CNPD (Portugal) - Deliberação 2019/297: Difference between revisions
No edit summary |
mNo edit summary |
||
Line 35: | Line 35: | ||
|National_Law_Link_2=http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=156&tabela=leis&ficha=1&pagina=1 | |National_Law_Link_2=http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=156&tabela=leis&ficha=1&pagina=1 | ||
|Party_Name_1= | |Party_Name_1=DECO PROTESTE Editores, Lda. | ||
|Party_Link_1= | |Party_Link_1=https://www.deco.proteste.pt/ | ||
|Party_Name_2= | |Party_Name_2= | ||
|Party_Link_2= | |Party_Link_2= | ||
Line 64: | Line 64: | ||
===Facts=== | ===Facts=== | ||
A data subject complained about receiving unsolicited direct marketing emails from Deco Proteste (the largest Portuguese Consumer Protection | A data subject complained about receiving unsolicited direct marketing emails from Deco Proteste (the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company). | ||
The data subject never provided her/his personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization. | The data subject never provided her/his personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization. |
Revision as of 14:18, 30 March 2021
CNPD - Deliberação 2019/297 | |
---|---|
Authority: | CNPD (Portugal) |
Jurisdiction: | Portugal |
Relevant Law: | Article 28 GDPR Article 13 of the e-Privacy Directive Article 13A of the Portuguese e-Privacy Act Portuguese Data Protection Act (Act 67/98) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.05.2019 |
Published: | |
Fine: | 107.000 EUR |
Parties: | DECO PROTESTE Editores, Lda. |
National Case Number/Name: | Deliberação 2019/297 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Portuguese |
Original Source: | CNPD Website (in PT) |
Initial Contributor: | Jose Belo |
The Portuguese DPA considered that an organisation is the controller of personal data when employing the services of a direct marketing company to promote its products or services, even if using its database for direct marketing purposes.
The direct marketing company, even if using its database for direct marketing purposes, acts on behalf of the controller and is a processor.
The Portuguese DPA also ruled that repeatedly sending unsolicited marketing communications without the data subject's consent, where said data subject is not an existing customer of the controller, breaches the GDPR and the ePrivacy Directive.
English Summary
Facts
A data subject complained about receiving unsolicited direct marketing emails from Deco Proteste (the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company).
The data subject never provided her/his personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.
After the investigation by the CNPD, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.
Dispute
Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. As such, it is the direct marketing company that is the controller, not Company A.
Holding
The Portuguese DPA did not accept the controller's arguments that (i) the marketing agency who sent the marketing communications was acting as an independent controller (and not the former's processor) and that (ii) the applicable legal basis to using the data subject's contact details for direct marketing purposes was the controller's legitimate interests, under Article 6(1)(f) of the GDPR.
Portuguese DPA considered that all direct marketing emails sent by the direct marketing company were of products and services offered by Deco Proteste.
It also considered that Deco Proteste freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offences.
The fact that Deco Proteste used a third party to assist in direct marketing of its products does not exclude controllership status of Deco Proteste, even if the database used was owned by the direct marketing company, which is considered by the CNPD as a processor acting on behalf of Deco Proteste, the controller.
Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.