests of them. Thirdly, the interests and fundamental rights of the data subject that require the protection of personal data must not outweigh the interests of others in the processing. |
|
| |
|
| In the opinion of the Data Protection Authority, temporary storage of information on the name and telephone number of former customers can be considered to be carried out in the interests of the company's legitimate interests. From the explanations of Living Sciences, however, it can be concluded that no assessment has been made of the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the Data Protection Authority considers that the processing in question was not in accordance with Act no. 90/2018. | | In the opinion of the Data Protection Authority, temporary storage of information on the names and telephone numbers of former customers can be considered to take place in the interests of the company's legitimate interests. From the explanations of Living Sciences, however, it can be concluded that no assessment has been made of the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the Data Protection Authority considers that the processing in question was not in accordance with Act no. 90/2018. |
|
| |
|
| In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); that they are preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5). | | In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (paragraph 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); that they are preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5). |
|
| |
|
| The complainant has stated that although several years have passed since he terminated his subscription to Living Sciences and has therefore not been challenged by the responsible party. | | The complainant has stated that although several years have passed since he canceled his subscription to Living Sciences and has therefore not been challenged by the responsible party. |
|
| |
|
| The Data Protection Authority does not consider it possible to rule out that after the end of a business relationship, it can be assumed for some time that individual aspects of the relationship or individual accounts and other related legal instruments may be tried. However, such storage shall not be for an indefinite period, unless otherwise provided by law. The guarantor has not stated that he has taken special measures to delete information on older subscribers on a regular basis and it will therefore not be considered that the processing was in accordance with the above-mentioned point of the provision. | | The Data Protection Authority does not consider it possible to rule out that after the end of a business relationship, it can be assumed for some time that individual aspects of the relationship or individual accounts and other related legal instruments may be tried. However, such storage shall not be for an indefinite period, unless otherwise provided by law. The guarantor has not stated that he has taken special measures to delete information on older subscribers on a regular basis and it will therefore not be considered that the processing was in accordance with the above-mentioned point of the provision. |
| Line 166: |
Line 171: |
|
| |
|
|
| |
|
| Ú r s k u r ð a r o r ð:
| | From r k e r ð a r o r ð: |
| | |
| Preservation and use of Elísa Guðrún ehf. (Living Science) personal information [A] in connection with marketing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679. | | Preservation and use of Elísa Guðrún ehf. (Living Science) personal information [A] in connection with marketing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679. |
|
| |
|
| Line 174: |
Line 180: |
|
| |
|
|
| |
|
| Helga Þórisdóttir Helga Sigríður Þórhallsdóttir | | Helga Þórisdóttir Helga Sigríður Þórhallsdóttir |
|
| |
| ><div class="boxbody"><ul class="level1"
| |
| ><li class="cat1 branch"> <a href="/einstaklingar/" class="cat1">Individuals</a><ul class="level2"
| |
| ><li class="branch"> <a href="/einstaklingar/spurt-og-svarad/">Questions and answers</a><ul class="level3"
| |
