In a ”double opt-in” procedure, a user gives his consent to the use of their personal data in a two-stage system (“double”). First, the user completes a registration on the website of the provider by using his e-mail address. Subsequently, the provider sends a confirmation message to the registered e-mail address. Only when the user confirms his registration for a second time, for example by clicking on an activation link in the confirmation e-mail, the company has obtained approval for the use of the user’s personal data.
Facts of the case
The present case concerned a Vienna-based company operating online dating portals. Without the knowledge of the underage complainant, accounts on two of the company´s dating portals were created using the complainant´s e-mail address. Subsequently, the complainant received “contact suggestions” and notifications from the respondent, which were summarized by the Austrian DPA as ”sex spam”.3
An investigation by the DPA showed that in order to register with the company’s online dating portals it was sufficient to provide any e-mail address. Although the company sent the user a confirmation e-mail to the provided address, it did not wait for the user to confirm their registration by clicking on an activation link before sending further messages to this address. To summarize, while the company formally had a ”double opt-in” procedure in place, it did not actually abide by it in practice.
The father of the complainant, who acted as his legal representative, alleged that the absence of a mechanism that prevents the simple registration and subsequent sending of messages constitutes a violation of Articles 5 and 6 GDPR, as well as Article 32 GDPR, which would lead to a violation of the Austrian fundamental right to secrecy pursuant to Section 1 (1) of the Austrian Data Protection Act (DSG)4. Under Section 1 (1) DSG everyone has the right to secrecy of personal data, especially with regard to the respect for his private and family life, insofar as that person has an interest which deserves such protection.
With regards to the possible breach of Article 32 GDPR, the DPA already ruled in an earlier decision that a data subject may also rely on any provision outside of Chapter III of the GDPR (rights of the data subject) – therefore also on Article 32 GDPR – if it may lead to a possible violation of the right to secrecy under Section 1 (1) DSG. 5
Since the e-mail address of the complainant is qualified as personal data according to Article 4 (1) GDPR, the DPA, the unauthorized use of a third-party e-mail address can in any case violate Articles 5, 6 and 32 GDPR and thus constitute a conceivable violation of the right to secrecy pursuant to Section 1 (1) DSG.
Pursuant to Article 32 GDPR, the controller has an obligation to ensure the security of the processing of personal data. Taking the elements in Article 32 (1) GDPR into account, security of the personal data may be provided in several ways. 6 The DPA ruled in this decision that an example for such a data protection security measure may consist in the implementation of a ”double opt-in” procedure for obtaining consent in accordance with the law.
Decision of the DPA
Because the respondent was not using a “double opt-in” procedure in the present case, it was possible for any user to register on the respondent’s online dating portals with the e-mail address of an uninvolved third party.
The DPA ruled in favor of the complainant and stated that the company had infringed the complainant’s right to secrecy pursuant to Section 1 (1) DSG. As a result of the fact that the respondent did not take sufficient data security measures in accordance with Article 32 GDPR, specifically due to a lack of a ”double opt-in” procedure, it was possible that personal data of the complainant – namely the e-mail address – was unlawfully processed, which violated the complainant’s fundamental rights.
1 ”Datenschutzbehörde” or “DSB”
3 Newsletter 1/2020 of the Austrian Data Protection Authority, p. 4
4 Section 1 (1) of the Austrian Federal Act concerning the Protection of Personal Data (DSG)
5 See DSB, decision from 13 September 2018, DSB-D123.070/0005-DSB/2018
6 See Recital 78 GDPR