publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: MT
CSAs: DE-Berlin, NL, NO, SE
Legal Reference: Right to object (Article 21), Cooperation with the supervisory authority (Article 31)
Decision: Infringement of Article 21 and Article 31 GDPR
Key words: Right to object, Cooperation with the supervisory authority, Exercise of data subjects’ rights, Marketing communications

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the CSA alleging that the controller kept sending marketing communications to the complainant even though he had previously objected to the processing of his data for marketing purposes.

Findings
The preliminary investigation by the LSA was aimed at ensuring that the controller’s main establishment was in its country.
As an internal procedure, the controller accepted requests from data subjects only when they were made from the same email address the users had used to open their account.
Through its investigations, the LSA found that the controller could not find the first email sent by the complainant to object to the processing of his data for marketing purposes, even though this email was sent from the email address used by the user to open his account. The data controller admitted that there was a possibility that the email had not been received or had not been dealt with properly.

Following the receipt of further unsolicited marketing communications, the complainant objected several more times. These emails were sent from email addresses different from the one used to open his account. Although the controller was thus not able to comply with the data subject’s request, as it could not identify him, the controller decided to block the complainant’s account from receiving marketing communications. The investigation showed that the controller did not have any internal procedures for the handling of data subjects’ requests.
In addition, the controller did not cooperate with the LSA, which had to wait months to receive the requested submissions.

Decision
The LSA found that the controller infringed Article 21 by not having adequate procedures put in place to deal with the complainant’s request to exercise his right to object. The controller also infringed Article 31 GDPR by not cooperating with the LSA. Consequently, the LSA imposed an administrative fine of 15,000 euros on the controller. A 2,000 euro administrative fine was also imposed on the controller for having breached several provisions of national law relating to unsolicited communications.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Please see also EDPB Copyright page

publishable_fr_2020-02_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 20 February 2020
LSA: FR
CSAs: LU
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to object (Article 21)

Decision: Reprimand
Key words: Right to object, E-commerce

Summary of the Decision

Origin of the case
The complainant received SMS marketing on his phone. Following his objection to the controller, he received another marketing SMS.

Findings
The LSA noted that there was a delay of 48-72 hours in the deletion of the complainant’s data. The controller will now inform individuals exercising their right to object of the above-mentioned delay.

Further, the LSA found out that the controller’s procedure for requests to exercise rights required complainants to systematically provide a copy of an identity document, in breach of Article 12(6) GDPR. Also, the information delivered to individuals at the registration stage and when sending direct marketing messages did not meet the objective of transparency, accessibility and clarity as set out in Article 12.2 GDPR.

The controller undertook the necessary actions to adjust its procedure to request an identity document only under specific circumstances and to improve the information delivered to individuals at the registration stage and when sending direct marketing messages, for instance detailing the contact addresses for exercising rights.

Decision
The LSA issued a reprimand in accordance with Article 58(2)(b) GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-02_right_to_object_summarypublic.pdf


publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Summary Final Decision Art 60
Investigation

Compliance order

Background information
Date of final decision: 16 December 2019
LSA: FR
CSAs: BE, DE-Rhineland-Palatinate, DK, ES, IT, HU, LU, PL, PT, SE, SK
Legal Reference: Transparency and Information (Articles 12, 13 and 14), Right to erasure (Article 17), Right to object (Article 21), Security of processing (Article 32)

Decision: Order to comply
Key words: Transparency and Information, Right to Erasure, Right to Object, Security of Processing, E-Commerce, Direct Marketing, Children, Consumers

Summary of the Decision

Origin of the case
The LSA conducted two on-site investigations at the controller’s premises to audit the controller’s compliance with the GDPR and tested the procedure set up by the controller to create an account.

Findings
The controller is a company offering subscriptions to educational magazines for children. On the basis of the investigation, the LSA found several GDPR infringements. First of all, several breaches of the obligation to inform data subjects, enshrined in Articles 12 and 13 GDPR, were identified. Neither information relating to data protection nor a link to the controller’s Terms and Conditions was given to the data subjects upon registration or when placing an order. As a consequence, the information was considered to be not accessible enough.
The Terms and Conditions did not include any information on the legal basis for processing, on the retention period and on the individual rights to restriction of processing, data portability, or to submit a claim to a supervisory authority. Although the target audience was French-speaking and the website is fully in French, the “unsubscribe” button in the newsletter and marketing emails was hyperlinked to a text in English, asking for confirmation. An additional hypertext link was included in the final page (titled “Clicking here”): this is misleading for the user, as clicking on such link actually resulted in a new subscription.

Secondly, a breach of the obligation to comply with the request to erase data was identified, as personal data was not erased systematically when requested by data subjects although there was no legal requirement to keep it and although users had been informed of the erasure of the data.

Last, there was a breach of the obligation to ensure the security of data, concerning passwords, locking of workstations, and access to data. More specifically, the password requirements and methods for processing the passwords were found to be non-compliant with the obligation to implement technical and organisational measures to ensure a level of security appropriate to the risk, since authentication was based on insufficiently complex passwords and obsolete hash algorithms. Additionally, the computer used by one of the database’s administrators was configured to never automatically lock or go into sleep mode. With regard to access to data, the absence of specific identification (i.e. the use of the same account by several people) made it impossible to ensure access traceability.

Decision
The LSA ordered the controller to comply, within two months of the notification of the decision, with several specific instructions.
First, the controller was ordered to provide full information to data subjects about the processing activities, in an easily accessible manner. Additionally, the LSA ordered the controller to set up a procedure for unsubscribing that is compliant with Articles 12 and 21 GDPR.
Secondly, the controller was ordered to ensure the effectiveness of all requests to exercise the right of erasure.
Last, the authority ordered the controller to take appropriate security measures to protect personal data and prevent access thereto by unauthorised third parties (by setting up a new password policy, avoiding the transmission of passwords in clear text, ensuring that workstations go into sleep mode, and setting up individual accounts).


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf


publishable_fr_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 29 August 2019
LSA: FR
CSAs: BE
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: No violation
Key words: Right to erasure, Right to object, Anonymisation

Summary of the Decision

Origin of the case
In a complaint filed with the CSA, the complainant alleged that personal data in her email correspondence with the controller was published on the controller’s website without her consent.

Findings
After communicating with the LSA, the controller took action to anonymise the complainant’s first and last names from the correspondence.

Decision
The LSA invited the controller to anonymise the copies of all the letters published on its website.

No further action towards the controller was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-09_right_to_erasure_summarypublic.pdf


publishable_fr_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 26 August 2019
LSA: FR
CSAs: AT, BE, DE-Rhineland-Palatinate, DE-Saxony-Anhalt, DE-North Rhine-Westphalia, NL, UK
Legal Reference: Right of access (Article 15); Right to erasure (Article 17); Right to object (Article 21)

Decision: No violation of the GDPR
Key words: Right to object, right to access, direct marketing

Summary of the Decision

Origin of the case
The complainant alleged that the controller had not taken his objection to direct marketing into account and that his request to access his personal data had not been granted.

Findings
The LSA found that both requests had been granted. The complainant’s email address had been erased from the controller’s marketing tools and an unsubscribe confirmation message had been sent.

Decision
No violation of the GDPR was found.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_right_to_object_summarypublic.pdf


publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 9 August 2019
LSA: FR
CSAs: ES, IT
Legal Reference: Lawfulness of the processing (Article 6 GDPR)

Decision: No violation
Key words: lawfulness of the processing, right to object, spam emails, unsolicited communication, rights of the data subject

Summary of the Decision

Origin of the case
The complainant alleged he faced difficulties when he tried to exercise his right to object to unsolicited marketing emails.

Findings
The LSA found that the complainant had consented to receiving marketing emails and that the controller removed the complainant’s data from their database, following the request. The controller’s reaction to the request was delayed, due to an internal dysfunction, which has since been resolved.

Decision
The LSA found no infringement.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf


publishable_fr_2019-03_lawfulness_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 March 2019
LSA: FR
CSAs: AT, BE, DE-Berlin, DE-Mecklenburg-Western Pomerania, DE-Bavaria (private sector), DE-Lower Saxony
Legal Reference: Right to object (Article 21), Principles relating to processing of personal data (Article 5), Lawfulness of the processing (Article 6), Conditions for consent (Article 7)

Decision: No violation
Key words: Rights of data subjects, Right to object, Lawfulness of processing, e-Commerce, Marketing

Summary of the Decision

Origin of the case
The data subject filed a complaint after facing difficulties in pursuing his right to object and in relation to the information required on the product order form.

Findings
The LSA found that the delay in complying with the right to object was due to the 72 hours required to process the relevant request, of which the data subject was informed. Besides, the request was submitted on a Saturday and Monday was a holiday. The data controller also took measures to clarify the e-mail address to which such requests can be submitted, and it also set up a dedicated email address to handle such requests more efficiently. In addition, the data controller no longer requires the date of birth to be provided for an order to be placed. Moreover, the consent to receive promotional offers from the controller and third parties must be explicitly given by checking the respective boxes when ordering a product.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The data controller did not delay compliance with the request beyond what was reasonable and adjusted the information required to avoid collecting more data than necessary.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_lawfulness_summarypublic.pdf


publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE, DK, ES, FR, HU, IT, LT, SK, NO
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to erasure (Article 17), Right to object (Article 21)

Decision: No infringement of the GDPR
Key words: Right to erasure, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision
Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with their requests. The first complainant demanded that his email and other account data no longer be processed for advertising and marketing purposes. The second complainant sought to exercise his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with its obligations under the GDPR. No further action towards the controller was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf


publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No ongoing infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Rhineland-Palatinate, DK, ES, FR, HU, IT, LT, PL, PT, SE, SK
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to object (Article 21)

Decision: No ongoing infringement of the GDPR
Key words: Right of access, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision

Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with their requests. The first complainant demanded that his email and other account data no longer be processed for advertising and marketing purposes. The second complainant sought to exercise his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with its obligations under the GDPR. No further action towards the controller was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_article_21_and_15_summarypublic.pdf