| ><li> <a href="/einstaklingar/spurt-og-svarad/allar-spurningar-og-svor/">All questions and answers</a></li
| |
| ><li> <a href="/einstaklingar/spurt-og-svarad/rafraen-voktun/">Electronic monitoring</a></li
| |
| ><li> <a href="/einstaklingar/spurt-og-svarad/almennt-um-personuvernd/">In general about privacy</a></li
| |
| ><li> <a href="/einstaklingar/spurt-og-svarad/retturinn-til-ad-gleymast/">The right to be forgotten</a></li
| |
| ><li> <a href="/einstaklingar/spurt-og-svarad/rettur-til-upplysinga-um-eigin-arfgerd/">Right to information about one's own genotype</a></li
| |
| ><li class=" last"> <a href="/einstaklingar/spurt-og-svarad/hvad-er-vinnsla/">What is processing?</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class="branch"> <a href="/ny-personuverndarloggjof-2018/">New privacy legislation 2018</a><ul class="level3"
| |
| ><li> <a href="/ny-personuverndarloggjof-2018/almennt-um-nyju-loggjofina/">In general about the new legislation</a></li
| |
| ><li class=" last"> <a href="/ny-personuverndarloggjof-2018/annad/">Another interesting topic</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class=" last branch"> <a href="/einstaklingar/fraedsluefni/">Educational material</a><ul class="level3"
| |
| ><li class="singlepage pamphlet"> <a href="/einstaklingar/fraedsluefni/baeklingur-personuvernd-barna/">Booklet: Child privacy</a></li
| |
| ><li class="singlepage pamphlet"> <a href="/einstaklingar/fraedsluefni/baeklingur-einkamal-ungmenna/">Booklet: Youth Private</a></li
| |
| ><li class="singlepage pamphlet"> <a href="/einstaklingar/fraedsluefni/baeklingur-almenningur/">Booklet: The public</a> </li
| |
| ></ul
| |
| ></li
| |
| ></ul
| |
| ><li class="cat2 branch"> <a href="/fyrirtaeki-og-stjornsysla/" class="cat2">Business and administration</a><ul class="level2"
| |
| ><li class="branch"> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/">Questions and answers</a><ul class="level3"
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/allar-spurningar-og-svor/">All questions and answers</a></li
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/rafraen-voktun/">Electronic monitoring</a></li
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/almennt-um-personuvernd/">In general about privacy</a></li
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/adgangsrettur/">Right of access</a></li
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/abyrgdaradilar-vinnsluadilar-og-vinnslusamningar/">Guarantors, processors and processing agreements</a></li
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/abyrgdarskylda/">Liability</a></li
| |
| ><li class=" last"> <a href="/fyrirtaeki-og-stjornsysla/spurt-og-svarad/vinnsluskrar/">Processing files</a></li
| |
| ></ul
| |
| ></li
| |
| ><li> <a href="/fyrirtaeki-og-stjornsysla/ny-personuverndarloggjof-2018/">New privacy legislation 2018</a></li
| |
| ><li class=" last"> <a href="/fyrirtaeki-og-stjornsysla/fraedsluefni/">Educational material</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class="log-og-reglur branch"> <a href="/log-og-reglur/log-um-personuvernd" class="cat3">Law and order</a><ul class="level2"
| |
| ><li> <a href="/log-og-reglur/log-um-personuvernd/">Privacy Act</a></li
| |
| ><li> <a href="/log-og-reglur/reglur-og-reglugerdir/">Rules and regulations</a></li
| |
| ><li> <a href="/log-og-reglur/onnur-log/">Other laws</a></li
| |
| ><li> <a href="/log-og-reglur/adrar-reglur-og-leidbeiningar/">Other rules and guidelines</a></li
| |
| ><li class=" last"> <a href="/log-og-reglur/althjodasamningar-og-evropuloggjof/">International agreements and European legislation</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class="cat4 parent branch"> <a href="/urlausnir/" class="cat4">Solutions</a><ul class="level2"
| |
| ><li class="current"> <a href="/urlausnir/">Solutions</a></li
| |
| ><li> <a href="/adrar-urlausnir/umsagnir/">Reviews</a></li
| |
| ><li> <a href="/adrar-urlausnir/leyfisveitingar/">Licensing</a></li
| |
| ><li class=" last"> <a href="/adrar-urlausnir/ymis-bref/">Various letters</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class="cat5 branch"> <a href="/personuvernd/" class="cat5">Privacy</a><ul class="level2"
