DBA – Dismissed (Denmark, 2022)

The controller is Den Blå Avis' (DBA), an online platform for second hand goods. The data subject has a blocked user account on the platform and requested the controller to erase his personal data pursuant to Article 17 GDPR. The controller refused to comply because it had received three independent complaints from buyers regarding the data subject. Hence, in order to prevent fraud, the controller claimed it needed to retain the personal data (the blocked account) in order to identify any newly created profiles by the data subject, pursuant to Article 6(1)(d) GDPR. Moreover, the controller stated there was no other way to achieve this objective of fraud prevention. The data subject filed a complaint with the Danish DPA (Datatilsynet). The DPA rejected the complaint. First, the DPA considered that the controller blocked the data subject’s account because of several complaints, and noted that the controller did this on the basis of Article 6(1)(f), and not Article 6(1)(d) GDPR, since the controller balanced the interests. However, the DPA also noted that there is no basis to disregard the controller’s assessment that their interests (fraud prevention) outweigh the data subject’s interests. Second, the DPA considered that the data subject may object to the controller’s processing, but that the data subject did not bring forward any reasons that would justify the objection pursuant to Article 21(1) GDPR. Hence, the DPA found that it did not need to assess Article 17 GDPR, and rejected the erasure request.