Healy โ Complaint Upheld (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Healy mistakenly sent personal information and newsletters to a person who did not order from them, due to a database error. This case is important because it shows how mistakes in handling customer data can lead to privacy issues and highlights the need for companies to respond promptly to data deletion requests.
What happened
Healy sent personal data and newsletters to the wrong email address due to a database error.
Who was affected
The affected person was someone who received another customer's personal data and communications from Healy.
What the authority found
The Berlin DPA upheld the complaint, finding Healy failed to properly address the data subject's requests and protect personal data.
Why this matters
This case underscores the need for businesses to have robust processes for handling customer data and responding to data deletion requests. It highlights the importance of accurate data entry and timely communication with affected individuals.
GDPR Articles Cited
The data subject received an order confirmation by e-mail from a company called "Healy" (controller). The data subject informed the controller by e-mail that it had used an incorrect e-mail address. She also informed the controller about her suspicion that an actual customer of the controller had used her e-mail address to place an order. The controller did not respond to this. After that, the data subject also received shipping confirmations with personal data of the actual customer who had placed the order, as well as the controller newsletters. In addition, the data subject also received information in German concerning a credit balance, as well as the password and username of the actual customer. As would become clear later, this situation was the result of a faulty process with regard to the controller's database. In this database, there was a customer with the same name as the data subject. When the responsible employee of the controller manually entered the e-mail address to send the shipping confirmations to, he confused the data subject's email with the one of the customer who had actually placed the order. On 28 June 2021 and 6 July 2021, the data subject requested the controller by e-mail to delete her e-mail address. Instead of addressing the DPO of the controller, the data subject sent her requests to the controller's customer service. At first, the controller did not comply with the data subject's request for erasure because it's customer service department was of the opinion that the e-mail address was still required to process an open order. The customer service later transferred the complaint to the legal department after 'a delay'. It is not clear from the decision how long this delay was. After this, the data subject received instructions from the controller to log into her (non-existent) customer account, and fill in a form there. On 4 August 2021, The controller deleted the data subject's e-mail after it finally became aware of the situati
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Healy in DE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Healy - Germany (2022). Retrieved from cookiefines.eu
Last updated: