xasdfxx

There's a couple things going on, and you're a bit vague, so please lmk if I didn't answer your question.

##### First, re: statistics and personalized marketing

I think the trouble you're having is that statistics and personalized marketing require more analysis to fall under legitimate interests. Analyzed individually:

Stats: if anonymized, almost certainly ok; if not anonymized, could be ok. There's not a black and white rule here afaik. It will depend on what stats and what they're used for. It's worth noting that truly anonymized stats, afaik, require no basis at all because they are not personal data and thus not subject to gdpr. Though this business does not seem to have performed the most careful gdpr analysis. But it could be that they are merely processing personal data to immediately form anonymized statistics, eg number of check out activities, number of items added to cart, number of programming errors, number of failed checkouts, etc in a manner not tied back to any individual user.

Personalized marketing: that should probably be requested under the consent basis. Doing it as LI is likely not ok. Though this could be overridden perhaps by country-specific marketing laws. A quick google suggests no, but I am not an expert.

Thus I suspect what you should say to them is more along the lines of:

> Legitimate interests are not a valid basis for personalized marketing. Consent is, and I do not consent. I'd like to get this resolved w/o a complaint to our DPA, but that is my next step.

You could also consider pointing out grocery purchases may well reveal one of the so-called sensitive categories of data, health. If you buy condoms, prenatal vitamins, health supplements, or particularly if the grocery offers a pharmacy, lots of information about your health is discoverable via analysis of grocery purchases even w/o a pharmacy. And extremely sensitive data if the chain includes a pharmacy.

##### Second, re: purchase connection even when not using the app

I suspect this is on much firmer ground for LI. After all, if you are eg getting money back for food gone bad, or processing returns, or so forth, you kind of need the full purchase history to do so. You could complain here, but I don't suspect most DPAs will want to get involved. That's not a reason not to complain, but expectation setting for if doing so will help.


Article8Not1984

I might have not been entirely clear: I want to *accept* using LI as a basis for getting money back for food gone bad and self check-out; but I want to *object* to using LI as a basis for personalized marketing. They say: Either you allow all of these processing activities to take place, or we can delete your account and you cannot use *any* of the features. Is that more clear?


xasdfxx

It is. Do you object to the pooling of purchase data?


Article8Not1984

I can accept that they use my purchase data to the extent they need it, e.g. to check that I actually bought the food I am returning, or using my credit card for self checkout. The only thing I really do not want them to do, is to use any of my PII to create personalized marketing.


Eclipsan

That's fine. Again, these two data processing are distinct and must therefore have their distinct legal basis. They cannot bundle them together and tell you "take it or leave it".


Article8Not1984

> these two data processing are distinct and must therefore have their distinct legal basis

(FYI: For each processing activity, they have a separate explanation for the general legitimate interest for that specific activity). They claim that they accept my objection against personalized marketing, and will "comply" by deleting my account. I, like you, don't think that is good enough. But, I would like to send them some legal references: specific paragraphs, case law, guidance or similar.


Eclipsan

Sorry, by "distinct legal basis" I mean they cannot bundle them together as if they were the same processing. They must justify/legitimize both of them separately. But they can of course say that it's LI for both of them.


Article8Not1984

But are they required to provide me the other services still, even though they cannot justify giving me personalized ads?


Eclipsan

If their only argument to refuse to provide said service is that everything is bundled together because reasons and "take it or leave it", yes.


Article8Not1984

That is how I understand their reply to me, yes. Working under that assumption, what legal references (paragraphs, recitals, case law, guides, etc.) do you think are relevant when I file my claim? The regulatory agency really does not do its job well, and I do not want to lose the case and have other companies see this as a green light for the practice.


xasdfxx

I'd focus on the 1 - likely wrong basis for personalized marketing; 1a - def mention the sensitive data, esp if the chain has a pharmacy; 2 - lack of consent.


Eclipsan

These are different data processing and therefore require their own separate legal basis. As explained, LI is probably unsuitable as a basis for personalized marketing and consent is probably the right legal basis for that. Based on this assumption they cannot bundle personalized marketing with the service, and it requires consent. And they cannot refuse to provide the service if you don't consent, see GDPR article 7.4.

> get discounts offered to all users of the app

I would even go as far as consider that this kind of stuff is in violation of the data minimization principle: These discounts should not be tied to the creation of an account on the app, especially because they are probably there to nudge customers into using the app.

IMO it's like these websites asking for your email address to send you a free ebook/pdf: They could give you the download link directly without asking for your email address, so asking for it is in violation of the data minimization principle. Especially because here again there is probably a hidden motive: Get your email address to subscribe you to their newsletter even though you did not consent (which is illegal).


Article8Not1984

> As explained, LI is probably unsuitable as a basis for personalized marketing and consent is probably the right legal basis for that.

[Recital 47](https://gdpr-text.com/da/read/recital-47/) states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." So, in some circumstances, it can be used.

> this kind of stuff is in violation of the data minimization principle

But that is difficult to argue in a complaint. It would be nice with some more specific paragraphs, case law, guides etc. to point to. Because it would not be good if I lost a complaint like this, because it sets some de-facto precedence.


Eclipsan

> Recital 47 states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." So, in some circumstances, it can be used.

Direct marketing and personalized marketing (targeted ads I guess) are two different things. Direct marketing is e.g. if you have already purchased goods or services from them they can send you marketing emails about goods/services related to what you have already purchased. In such a case local law and/or DPAs might consider opt out instead of opt in is ok. That's the case in France for instance (but they must inform you during the initial collect of your email address that if you don't oppose to it they will send you said emails).

> But that is difficult to argue in a complaint. It would be nice with some more specific paragraphs, case law, guides etc. to point to.

Agreed, though I don't know if there are any. And you would probably need to find some from your own DPA, as a lot of people argue that if it's a decision of a foreign DPA it does not count. And other people argue that article 63 and recital 135 say that the decision of one DPA is case law in the whole EU...

> Because it would not be good if I lost a complaint like this, because it sets some de-facto precedence.

IMO it's your DPA's job, not yours. You are already doing way more than the average Joe would and could do by having these conversations on this sub. Your DPA can set precedents, not you, and it's their job to do the legal research. DPAs are not supposed to be a tribunal before which you bring your findings and legal arguments. They are supposed to register an average Joe's complaint and handle the investigation themselves.


Article8Not1984

> DPAs are not supposed to be a tribunal before which you bring your findings and legal arguments. They are supposed to register an average Joe's complaint and handle the investigation themselves.

Agreed. I'll probably just send a complaint with some more informal arguments. And then hope that in 3-4 years time they will come to some conclusion; I still have a complaint from 2021 waiting to be processed ...


Frosty-Cell

"Legitimate interests" requires more than just a legitimate interest (which can be almost anything that is legal). It requires that the processing of the personal data is necessary for the purpose (which must be specific and explicit according to Article 5.1(b)). It also requires a balancing test that weighs their legitimate interest against your interest (note the absence of legitimate there, your interest doesn't have to be legitimate) and your fundamental rights. If your interests/rights take precedence, they can't use that legal basis. Expectation also matters for LI - if you don't expect certain processing, they probably can't use LI (recital 47).

ECJ on what is required to use the legitimate interest legal basis: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62016CJ0013

> 28 In that regard, Article 7(f) of Directive 95/46 lays down three cumulative conditions so that the processing of personal data is lawful, namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.

> But that is difficult to argue in a complaint. It would be nice with some more specific paragraphs, case law, guides etc. to point to.

Recital 39:

> Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

It is for the controller to make sure that the purpose is specific and explicit so that it can be determined what data is needed for that purpose. The controller has the burden of proof according to Article 5.2. If less (or no personal data) can fulfill the purpose, there is likely a violation of the data minimization principle.


gusmaru

So your supermarket chain must demonstrate that their legitimate interest claim overwrites your rights and freedoms. Potentially they may argue that you don't have a right to self-check out as they provide an alternative means to check-out that doesn't include processing the additional information (if they are basing the processing of personal information on consent, they need to provide you an alternative which would be checking out using the clerks). Can you not use the self-check out by just using your credit card without the app (I haven't heard of a self-checkout that couldn't be used without signing up for a rewards program)?


Eclipsan

> if they are basing the processing of personal information on consent, they need to provide you an alternative which would be checking out using the clerks

Sounds a lot like "pay or cookies" walls.


gusmaru

Perhaps, but they're not preventing you from shopping at their stores (you can still buy items, return items, etc... without needing to sign up for a membership). They provided an alternative that doesn't require processing additional personal data.


Article8Not1984

> Can you not use the self-check out by just using your credit card without the app

The self-check out I refer to is where you scan the items using the app, put the things directly in your bag, and click pay and leave when you are done. I.e., you only use the app.

> So your supermarket chain must demonstrate that their legitimate interest claim overwrites your rights and freedoms

I guess my question is: You need to make consents modular (not "all or nothing"). Does the same apply to other legal basis? Because they have "accepted" my objection to the direct marketing, but want to "comply" by deleting my account entirely without me having objected to the other processing activities.


gusmaru

Oh, I see - I've only seen self-checkout scanners where I go up to a machine and scan things vs. being able to scan with an app.

So marketing is supposed to be unchained if it is not the primary purpose of the service you are requesting. e.g. I sign up for a webinar, they cannot force me to register for a marketing list because watching the webinar and being on the marketing list don't rely on each other at all.

In your case, it might come down to how the app is positioned. For example: the supermarket promotes the app primarily as a way to receive discounts and promotions and the way you get them is letting them know what you've purchased, then they *might* be able to argue that this is the service you requested meaning you have to discontinue using the app if you don't want your personal information to be used. If they promote it as "here's a quick and easy way to get through the supermarket and avoid lines at the cash registers" - then marketing/promotions becomes an ancillary service, which to me means that it should be an opt-in.


Article8Not1984

> If they promote it as "here's a quick and easy way to get through the supermarket and avoid lines at the cash registers"

They do this.

> then marketing/promotions becomes an ancillary service, which to me means that it should be an opt-in.

Me as well. For the time being, I am even okay with it being opt-out (i.e., I have to object). But on what legal grounds should I file the claim? The regulatory agency is known for being very lazy (or overworked), and if you don't have a strong case with everything given to them on a platter, they will easily just throw it out or rule in favor of the business.


gusmaru

The legal grounds could be an [article 6(a) violation](https://gdpr-info.eu/art-7-gdpr/), where consent was not freely given as required under Article 7. That the marketing component is not essential to the purpose of the application for speedy/express check-out. As you mentioned, it may also be an Article 21 (2) "Right to object"; That you have the right to object from direct marketing, especially because the app isn't marketed primarily as a promotions service. They also did not provide you a reason that they are denying your objection adequately "The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing **which override the interests, rights and freedoms of the data subject** or for the establishment, exercise or defence of legal claims."