Trionic Sverige AB – Complaint Upheld (Sweden, 2022)

The data subject ordered a product from the German website of Trionic, a company selling wheelchairs among other products. According to the data subject, the controller then sent a copy of his order confirmation to the domain provider of the data subject's email provider. The data subject communicated his dissatisfaction about this practice to the controller. The data subject also complained about the fact that the controller was sharing personal data with another company, despite the fact that this was not mentioned in the privacy policy. The data subject later cancelled the order. The controller clarified its several processing operations and the corresponding legal bases. First, the controller suspected at first that the data subject had provided an incorrect personal e-mail address for this order. When the controller tried to contact the data subject with the provided telephone number, this did not work. It turned out that the data subject had provided a fax number instead of a telephone number. Because there was no other way to contact the data subject, the controller decided to send the order confirmation to the 'info' e-mail address of the data subject's e-mail domain. Besides the fact that the controller claimed that this was the only way to contact the data subject, the controller also stated that it was legally obligated to do so pursuant to Article 5(1)(d) GDPR. The controller did not explicitly mention Article 6(1)(c) GDPR, but it did mention that it was using the legal bases of 'legal obligation'. Second, the controller allowed its customers to pay with invoice in the German market. However, the controller had experienced before that these invoices were not paid. To prevent this from happening again, the controller shared the data subject's personal data with its processor, providing fraud control services. The controller's legal basis for this processing was Article 6(1)(f) GDPR, for the controller's legitimate interest to prevent fraud. It a