Tietosuojavaltuutetun toimisto (Finland) - 8086/182/2019: Difference between revisions
(Made some minor grammatical corrections; updated references to be in line with the style guide ("e.g. article 4(11) GDPR"); deleted chapter regarding Article 95 GDPR) |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 69: | Line 69: | ||
}} | }} | ||
The Finnish DPA held that consent requested by the controller for direct marketing in the context of participation in a lottery was freely given in accordance with Article 4(11) GDPR and fulfilled the condition for withdrawal of consent set out in Article 7(3). | The Finnish DPA held that consent requested by the controller for direct marketing in the context of participation in a lottery was freely given in accordance with Article 4(11) GDPR and fulfilled the condition for withdrawal of consent set out in Article 7(3) GDPR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Finnish DPA received a submission from a complainant regarding a data controller's processing of personal data in connection with a lottery. As a condition for participating to the lottery | The Finnish DPA received a submission from a complainant regarding a data controller's processing of personal data in connection with a lottery. As a condition for participating to the lottery requested the participants to consent to direct marketing. | ||
According to the | According to the lottery, the complaint concerned a marketing campaign related to the company's 30th anniversary including a lottery for the customers, and the rules for the lottery said that in order to participate, a customer had to give their consent for direct marketing. Consent was given by ticking a box saying "Yes, I want to participate to the lottery and subscribe to direct marketing or I am already a subscriber". After receiving the first marketing email or newsletter, a data subject could unsubscribe by following instructions on the email. | ||
=== Holding === | === Holding === | ||
The Finnish DPA considered the following questions: 1) is consent for direct marketing freely given as required under Article 4 (11) GDPR when consent is a condition for participating | The Finnish DPA considered the following questions: 1) is consent for direct marketing freely given as required under Article 4 (11) GDPR when consent is a condition for participating in a lottery, and 2) has the data controller complied with Article 7(3) GDPR and provided a possibility to data subjects to withdraw consent. | ||
The Finnish DPA viewed that it is undeniable that participating to the lottery is depending on consent for marketing, and that a consent is not voluntary if data subject does not have real option to not give consent without having negative consequence. The DPA noted that the European Data Protection Board has stated that adding consent to agreement terms is strongly undesirable. | The Finnish DPA viewed that it is undeniable that participating to the lottery is depending on consent for marketing, and that a consent is not voluntary if data subject does not have real option to not give consent without having negative consequence. The DPA noted that the European Data Protection Board has stated that adding consent to agreement terms is strongly undesirable. |
Latest revision as of 15:12, 25 April 2023
Tietosuojavaltuutetun toimisto - 8086/182/2019 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 4(11) GDPR Article 7(3) GDPR Article 7(4) GDPR Article 95 GDPR 2002/58/EC 2014/917 200§ |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | 21.10.2019 |
Decided: | 24.03.2023 |
Published: | 24.03.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 8086/182/2019 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Finnish |
Original Source: | Finlex (in FI) |
Initial Contributor: | Eetu Salpaharju |
The Finnish DPA held that consent requested by the controller for direct marketing in the context of participation in a lottery was freely given in accordance with Article 4(11) GDPR and fulfilled the condition for withdrawal of consent set out in Article 7(3) GDPR.
English Summary
Facts
The Finnish DPA received a submission from a complainant regarding a data controller's processing of personal data in connection with a lottery. As a condition for participating to the lottery requested the participants to consent to direct marketing.
According to the lottery, the complaint concerned a marketing campaign related to the company's 30th anniversary including a lottery for the customers, and the rules for the lottery said that in order to participate, a customer had to give their consent for direct marketing. Consent was given by ticking a box saying "Yes, I want to participate to the lottery and subscribe to direct marketing or I am already a subscriber". After receiving the first marketing email or newsletter, a data subject could unsubscribe by following instructions on the email.
Holding
The Finnish DPA considered the following questions: 1) is consent for direct marketing freely given as required under Article 4 (11) GDPR when consent is a condition for participating in a lottery, and 2) has the data controller complied with Article 7(3) GDPR and provided a possibility to data subjects to withdraw consent.
The Finnish DPA viewed that it is undeniable that participating to the lottery is depending on consent for marketing, and that a consent is not voluntary if data subject does not have real option to not give consent without having negative consequence. The DPA noted that the European Data Protection Board has stated that adding consent to agreement terms is strongly undesirable.
The DPA stated that the wording in Article 7(4) GDPR is not absolute and that the view of the European Data Protection Board has been, there may be some rare cases where this conditionality would not invalidate the consent.
