Bland.is – Complaint Upheld (Iceland, 2021)

The complainant stated that when registering on the sales website Bland.is, he had to identify himself with an ID number and a bank account which was to be deleted after identification. However, this information had been used to obtain further information about the complainant, including his address. It was later published on his advertisement on Bland.is. In the complainant's view, the personal information was collected without his authorization. He was deceived into consenting to it under false pretenses and added to the advertisement without his knowledge. Wedo, an operator of the website, replied that when users identify themselves on Bland.is, the company looks up the user's address in the national register. The company considered itself to be processing personal information about the complainant's address on the basis of consent. Was the consent informed enough? In the opinion of the DPA, the complainant's authorization to remove an address in the user settings on the website does not fulfill conditions of the consent under Article 7 GDPR. The declaration of approval offered by the controller does not provide enough information. Contrary to the privacy policy that stated that contact information will be obtained from users, the company obtained it from the National Registry. The processing did not comply with Article 6(1)(a) GDPR. In accordance with this conclusion, the DPA ordered the controller to stop the processing of personal information about the address of the Bland.is users until the company sends the DPA an explanation on which basis the processing took place and the DPA confirms that the processing complies with the provisions of the law.