Skip to content

After a lengthy investigation, the FDPIC has now issued the final report with recommendations for the parties Ricardo and TX Group. Due to various data protection violations, the FDPIC has issued eleven recommendations to Ricardo. You can read our assessment of this here.

       I.            Starting point

Since February 2016, the TX Group has been introducing new data protection declarations at the associated companies. This is intended to promote the exchange of data within the group in order to improve security and the online experience.

One of the companies affected is Ricardo AG, which operates the online auction platform Ricardo. It introduced the new data protection declaration in July 2017 and drew users’ attention to the changes by email that same month. The FDPIC then received complaints that Ricardo’s approach was not transparent. This was partly because customers felt compelled to consent to the transfer of data for marketing purposes, otherwise their existing membership would be terminated.

After an exchange of correspondence between the FDPIC and Ricardo AG, in which Ricardo AG was able to comment on how it ensured that consent was voluntary or what justification it could invoke, the FDPIC ordered a more detailed investigation of the matter.

Since the investigation began, TX Group AG and Ricardo AG have introduced several new data protection declarations, which led to repeated adjustments to the findings. In the meantime, the new Data Protection Act (SR 235.1) has also been enacted.

    II.            Data protection assessment

The FDPIC sees a violation of the data processing principles under data protection law in three respects.
Firstly, the principle of proportionality has been violated by the fact that cross-platform tracking or extensive data enrichment from various sources is taking place.
Secondly, the principle of good faith has been violated by misleading communication about the purposes of the newly introduced data processing.
The principle of transparency was also violated by the dissemination of non-transparent and incomprehensible information about the data processing and the possibilities for objecting to it.
Ricardo and TX Group AG are of the opinion that the relevant data processing is based on an overriding private interest of the TX Group and that any violation of privacy is justified accordingly.
The FDPIC recognizes the interest of the TX Group and the participating companies in knowing the interests of their existing and potential customers in order to be able to target advertising more effectively. This is countered by the interest of the persons concerned in informational self-determination. However, according to the FDPIC’s weighing of interests, the interests of the affected users outweigh the purely economic interests of Ricardo and the TX Group.

  III.            Recommendations

The FDPIC has issued eleven recommendations to Ricardo and TX Group AG. These fall into two categories. Nine of the recommendations relate to a lack of transparency and the duty to provide information, as well as to the right to object. The aim here is to ensure that the website maintained by Ricardo AG is adapted in such a way that users can see, among other things, for what purposes personal data is processed, which data processing operations lead to personality profiles, which platforms are involved in tracking for advertising purposes and for which data processing operations Ricardo AG relies on which justifications.

The second set of recommendations relates to the fact that consent for the forwarding of personal data to the TX Group AG for advertising purposes was not obtained in a legally valid manner. Ricardo requires a justification for the data to be forwarded. The FDPIC has ruled out the existence of overriding private interests, meaning that data processing can only be justified by consent from the users. The FDPIC therefore recommends that the website be adapted so that consent is obtained before data is passed on to the TX Group AG and that consent is given after appropriate information has been provided. Furthermore, the existing data of customers that has already been collected for advertising purposes must be deleted by the TX Group AG if no legally valid consent has been obtained.

 IV.         Statements from Ricardo AG and TX Group AG

Nach der Veröffentlichung des Schlussberichts des EDÖB haben sowohl die Ricardo AG als auch die TX Group AG ihre Stellungnahmen eingereicht.

Die Unternehmen machen geltend, dass sich die Empfehlungen des EDÖB auf einen nicht mehr existierenden Sachverhalt und ein nicht mehr geltendes Gesetz stützen würden. Sie seien daher gegenstandslos.

Des Weiteren weisen die Parteien die Feststellungen von Verstössen gegen das DSG zurück und dementieren die rechtlichen Schlussfolgerungen. Es handle sich bei den Daten, die jeweils der TX Group AG übermittelt wurden, nicht um Personendaten, weshalb das DSG gar nicht zur Anwendung komme. Die allgemeinen Datenschutzgrundsätze würden respektiert und dementsprechend käme es gar nicht zu einer Persönlichkeitsverletzung. Schlussendlich argumentieren Ricardo und TX Group, dass obwohl kein Rechtfertigungsgrund nötig sei, die Einwilligung der NutzerInnen eingeholt werde bzw. ein überwiegendes privates Interesse vorliege.

    V.         Our assessment

Es ist klar ersichtlich, dass dem EDÖB die Transparenz ganz besonders wichtig ist (auch zu sehen in unserem Bericht zu der Sachverhaltsabklärung i.S. Galaxus). Dies ist so auch richtig, liegt doch beim Schweizer Datenschutzrecht der Fokus sehr auf der Selbstverantwortung, für welche Transparenz eine Voraussetzung ist. Datenschutzerklärungen sollten deshalb sorgfältig formuliert werden. Allerdings wird so das ganze Gewicht der Transparenz auf die Datenschutzerklärungen abgewälzt, weil man davon ausgeht, dass Personen sonst ihr Auskunftsrecht nicht ausüben. Man sollte aber nicht übersehen, dass Betroffene durchaus in der Lage sind, sich auch in Datenschutzerklärungen zurecht zu finden, die etwas komplexer sind.

 

Des Weiteren ist an der Sachverhaltsfeststellung des EDÖB zu kritisieren, dass recht grosszügig mit dem Datenschutzrecht umgegangen wird. So wird in casu der Begriff des Personendatums extensiv ausgelegt. Das EDÖB kommt in sehr knappen Erwägungen zum Schluss, dass die von Ricardo übermittelten Daten personenbezogen seien, weil der Personenbezug keinen Schluss auf die bürgerliche Identität verlangt, sondern ein Pseudonym schon genüge.

 

 

Quellen (Links [als Hyperlink in Textform], Zitation von Büchern)