Take-Aways (AI)
  • On October 9, 2019, the Austrian data protection authority ruled that a double opt-in is mandatory for online dating registrations in accordance with Art. 32 GDPR.
  • The platform allowed limited use without a confirmed double opt-in, with repeated prompts every 3–5 minutes.
  • Unknown persons created profiles with the email of a minor; the DPA found inadequate data security measures under Art. 32 GDPR.
  • The DPA did not conclusively clarify under which circumstances double opt-in is generally required (advertising vs. service/contract situation).

In a decision of October 9, 2019 (DSB-D130.073/0008-DSB/2019), the Austrian Data Protection Authority (DPA) determined that, under Art. 32 GDPR (data security), a double opt-in procedure is mandatory for registrations on an online dating platform.

Registration and limited use of the platform were possible without double opt-in:

It is correct that after registering and explicitly confirming their age and place of residence, and being asked to confirm their DoubleOptIn email, the User will have limited use of the Portal.

The request to confirm his DoubleOptIn email comes at regular intervals (every 3–5 minutes) within the portal as long as the user has not confirmed it.

In the present case, an unknown person had used the e-mail address of the underage complainant to create two profiles on the online dating portals of the respondent, which constitutes unlawful data processing. Against this background, the DPA comes to the following conclusion:

Because the respondent had taken no sufficient data security measures pursuant to Art. 32 GDPR, it was possible that personal data of the complainant – namely the e-mail address ***@***.com – were processed unlawfully, which violated the complainant's fundamental right to confidentiality pursuant to Section 1 (1) of the Data Protection Act.

However, the DPA does not address the question of whether, why and under which circumstances a double opt-in procedure is mandatory according to the criteria of Art. 32(1) GDPR. It also remains open whether a double opt-in procedure is required

  • if, unlike here, no advertising is sent without confirmation of registration, but only a service can be used; and
  • if the registration is not considered consent, but is required, for example, in the context of a contract within the meaning of Art. 6 (1) lit. b GDPR, e.g. in the case of an online purchase.

Cf. also the contribution by Carlo Piltz on the decision.