Personal data may not be passed on to third parties without further ado. This also applies to commercial e-mails. For example, companies must take care not to disclose customer data in their email traffic in such a way that other customers can obtain it. This is illustrated by two cases.
[ttt-galelry-image]
Case 1: Fine for an openly readable email distribution list
The employee of a retail company had sent an email to customers that was ten pages long when printed out. Nine and a half pages contained the recipients’ email addresses and half a page informed the reader that their request would be processed promptly. Some customers were not thrilled because their names were recognizable in the e-mail address.
Complaints were made to the Bavarian State Office for Data Protection, which imposed a fine. Verdict: The e-mail addresses are personal data. These may only be passed on to third parties with consent or on a legal basis. The fine was imposed in view of the large number of addresses. The addresses are only invisible if they are entered in the “BCC” field (BCC = “Blind Carbon Copy”).
If they are entered in the “To” or “CC” field, anyone can see the other recipient addresses – and this is not permitted. The BayLDA announced that it would impose further fines in similar cases – not only against the employee responsible, but also against the respective company management due to inadequate instruction.
(Bavarian State Office for Data Protection Supervision, press release dated June 28, 2013)
Case 2: Use of data from previous customers
If a customer has terminated the cooperation, their address may not simply continue to be used to send them advertising from the company. This is the result of a ruling by the Higher Regional Court of Karlsruhe. The case concerned an electricity provider that had found out that some of its customers had switched providers as a result of a competitor terminating their contract. These customers then received advertising with a direct comparison of the tariffs of both providers and a request to switch back.
Verdict: The court considered this to be an inadmissible use of personal data within the meaning of the Data Protection Act and a breach of competition law that could lead to a warning letter. The people in question are no longer customers of the first electricity provider. The latter was therefore not allowed to use their address data for individual advertising letters without their consent.
(Karlsruhe Higher Regional Court, judgment of May 9, 2012, Ref. 6 U 38/11)
Source: D.A.S. legal expenses insurance, image: Rock1997/wikipedia.org