publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: MT
CSAs: DE-Berlin, NL, NO, SE
Legal Reference: Right to object (Article 21), Cooperation with the supervisory authority(Article 31)
Decision: Infringement of Article 21 and Article 31 GDPR
Key words: Right to object, Cooperation with the supervisory authority, Exercise of data subjects’ rights, Marketing communications

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the CSA alleging that the controller kept sending marketing communications to the complainant even though he had previously objected to the processing of his data for marketing purposes.

Findings
The preliminary investigation by the LSA was aimed at ensuring that the controller’s main establishment was in its country.
The controller as internal procedure accepted any requests from data subjects only when the requests were made by using the same email address the users have used to open their account.
Through its investigations, the LSA found out that the controller could not find the first email sent by the complainant to object to the processing of his data for marketing purposes even if this email was sent from the email address used by the user to open his account. The data controller admitted that there was a possibility that the email had not been received or had not been dealt with properly.

Following the receipt of further unsolicited marketing communications, the complainant objected several more times. These emails were sent from email addresses different from the one used to open his account. Even if the controller was thus not able to comply with the data subject’s request as he could not identify him, the controller decided to block the complainant’s account from receiving marketing communications. From the investigation it transpired that the controller did not have any internal procedures for the handling of data subjects’ requests.
In addition the controller did not cooperate with the LSA that had to wait months to receive the requested submissions.

Decision
The LSA found that the controller infringed Article 21 by not having adequate procedures put in place to deal with the complainant’s request to exercise his right to object. The controller also infringed Article 31 GDPR by not cooperating with the LSA. Consequently, the LSA imposed an administrative fine of 15,000 euros on the controller. A 2,000 euro administrative fine was also imposed on the controller for having breached several provisions of national law relating to unsolicited communications.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_baden-wurttemberg_2020-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 24 September 2019
LSA: DE -Baden-Wuerttemberg
CSAs: All SAs
Legal Reference: Transparency (Article 12), Right to erasure (Article 17)

Decision: No infringement of the GDPR
Key words: Exercise of data subjects rights, Erasure request

Summary of the Decision
Origin of the case
The complainant alleged that the controller did not comply with her erasure request.

Findings
The LSA found that the controller deleted the complainant’s personal data. However, the controller did not do so within the timeframe provided by the GDPR. In its reply to the LSA, the controller described the measures taken to avoid delays in the future.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_baden-wurttemberg_2020-01_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page