VÍS – Dismissed (Iceland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Iceland's data protection authority dismissed a complaint against VÍS, a car insurance company, regarding how it handled customer phone calls. The authority found that VÍS had a legitimate reason to check the caller's identity to send them a survey. This decision shows that companies can use customer data for service improvement if they clearly inform users.
What happened
VÍS was accused of improperly using a customer's phone number to send a survey after a phone call.
Who was affected
A customer of VÍS who contacted the company without revealing their identity.
What the authority found
The authority ruled that VÍS had a legitimate interest in processing the customer's phone number to enhance service quality.
Why this matters
This ruling highlights that companies can use customer data for legitimate purposes, like improving services, as long as they are transparent about their practices. Businesses should ensure their privacy policies clearly communicate how customer data will be used.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject contacted [https://vis.is/ VÍS] (a controller) via phone. During the call the data subject didn’t disclose their identity and asked a general question about a car insurance. Afterwards, they received an e-mail survey from the controller. The survey was aimed to evaluate and improve the contact service with the controller. The data subject lodged a complaint with the Islandic DPA (Persónuvernd). The data subject claimed they didn’t consent to their phone number being cross-checked with the customer database every time they called the controller. Also the data subject expressed concerns over the lack of possibility to contact the controller anonymously. Moreover, in the opinion of the data subject their phone number was used for a purpose incompatible with the original one. During the examination proceedings, the controller explained they cross-checked the data subject’s phone number with their customer database to send the e-mail. Once a customer, whose data was stored within the customer database, called the controller, they were automatically identified and the speaker saw the customer’s name and business relation with the controller. The controller claimed they could base this processing on their legitimate interest under Article 6(1)(f) GDPR to send surveys, i.e. increasing the quality of customer service. The DPA dismissed the complaint. According to the DPA, the controller had a legitimate interest in processing the data subject’s phone number by combining it with customer’s database and sending the survey. The controller’s privacy policy clearly indicated that one of processing purposes was sending surveys by the controller. Thus, the data subject could have expected to receive such a survey from the controller. Furthermore, the data subject, being the controller’s customer, must have been aware that the controller was able to use their database to check their identity. Additionally, the email sent to the data subject contained the referen
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (0)
No other enforcement actions found for VÍS in IS
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. VÍS - Iceland (2024). Retrieved from cookiefines.eu
Last updated: