Trionic Sverige AB – Complaint Upheld (Sweden, 2022)
A Swedish authority upheld a complaint against Trionic Sverige AB for sharing a customer's order confirmation with an unrelated email domain. The company claimed it was trying to verify the customer's contact details but failed to disclose this practice in its privacy policy. This case underscores the importance of transparency in data sharing practices.
What happened
Trionic Sverige AB shared a customer's order confirmation with an unrelated email domain without proper disclosure.
Who was affected
The affected individual was a customer who ordered a product from Trionic's German website.
What the authority found
The authority found that Trionic's data sharing practice lacked transparency, as it was not disclosed in the privacy policy.
Why this matters
This case highlights the need for companies to be transparent about their data sharing practices, especially when sharing personal information with third parties. Businesses should ensure their privacy policies clearly outline all data processing activities.
GDPR Articles Cited
The data subject ordered a product from the German website of Trionic, a company selling wheelchairs among other products. According to the data subject, the controller then sent a copy of his order confirmation to the domain provider of the data subject's email provider. The data subject communicated his dissatisfaction about this practice to the controller. The data subject also complained about the fact that the controller was sharing personal data with another company, despite the fact that this was not mentioned in the privacy policy. The data subject later cancelled the order. The controller clarified its several processing operations and the corresponding legal bases. First, the controller suspected at first that the data subject had provided an incorrect personal e-mail address for this order. When the controller tried to contact the data subject with the provided telephone number, this did not work. It turned out that the data subject had provided a fax number instead of a telephone number. Because there was no other way to contact the data subject, the controller decided to send the order confirmation to the 'info' e-mail address of the data subject's e-mail domain. Besides the fact that the controller claimed that this was the only way to contact the data subject, the controller also stated that it was legally obligated to do so pursuant to Article 5(1)(d) GDPR. The controller did not explicitly mention Article 6(1)(c) GDPR, but it did mention that it was using the legal bases of 'legal obligation'. Second, the controller allowed its customers to pay with invoice in the German market. However, the controller had experienced before that these invoices were not paid. To prevent this from happening again, the controller shared the data subject's personal data with its processor, providing fraud control services. The controller's legal basis for this processing was Article 6(1)(f) GDPR, for the controller's legitimate interest to prevent fraud. It a
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Trionic Sverige AB in SE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Trionic Sverige AB - Sweden (2022). Retrieved from cookiefines.eu
Last updated: