CNPD (Portugal) - Deliberação 2019/297

From GDPRhub
Revision as of 11:42, 10 September 2024 by Wp (talk | contribs) (Hi, thanks for contributing to the GDPRHub. Great summary! I implemented some changes in the structure of facts and holding to emphasise the subject matter. Since the short summary is not suppose to exceed 250 characters, I shortened a bit.)
CNPD - Deliberação 2019/297
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 28 GDPR
Article 13 of the e-Privacy Directive
Article 13A of the Portuguese e-Privacy Act
Portuguese Data Protection Act (Act 67/98)
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.05.2019
Published:
Fine: 107.000 EUR
Parties: DECO PROTESTE Editores, Lda.
National Case Number/Name: Deliberação 2019/297
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Portuguese
Original Source: CNPD Website (in PT)
Initial Contributor: Jose Belo

The DPA fined the controller €107,000 for repeatedly sending unsolicited marketing communications without the data subject's consent. The controller bore liability even though it was a third-party who sent the communications using their own database.  

English Summary

Facts

A data subject received unsolicited direct marketing emails from Deco Proteste. Deco Proteste was the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company.

The data subject never provided their personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.

The data subject filed a complaint with the Portuguese DPA (CNPD).

After the investigation, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.

Dispute

Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. As such, it is the direct marketing company that was the controller, not Deco Proteste.

Holding

The DPA upheld the complaint and imposed a fine of €107,000.

Deco Proteste was assigned a role of a data controller. The DPA did not accept the controller's arguments that the marketing agency who sent the marketing communications was acting as an independent controller.The fact that the controller used a third party to assist in direct marketing of its products did not exclude their status of controller, even if the database used was owned by that third-party. Hence, the marketing company was considered by the DPA as a processor.

Also, the DPA explained the legitimate interest under Article 6(1)(f) GDPR was not the applicable legal basis to use the data subject's contact details for direct marketing purposes. The DPA considered that all direct marketing emails sent referred to products and services offered by controller. It also considered that controller freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the violations.

Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.

Comment


Further Resources

https://www.dn.pt/pais/comissao-de-protecao-de-dados-aplica-coima-de-107-mil-euros-a-deco-11515689.html

https://www.mondaq.com/data-protection/871388/new-fine-for-unsolicited-marketing-messages-by-portuguese-data-protection-authority

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=CNPD_(Portugal)_-_Deliberação_2019/297&oldid=42905"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki