Persónuvernd - 2020010673
From GDPRhub
| Persónuvernd - 2020010673 | |
|---|---|
 | |
| Authority: | Persónuvernd (Iceland) |
| Jurisdiction: | Iceland |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 6(1)(f) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 27.10.2020 |
| Published: | 24.11.2020 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2020010673 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Icelandic |
| Original Source: | Persónuvernd (in IS) |
| Initial Contributor: | n/a |
The Icelandic DPA (Persónuvernd) held that a controller breached the GDPR by not conducting a legitimate interest assessment and by not substantiating how its interest outweighed those of the data subject in the context of direct marketing communications.
English Summary
Facts
The complainant had a subscription with the controller for a magazine, which he cancelled. Several years after terminating the subscription, he was called by the company and asked whether he would like a new subscription.
The data subject claims complained to the DPA that the controller acted in breach of the GDPR by contacting him for marketing purposes when he had already cancelled his subscription years before.
Dispute
Did the data controller breach the GDPR by storing the contact details of the former subscriber for years after cancelling the subscription, and by contacting him for marketing purposes (offering a new subscription)?
Holding
The Persónuvernd first ruled out the possibility of the processing being based on consent in this case. With regards to legitimate interest (Article 6(1)(f)), the DPA held that the temporarily storing the name and telephone number of former customers can be considered to be carried out in the interests of the company's legitimate interests.
However, the controller did not conduct a legitimate interest assessment to establish the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the DPA considered that the processing in question was not in accordance with the GDPR.
Furthermore, the DPA held that the controller breached the principles enshrined in Articles 5(1)(a), (b), (c), and (e), especially in light of storing the data for several years after the cancellation of the subscription.
Finally, the The DPA emphasised that the controller did not take special measures to delete the personal data of older subscribers on a regular basis.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science) Case no. 2020010673 24.11.2020 The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information in connection with marketing by Elísa Guðrún ehf. (Living Science). The ruling concludes that the preservation and use of Elísa Guðrún ehf. (Living Science) on the personal information of the complainant did not comply with Act no. 90/2018 and Regulation (EU) 2016/679. Ruling On October 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010673 (formerly 2019091811): I. Procedure 1. Outline of case On September 27, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as "the complainant"), dated September 23, 2019. The complainant claims to have received a phone call from Elísa Guðrún ehf., Which publishes the journal Lifandi vísindi. It was a marketing call where he was offered a presentation and a subscription to a magazine. By letter dated October 22, 2019, reiterated by letters dated. 17 December 2019 and 18 June 2020, Elísa Guðrún ehf. (hereafter Living Sciences) invited to provide explanations regarding the complaint. Two emails were answered on July 14, 2020. By letter dated On 20 July 2020, the complainant was given an opportunity to comment on the above explanations of Living Sciences. The answer was sent by e-mail on August 7, 2020. All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling. 2. The complainant's views The complainant claimed to have turned down an offer of a new subscription, in a call he received from Living Sciences, but he was abroad when he was called and the relationship was poor. He subsequently received a magazine sent home and a claim to an online bank. The complainant had contacted the magazine's office and said he was not interested in paying the claim. He also asked why he had been contacted. The complainant's answers were that they were calling old subscribers and offering them a new subscription. The complainant considers that by doing so, Lifandi vísindi has violated the provisions of the Act on Personal Data Protection and the Processing of Personal Data. The complainant wants to find out whether the magazine is authorized to own and store information about subscribers, many years back in time. 3. The views of the responsible party Lifandi vísinda's response states that the company is on the phone all year round and calls people who have been subscribers before, but that those who are on a banned list are cleared of lists that are called after. It says that the company has considered it okay to call former subscribers, but will stop if it is not okay. II. Assumptions and conclusion 1. Scope - Responsible party Scope of Act no. 90/2018, on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file. Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation. Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation. This case concerns the processing of personal information about the complainant by Living Sciences in connection with marketing. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority. The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Elísa Guðrún ehf. (Living Science) be responsible for the processing in question. 2. Legality of processing All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. The sources that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 that processing is necessary to fulfill a contract to which the data subject is a party, cf. 2. tölul. Article 9 or that processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, cf. 6. tölul. same articles. In this case, it is tested whether Lifandi vísindum was allowed to retain information about the complainant's name and telephone number, after he had canceled his subscription and use it later in the direct marketing of new subscription channels. In particular, in the implementation of the Data Protection Authority, it has been considered that direct marketing can be based on either the consent of the data subject or that it is necessary due to the legitimate interests of the party responsible for the marketing. In this case, it is not clear that the data subject has given his consent to the processing in question and the processing will therefore not be considered to have been permitted on that basis. It is then examined whether the company had a legitimate interest in directing marketing to it. It is generally considered that three conditions must be met in order for personal information to be processed on the basis of point 6. Paragraph 1 Article 9 Act no. 90/2018, Coll. paragraph 1 (f) Article 6 of the Regulation. First, processing must be carried out in the interests of the legitimate interests of the controller or a third party who has access to the personal information. Secondly, it is required that the processing is necessary in the interests of them. Thirdly, the interests and fundamental rights of the data subject that require the protection of personal data must not outweigh the interests of others in the processing. In the opinion of the Data Protection Authority, temporary storage of information on the names and telephone numbers of former customers can be considered to take place in the interests of the company's legitimate interests. From the explanations of Living Sciences, however, it can be concluded that no assessment has been made of the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the Data Protection Authority considers that the processing in question was not in accordance with Act no. 90/2018. In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (paragraph 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); that they are preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5). The complainant has stated that although several years have passed since he canceled his subscription to Living Sciences and has therefore not been challenged by the responsible party. The Data Protection Authority does not consider it possible to rule out that after the end of a business relationship, it can be assumed for some time that individual aspects of the relationship or individual accounts and other related legal instruments may be tried. However, such storage shall not be for an indefinite period, unless otherwise provided by law. The guarantor has not stated that he has taken special measures to delete information on older subscribers on a regular basis and it will therefore not be considered that the processing was in accordance with the above-mentioned point of the provision. From r k e r ð a r o r ð: Preservation and use of Elísa Guðrún ehf. (Living Science) personal information [A] in connection with marketing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679. In Privacy, October 27, 2020 Helga Þórisdóttir Helga Sigríður Þórhallsdóttir
