paydirekt GmbH – Complaint Upheld (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hesse Data Protection Authority found that paydirekt GmbH stored unnecessary details about customers' purchases, like specific items bought, without a valid reason. This matters because it shows companies must limit data collection to what's necessary for their services. The decision emphasizes the importance of data minimization under GDPR.
What happened
paydirekt GmbH stored detailed information about customers' purchases without a valid legal basis.
Who was affected
Customers who used paydirekt GmbH's payment service and had their purchase details stored unnecessarily.
What the authority found
The DPA found that paydirekt GmbH lacked a legal basis for storing detailed purchase information for transaction history and customer support purposes.
Why this matters
This case highlights the need for businesses to only collect and store data necessary for their services. It serves as a reminder that companies must evaluate their data practices to ensure compliance with GDPR's data minimization principle.
GDPR Articles Cited
The data subject purchased eye drops, skin care products, and other similar products from an online pharmacy website, as well as items from an online sex shop website. The data subject used the online payment service of Paydirekt GmbH (the controller) when paying for the online purchases. The controller stored data regarding the items purchased, along with the amount of money spent and the date of the transactions. The data subject filed a complaint with the Hesse DPA (HBDI) in which she argued that the controller violated Article 5(1) GDPR and Article 9(1) GDPR by processing health-related data and data relating to her sexual life without a legal basis, specifically by storing the information on the individual items purchased. Moreover, the data subject argued that the controller was in violation of Article 25(1) GDPR by processing data that were not needed for the provision of the payment services (i.e. data minimisation).

The DPA identified four purposes for the controller's processing of information on the individual items purchased by the data subject:
1. To show the information to the user when making a purchase
2. For fraud prevention
3. To offer the user a history of their transactions
4. To provide the information to the payment service's customer support

The DPA found that the controller did not have a legal basis for the processing for the 3rd and 4th purposes. However, the DPA found that the controller had a legitimate interest in processing the personal data for the 1st purpose, as it served the controller's interest in minimising the number of mid-transaction cancellations made by customers. Furthermore, the DPA found that the controller had a legitimate interest in processing such personal data for the 2nd purpose, since the processing was done in the interest of all parties involved. Next, the DPA held that the data relating to the items purchased from the online sex shop were not sensitive data within the meaning of Article 9(
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for paydirekt GmbH in DE
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. paydirekt GmbH - Germany (2022). Retrieved from cookiefines.eu