VÍS – Dismissed (Iceland, 2024)

A data subject contacted [https://vis.is/ VÍS] (a controller) via phone. During the call the data subject didn’t disclose their identity and asked a general question about a car insurance. Afterwards, they received an e-mail survey from the controller. The survey was aimed to evaluate and improve the contact service with the controller. The data subject lodged a complaint with the Islandic DPA (Persónuvernd). The data subject claimed they didn’t consent to their phone number being cross-checked with the customer database every time they called the controller. Also the data subject expressed concerns over the lack of possibility to contact the controller anonymously. Moreover, in the opinion of the data subject their phone number was used for a purpose incompatible with the original one. During the examination proceedings, the controller explained they cross-checked the data subject’s phone number with their customer database to send the e-mail. Once a customer, whose data was stored within the customer database, called the controller, they were automatically identified and the speaker saw the customer’s name and business relation with the controller. The controller claimed they could base this processing on their legitimate interest under Article 6(1)(f) GDPR to send surveys, i.e. increasing the quality of customer service. The DPA dismissed the complaint. According to the DPA, the controller had a legitimate interest in processing the data subject’s phone number by combining it with customer’s database and sending the survey. The controller’s privacy policy clearly indicated that one of processing purposes was sending surveys by the controller. Thus, the data subject could have expected to receive such a survey from the controller. Furthermore, the data subject, being the controller’s customer, must have been aware that the controller was able to use their database to check their identity. Additionally, the email sent to the data subject contained the referen