Under what circumstances may correspondence be released to a third party following a purchase agreement?
which the data subject’s correspondence with an online shop operator had been transmitted to another person transfer to a deceived purchaser.
What was it about?
The affected person had purchased a bicycle online which, in his opinion, turned out to be defective. After the operator of the online shop refused to allow returns, the affected person sold the bicycle without informing the new buyer of the defects. When the buyer of the bicycle also noticed defects on the bicycle, the affected person with this information. Authority and requested a data protection review of the shop operator’s release of the correspondence.
Statement from the shop operator
Following the supervisory authority’s intervention, the online shop operator informed the supervisory authority that the customer number was sufficient to submit an inquiry regarding previous purchases. This resulted in the correspondence with the person concerned being forwarded to the new buyer without further identity verification.
Information from the supervisory authority
The supervisory authority advised that the shop operator had changed this procedure and would also compare the email addresses from inquiries with the respective customer account in the future.
In this way, it should be ensured that the communication, and thus also the personal data, are only sent to the person who previously concluded the purchase contract under persons can receive previous correspondence and contract-relevant data.
Could the transmission have been permissible?
The transmission could have been permissible if the data processing within the scope of the change of purpose pursuant to Art. 6 (4) GDPR had been based on the legal basis of legitimate interest pursuant to Art. 6 (1) (f) GDPR. This would have been assumed if the transmission of the personal data was carried out for the purpose of asserting legal claims pursuant to Art. 6 (1) (f) GDPR. would have been possible to lawfully request the correspondence with the online shop on these grounds.