| |
| ><li> <a href="/personuvernd/hlutverk-personuverndar/">The role of the Data Protection Authority</a></li
| |
| ><li> <a href="/personuvernd/frettir/">News</a></li
| |
| ><li> <a href="/personuvernd/starfsfolk-og-stjorn/" title="Staff and board of the Data Protection Authority" aria-label="Starfsfólk og stjórn Persónuverndar">Staff and management</a></li
| |
| ><li> <a href="/personuvernd/fyrir-fjolmidla/" title="Information for the media" aria-label="Upplýsingar fyrir fjölmiðla">For the media</a></li
| |
| ><li> <a href="/personuvernd/beidnir-um-kynningar/">Requests for presentations</a></li
| |
| ><li> <a href="/personuvernd/vidburdir/">Events</a></li
| |
| ><li> <a href="/personuvernd/stefna-og-gildi/" title="Privacy Policy and Values" aria-label="Stefna og gildi Persónuverndar">Policy and values</a></li
| |
| ><li class=" last branch"> <a href="/personuvernd/arsskyrslur/">Annual reports</a><ul class="level3"
| |
| ><li> <a href="/media/arsskyrslur/Arsskyrsla-2016ny.pdf">2016</a></li
| |
| ><li> <a href="/media/arsskyrslur/Arsskyrsla-2015.pdf">2015</a></li
| |
| ><li> <a href="/media/arsskyrslur/2014.pdf">2014</a></li
| |
| ><li> <a href="/media/arsskyrslur/04_arsskyrsla_2013.pdf">2013</a></li
| |
| ><li> <a href="/media/arsskyrslur/arsskyrsla-2012_loka.pdf">2012</a></li
| |
| ><li> <a href="/media/frettir/Endanleg-profork.pdf">2011</a></li
| |
| ><li> <a href="/media/frettir/profork-14.09.2011.pdf">2010</a></li
| |
| ><li> <a href="/media/frettir/6_personuv_2010.pdf">2009</a></li
| |
| ><li> <a href="/media/frettir/arsskyrsla2008.pdf">2008</a></li
| |
| ><li> <a href="/media/frettir/arsskyrsla2007.pdf">2007</a></li
| |
| ><li> <a href="/media/frettir/arsskyrsla2006.pdf">2006</a></li
| |
| ><li> <a href="/media/frettir/arsskyrsla-2005-pdf.pdf">2005</a></li
| |
| ><li> <a href="/media/frettir/arsskyrsla-2004.pdf">2004</a></li
| |
| ><li> <a href="/personuvernd/arsskyrslur/2003/">2003</a></li
| |
| ><li> <a href="/personuvernd/arsskyrslur/2002/">2002</a></li
| |
| ><li> <a href="/media/frettir/arsskyrsla-2001.pdf">2001</a></li
| |
| ><li> <a href="/personuvernd/arsskyrslur/2000/">2000</a></li
| |
| ><li> <a href="/personuvernd/arsskyrslur/1999/">1999</a></li
| |
| ><li> <a href="/personuvernd/arsskyrslur/1998/">1998</a></li
| |
| ><li> <a href="/personuvernd/arsskyrslur/1997/">1997</a></li
| |
| ><li class=" last"> <a href="/personuvernd/arsskyrslur/1996/">1996</a> </li
| |
| ></ul
| |
| ></li
| |
| ></ul
| |
| ><li class="extras branch"> <a href="/log-og-reglur/log-um-personuvernd" class="cat6">Other content</a><ul class="level2"
| |
| ><li class="vefkokustefna"> <a href="/upplysingar-um-thig/">Privacy Policy</a></li
| |
| ><li class="normal"> <a href="/lagalegur-fyrirvari/">Legal notice</a></li
| |
| ><li> <a href="/adgengismal/">Accessibility issues</a></li
| |
| ><li> <a href="/thjonustubord-personuverndarloggjafar/">Service desk</a></li
| |
| ><li class="tw last"> <a href="https://twitter.com/personuvernd">Twitter</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class="english branch"> <a href="/information-in-english/" class="cat7" title="Information in English" aria-label="Information in English">En</a><ins> glish</ins><ul class="level2"
| |
| ><li class=" last"> <a href="/information-in-english/decisions/">Decisions in English</a> </li
| |
| ></ul
| |
| ></li
| |
| ><li class="singlepage contactus"> <a href="/hafa-samband/" class="cat8">Contact</a></li
| |
| ><li class="search"> <a href="/leit" class="cat9">Search</a></li
| |
| ><li class="tilkynna-brot singlepage"> <a href="/tilkynna-oryggisbrest/" class="cat10">Report a security breach</a> </li
| |
| ></ul></div></div><hr class="stream" /><!-- /eplica-no-index --><!-- eplica-no-index --><!-- eplica-no-index --><div class="qsearch search ac-search" role="search"><h2 class="boxhead"> Search the web</h2><form class="boxbody" action="/leit" > <span class="fi_txt req"><label for="qstr2">Enter keywords</label><input id="qstr2" name="q" value="" /></span><span class="fi_btn"><input class="submit" type="submit" value="Search" /></span> </form></div><hr class="stream" /><!-- /eplica-no-index --><!-- /eplica-no-index --></nav><div class="pg"><div class="pgwrap"><div class="navbar"><!-- eplica-no-index --><div class="snav"
| |
|
| |
|
| |
| ><div class="boxbody"><ul class="level1"
| |
| ><li class="cat1 current"> <a href="/urlausnir/" class="cat1">Solutions</a></li
| |
| ><li class="cat2"> <a href="/adrar-urlausnir/umsagnir/" class="cat2">Reviews</a></li
| |
| ><li class="cat3"> <a href="/adrar-urlausnir/leyfisveitingar/" class="cat3">Licensing</a></li
| |
| ><li class="cat4 last"> <a href="/adrar-urlausnir/ymis-bref/" class="cat4">Various letters</a> </li
| |
| ></ul></div></div><hr class="stream" /><!-- /eplica-no-index --></div><main class="pginner" id="content"><div class="pgmain"><div class="wrap"><div class="filters"><!-- eplica-no-index --><!-- eplica-no-index --><div class="psearch ac-search box" role="search"><form class="boxbody" action="/leit" ><input type="hidden" name="pid" value="1066" data-url="https://www.personuvernd.is/urlausnir/*" /><div class="fi_txt searchstr req"> <label for="qstr">Search for solutions</label> <input id="qstr" name="q" value="" placeholder="Leita í úrlausnum" /></div><div class="f_row datesearch"><div class="fi_txt datefrom"> <label for="datefrom">Year from:</label> <input id="datefrom" type="text" name="datefrom" value="" placeholder="Ár frá" /></div><div class="fi_txt dateto"> <label for="dateto">Year to:</label> <input id="dateto" type="text" name="dateto" value="" placeholder="Ár til" /></div></div><div class="fi_btn"> <button class="submit" type="submit">Search</button> </div></form></div><hr class="stream" /><!-- /eplica-no-index --><!-- /eplica-no-index --></div><!-- eplica-search-index-fields
| |
| SearchType=Article
| |
| title=Úrskurður um vinnslu persónuupplýsinga af hálfu Elísu Guðrúnar ehf. (Lifandi vísinda)
| |
| subtitle=Mál nr. 2020010673
| |
| articlepublisheddate=1606230300000
| |
| eplica-search-index-fields --><!-- eplica-contentid 1-2999-MainContent --><div class="article add-print box" data-aid="2999"><!-- eplica-no-index --><div class="boxhead"> Solutions</div><!-- /eplica-no-index --><div class="boxbody"><h1> Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science)</h1><h2 class='subtitle'> Case no. 2020010673</h2><!-- eplica-no-index --><p class="meta"> <span class='date'>24.11.2020</span></p><!-- /eplica-no-index --><div class='summary'><p> The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information in connection with marketing by Elísa Guðrún ehf. (Living Science). The ruling concludes that the preservation and use of Elísa Guðrún ehf. (Living Science) on the personal information of the complainant did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.</p></div><h2 align="center"> <strong>Ruling</strong></h2><p><br> On October 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010673 (formerly 2019091811):</p><h3 align="center"> I.</h3><h3 align="center"> Procedure<br><br></h3><h4 align="center"> <em>1.</em></h4><h4 align="center"> <em>Outline of case</em></h4><p> On September 27, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as "the complainant"), dated September 23, 2019. The complainant claims to have received a phone call from Elísa Guðrún ehf., Which publishes the journal Lifandi vísindi. It was a marketing call where he was offered a presentation and a subscription to a magazine.</p><p> By letter dated October 22, 2019, reiterated by letters dated. 17 December 2019 and 18 June 2020, Elísa Guðrún ehf. (hereafter Living Sciences) invited to provide explanations regarding the complaint. Two emails were answered on July 14, 2020.</p><p> By letter dated On 20 July 2020, the complainant was given an opportunity to comment on the above explanations of Living Sciences. The answer was sent by e-mail on August 7, 2020.</p><p> All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.</p><h4 align="center"> <em>2.</em></h4><h4 align="center"> <em>The complainant's views</em></h4><p> The complainant claimed to have turned down an offer of a new subscription, in a call he received from Living Sciences, but he was abroad when he was called and the relationship was poor.