On September 11, 2023, the Danish data protection authority (Datatilsynet) published, its decision in Case No. 2021-31-5667, as issued on March 27, 2023, in which it expressed criticism against OrderYOYO A/S, for violations of the General Data Protection Regulation (GDPR), following a complaint made to the Datatilsynet.

Background to the case

The complainant stated that in July 2021, they had ordered food from a local restaurant through the OrderYOYO platform but canceled the order before payment. The complainant claimed that they received several marketing emails sent by OrderYOYO A/S on behalf of the restaurant in question.

The Datatilsynet noted that the complainant subsequently submitted a data subject access request (DSAR) to OrderYOYO on July 7, 2021, requesting access and deletion of the complainant's payment information. The Datatilsynet stated that the complainant confirmed to OrderYOYO that they wanted access to their personal data before it was deleted. However, the Datatilsynet pointed out that OrderYOYO did not respond to the complainant's DSAR and only complied with the request in December 2021 after the Datatilsynet's involvement.

Findings of the Datatilsynet

Following its investigation, the Datatilsynet found that OrderYOYO had violated Article 12(3) of the GDPR by failing to provide information to the complainant on actions taken on their access request within one month of receipt of the request. Further, the Datatilsynet noted that OrderYOYO's handling of the DSAR was in violation of Articles 15 and 17 of the GDPR.

Outcomes

Ultimately, the Datatilsynet expressed criticism against OrderYOYO for the aforementioned violations.

You can read the press release here and the decision here, both only available in Danish.