</p><p> He subsequently received a magazine sent home and a claim to an online bank. The complainant had contacted the magazine's office and said he was not interested in paying the claim. He also asked why he had been contacted. The complainant's answers were that they were calling old subscribers and offering them a new subscription. The complainant considers that by doing so, Lifandi vísindi has violated the provisions of the Act on Personal Data Protection and the Processing of Personal Data. The complainant wants to find out whether the magazine has the right to own and store information about subscribers, many years back.</p><h4 align="center"> <em>3.</em></h4><h4 align="center"> <em>The views of the responsible party</em></h4><p> Lifandi vísinda's response states that the company is on the phone all year round and calls people who have been subscribers before, but that those who are on a banned list are cleared of lists that are called after.</p><p> It says that the company has considered it okay to call former subscribers, but will stop if it is not okay.</p><h3 align="center"> II.</h3><h3 align="center"> Assumptions and conclusion<br><br></h3><h4 align="center"> <em>1.</em></h4><h4 align="center"> <em>Scope - Responsible party</em></h4><p> Scope of Act no. 90/2018, on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.</p><p> Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.</p><p> Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.</p><p> This case concerns the processing of personal information about the complainant by Living Sciences in connection with marketing. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.</p><p> The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Elísa Guðrún ehf. (Living Science) be responsible for the processing in question.</p><h4 align="center"> <em>2.</em></h4><h4 align="center"> <a name="_Hlk2759438"><em>Legality of processing</em></a></h4><p> All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. The sources that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 that processing is necessary to fulfill a contract to which the data subject is a party, cf. 2. tölul. Article 9 or that processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, cf. 6. tölul. same articles.</p><p> In this case, it is tested whether Lifandi vísindum was allowed to retain information about the complainant's name and telephone number, after he had canceled his subscription and use it later in the direct marketing of new subscription channels.</p><p> In particular, in the implementation of the Data Protection Authority, it has been considered that direct marketing can be based on either the consent of the data subject or that it is necessary due to the legitimate interests of the party responsible for the marketing. In this case, it is not clear that the data subject has given his consent to the processing in question and the processing will therefore not be considered to have been permitted on that basis. It is then examined whether the company had a legitimate interest in directing marketing to it. It is generally considered that three conditions must be met in order for personal information to be processed on the basis of point 6. Paragraph 1 Article 9 Act no. 90/2018, Coll. paragraph 1 (f) Article 6 of the Regulation. First, processing must be carried out in the interests of the legitimate interests of the responsible party or a third party who has access to the personal information. Secondly, it is required that the processing is necessary in the interests of them. Thirdly, the interests and fundamental rights of the data subject that require the protection of personal data must not outweigh the interests of others in the processing.</p><p> In the opinion of the Data Protection Authority, temporary storage of information on the name and telephone number of former customers can be considered to be carried out in the interests of the company's legitimate interests. From the explanations of Living Sciences, however, it can be concluded that no assessment has been made of the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the Data Protection Authority considers that the processing in question was not in accordance with Act no. 90/2018.</p><p> In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); that they are preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5).</p><p> The complainant has stated that although several years have passed since he terminated his subscription to Living Sciences and has therefore not been challenged by the responsible party.</p><p> The Data Protection Authority does not consider it possible to rule out that after the end of a business relationship, it can be assumed for some time that individual aspects of the relationship or individual accounts and other related legal instruments may be tried. However, such storage shall not be for an indefinite period, unless otherwise provided by law. The guarantor has not stated that he has taken special measures to delete information on older subscribers on a regular basis and it will therefore not be considered that the processing was in accordance with the above-mentioned point of the provision.</p><p><br></p><h2 align="center"> Ruling:</h2><p> Preservation and use of Elísa Guðrún ehf. (Living Science) personal information [A] in connection with marketing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679.<br><br></p><p align="center"> In Privacy, October 27, 2020</p><p align="center"><br></p><p align="center"> Helga Þórisdóttir Helga Sigríður Þórhallsdóttir </p></div></div><hr class="stream" /><!-- eplica-no-index --><div class="breadcrumbs" role="navigation" aria-labelledby="crumbs54107295"><div> <strong id="crumbs54107295">You are here</strong> <a href="/" class='home'>Home</a> <i>»</i> <a href="/urlausnir/">Solutions</a> <i>»</i> <b class="current"><a href="/urlausnir/">Solutions</a></b> </div></div><hr class="stream" /><!-- /eplica-no-index --></div></div><div class="pgbottom"><!-- eplica-no-index --><p class="didithelp" aria-labelledby="helpful04535693"> <span class="didithelp__question" id="helpful04535693">Was the material helpful?</span> <a class="didithelp__answer didithelp__answer--yay button minor yay" role="button" href="#" data-thankstext="Gott að vita. Takk!">Yes</a> <a class="didithelp__answer didithelp__answer--nay button minor nay" href="/hvad-tharf-ad-laga">No</a> </p><!-- /eplica-no-index --></div></main></div><footer class="pgfoot"><div class="wrap"><!-- eplica-no-index --><div class="footer" role="contentinfo"><div class="info"><div class="brand"><svg class="logo" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 41.27 43.43"><path d="M18.36 17.27h2.51v15.26h-2.51zm5.28 8.71h2.51v10.9h-2.51zm0-8.71h2.51v6.53h-2.51zm5.28 8.72h2.51v13.08h-2.51zm5.28-4.36h2.51v15.26H34.2zm0-4.37h2.51v2.18H34.2zM23.64 12.9h2.51v2.18h-2.51zm5.28 28.35h2.51v2.18h-2.51zm-10.56-4.36h2.51v2.18h-2.51z" fill="#ffffff"/><path d="M2.45 27.6H0a27.63 27.63 0 0 1 41.27-24L40 5.77A25.13 25.13 0 0 0 2.45 27.6z" fill="#ffffff"/></svg></div><div class="about"><h3> The role of the Data Protection Authority</h3><p> The Data Protection Authority monitors compliance with laws and other rules on the processing of personal data and the correction of deficiencies and mistakes.</p></div></div><div class="contact"><div class="loc"><h3> Office</h3><p> Rauðarárstígur 10, 105 Reykjavík, Iceland<br> Open at 9-12 and 13-15<br> Lawyers' phone hours are at 10-12 Tuesdays and Thursdays<br> <span>Phone <a href="tel:+3545109600" class="tel">510 9600</a> <i>•</i></span> <span>Email <strong>address [at] personuvernd.is</strong> <i>•</i></span> <span>Id. <strong>560800-2820</strong></span> </p></div><!-- <form class="subscr" method="get" name="formMailingListRegistration" action="/postlisti">
| |
| <input id="id_1" name="SubscriptionType" value="1" type="hidden">
| |
| <div class="fi_txt fi_email req">
| |
| <input id="s_email" name="VIS_Email" value="" placeholder="Skráðu þig á póstlistann" type="email">
| |
| </div>
| |
| <p class="note"><abbr class="req" title="Ath: ">*</abbr> Við notum netfangið þitt til að senda þér fréttir tengdar persónuvernd</p>
| |
| <div class="fi_btn"><button type="submit">Skrá</button></div>
| |
| </form> --></div></div><!-- /eplica-no-index --><!-- eplica-no-index --><div class="fnav"
| |
|
| |
|
| |
| ><div class="boxbody"><ul class="level1"
| |
| ><li class="vefkokustefna"> <a href="/upplysingar-um-thig/" class="cat1">Privacy Policy</a></li
| |
| ><li class="normal"> <a href="/lagalegur-fyrirvari/" class="cat2">Legal notice</a></li
| |
| ><li class="cat3"> <a href="/adgengismal/" class="cat3">Accessibility issues</a></li
| |
| ><li class="cat4"> <a href="/thjonustubord-personuverndarloggjafar/" class="cat4">Service desk</a></li
| |
| ><li class="tw last"> <a href="https://twitter.com/personuvernd" class="cat5">Twitter</a> </li
| |
| ></ul></div></div><hr class="stream" /><!-- /eplica-no-index --></div></footer></div><script async src='/skin/v2/pub/main.js?v1.14'></script><script type="text/javascript">
| |
| /*<![CDATA[*/
| |
| (function() {
| |
| if (! /(?:^|;\s*)cookie=1/.test(document.cookie)) { return; } // consent-check
| |
| var sz = document.createElement('script');
| |
| sz.type = 'text/javascript';
| |
| sz.async = true;
| |
| sz.src = '//siteimproveanalytics.com/js/siteanalyze_6103423.js';
| |
| var s = document.getElementsByTagName('script')[0];
| |
| s.parentNode.insertBefore(sz, s);
| |
| })();
| |
| /*]]>*/
| |
| </script></body></html>
| |
| </pre> | | </pre> |
The Icelandic DPA (Persónuvernd) held that a controller breached the GDPR by not conducting a legitimate interest assessment and by not substantiating how its interest outweighed those of the data subject in the context of direct marketing communications.
English Summary
Facts
The complainant had a subscription with the controller for a magazine, which he cancelled. Several years after terminating the subscription, he was called by the company and asked whether he would like a new subscription.
The data subject claims complained to the DPA that the controller acted in breach of the GDPR by contacting him for marketing purposes when he had already cancelled his subscription years before.
Dispute
Did the data controller breach the GDPR by storing the contact details of the former subscriber for years after cancelling the subscription, and by contacting him for marketing purposes (offering a new subscription)?
Holding
The Persónuvernd first ruled out the possibility of the processing being based on consent in this case. With regards to legitimate interest (Article 6(1)(f)), the DPA held that the temporarily storing the name and telephone number of former customers can be considered to be carried out in the interests of the company's legitimate interests.
However, the controller did not conduct a legitimate interest assessment to establish the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the DPA considered that the processing in question was not in accordance with the GDPR.
Furthermore, the DPA held that the controller breached the principles enshrined in Articles 5(1)(a), (b), (c), and (e), especially in light of storing the data for several years after the cancellation of the subscription.
Finally, the The DPA emphasised that the controller did not take special measures to delete the personal data of older subscribers on a regular basis.
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science)
Case no. 2020010673
24.11.2020
The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information in connection with marketing by Elísa Guðrún ehf. (Living Science). The ruling concludes that the preservation and use of Elísa Guðrún ehf. (Living Science) on the personal information of the complainant did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.
Ruling
On October 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010673 (formerly 2019091811):
I.
Procedure
1.
Outline of case
On September 27, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as "the complainant"), dated September 23, 2019. The complainant claims to have received a phone call from Elísa Guðrún ehf., Which publishes the journal Lifandi vísindi. It was a marketing call where he was offered a presentation and a subscription to a magazine.
By letter dated October 22, 2019, reiterated by letters dated. 17 December 2019 and 18 June 2020, Elísa Guðrún ehf. (hereafter Living Sciences) invited to provide explanations regarding the complaint. Two emails were answered on July 14, 2020.
By letter dated On 20 July 2020, the complainant was given an opportunity to comment on the above explanations of Living Sciences. The answer was sent by e-mail on August 7, 2020.
All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.
2.
The complainant's views
The complainant claimed to have turned down an offer of a new subscription, in a call he received from Living Sciences, but he was abroad when he was called and the relationship was poor.
He subsequently received a magazine sent home and a claim to an online bank. The complainant had contacted the magazine's office and said he was not interested in paying the claim. He also asked why he had been contacted. The complainant's answers were that they were calling old subscribers and offering them a new subscription. The complainant considers that by doing so, Lifandi vísindi has violated the provisions of the Act on Personal Data Protection and the Processing of Personal Data. The complainant wants to find out whether the magazine is authorized to own and store information about subscribers, many years back in time.
3.
The views of the responsible party
Lifandi vísinda's response states that the company is on the phone all year round and calls people who have been subscribers before, but that those who are on a banned list are cleared of lists that are called after.
It says that the company has considered it okay to call former subscribers, but will stop if it is not okay.
II.
Assumptions and conclusion
1.
Scope - Responsible party
Scope of Act no. 90/2018, on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.
Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.
Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.
This case concerns the processing of personal information about the complainant by Living Sciences in connection with marketing. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.
The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Elísa Guðrún ehf. (Living Science) be responsible for the processing in question.
2.
Legality of processing
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. The sources that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 that processing is necessary to fulfill a contract to which the data subject is a party, cf. 2. tölul. Article 9 or that processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, cf. 6. tölul. same articles.
In this case, it is tested whether Lifandi vísindum was allowed to retain information about the complainant's name and telephone number, after he had canceled his subscription and use it later in the direct marketing of new subscription channels.
In particular, in the implementation of the Data Protection Authority, it has been considered that direct marketing can be based on either the consent of the data subject or that it is necessary due to the legitimate interests of the party responsible for the marketing. In this case, it is not clear that the data subject has given his consent to the processing in question and the processing will therefore not be considered to have been permitted on that basis. It is then examined whether the company had a legitimate interest in directing marketing to it. It is generally considered that three conditions must be met in order for personal information to be processed on the basis of point 6. Paragraph 1 Article 9 Act no. 90/2018, Coll. paragraph 1 (f) Article 6 of the Regulation. First, processing must be carried out in the interests of the legitimate interests of the controller or a third party who has access to the personal information. Secondly, it is required that the processing is necessary in the interests of them. Thirdly, the interests and fundamental rights of the data subject that require the protection of personal data must not outweigh the interests of others in the processing.
In the opinion of the Data Protection Authority, temporary storage of information on the names and telephone numbers of former customers can be considered to take place in the interests of the company's legitimate interests. From the explanations of Living Sciences, however, it can be concluded that no assessment has been made of the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the Data Protection Authority considers that the processing in question was not in accordance with Act no. 90/2018.
In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (paragraph 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); that they are preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5).
The complainant has stated that although several years have passed since he canceled his subscription to Living Sciences and has therefore not been challenged by the responsible party.
The Data Protection Authority does not consider it possible to rule out that after the end of a business relationship, it can be assumed for some time that individual aspects of the relationship or individual accounts and other related legal instruments may be tried. However, such storage shall not be for an indefinite period, unless otherwise provided by law. The guarantor has not stated that he has taken special measures to delete information on older subscribers on a regular basis and it will therefore not be considered that the processing was in accordance with the above-mentioned point of the provision.
From r k e r ð a r o r ð:
Preservation and use of Elísa Guðrún ehf. (Living Science) personal information [A] in connection with marketing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679.
In Privacy, October 27, 2020
Helga Þórisdóttir Helga Sigríður Þórhallsdóttir