When assessing whether consent is valid, the DPA paid attention to the purpose of processing personal data which in the case was about voluntary participation in the lottery. The Data Protection Commissioner emphasizes the importance of voluntary consent, but notes that the case in question is not about a service that is necessary for the data subject. According to the DPA, not participating in the lottery does not cause negative consequences or harm to the data subject.
This said, the DPA decided that the consent requested by the controller for direct marketing in connection with participation in the lottery has been freely given in accordance with Article 4(11) GDPR, and it has fulfilled the condition for withdrawal of consent stipulated in Article 7(3) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Decision of the Data Protection Commissioner Thing Voluntary consent to direct marketing in connection with participation in the lottery Background of the matter On October 21, 2019, a report was filed with the Data Protection Commissioner's office regarding the data controller's processing of personal data in connection with the lottery. The matter has been that the condition for participating in the lottery has been giving consent to direct marketing. The method of operation described in the notification is still in established use by the controller. Statement received from the registrar The Office of the Data Protection Commissioner has sent a request for clarification to the controller on 22 March 2021, and again on 21 September 2021 and 5 September 2022, as the controller had not submitted a response to the request for clarification from the Office of the Data Protection Commissioner. On 12 October 2022, the registrar has submitted a report. In his report, the registrar has said, among other things, the following. In marketing lotteries organized by the controller, the processing of personal data is based on consent. The notification was about the raffle for the 30th anniversary of the data controller, the rules of which state the following: "Participation in the raffle requires either that the participant gives the data controller an electronic marketing license when participating in the raffle, or that he has previously given the data controller an electronic marketing license before participating in the raffle and participates in this context, only for the lottery". Consent to direct marketing is given by ticking the box indicating approval: "Yes, I participate in the lottery and I want to join the group of recipients of electronic advertising from the data controller or I am already a subscriber to electronic advertising from the data controller". The registrar has said that in connection with its raffles, the granting of a direct marketing license is still required as a condition for participation. The above is done by checking the box "I subscribe to the data controller's electronic newsletter or I am already a subscriber". The controller has said that the registered person can cancel the subscription to the newsletter at any time from the text link at the bottom of the newsletter. According to the registrar, you will be informed about the cancellation of the newsletter when you participate in the lottery as follows: "You can cancel the subscription to the newsletter from the link at the bottom of the letter". Applicable legislation According to Article 4, Section 11 of the General Data Protection Regulation, the data subject's consent means any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent. According to Article 7, paragraph 3 of the General Data Protection Regulation, the data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of processing carried out on the basis of consent prior to its withdrawal. Before giving consent, the data subject must be informed of this. Withdrawing consent must be as easy as giving it. According to Article 7, paragraph 4 of the General Data Protection Regulation, when assessing the voluntariness of consent, it must be taken into account as comprehensively as possible, among other things, whether consent to the processing of personal data that is not necessary for the execution of the contract in question has been set as a condition for the provision of a service or the execution of another contract. According to Article 95 of the General Data Protection Regulation, the General Data Protection Regulation does not impose additional obligations regarding the processing related to the provision of publicly available electronic communication services on public communication networks in the Union, in relation to matters that must be complied with in the Regulation on the processing of personal data and the protection of privacy in the field of electronic communications of the European Parliament and special obligations laid down in Council Directive 2002/58/EC (electronic communications data protection directive) with the same objective. Paragraph 173 of the preamble of the General Data Protection Regulation, on the other hand, states that the General Data Protection Regulation should be applied to all matters concerning the protection of fundamental rights and freedoms in the processing of personal data, which are not subject to the special obligations laid down in the Electronic Communications Data Protection Directive, which have the same goal, the obligations concerning the controller and including the rights of natural persons. The general data protection regulation will thus basically be applicable to the extent that the electronic communications data protection directive does not provide for more specific provisions on the matter. Electronic direct marketing to natural persons is regulated in Section 200 of the Act on Electronic Communication Services. According to § 200 subsection 1 of the said law, direct marketing carried out using automated calling systems and fax machines, e-mail messages, text messages, voice messages, audio messages or picture messages may only be targeted at natural persons who have given their consent in advance. The consent of the user or subscriber is defined in Article 2(2)(f) of the Electronic Communications Data Protection Directive. In the Electronic Communications Data Protection Directive, consent means the same as the data subject's consent in Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals in the processing of personal data and the free movement of such data (personal data directive). The Personal Data Directive has been repealed by the General Data Protection Regulation, which is why, according to Article 94 of the regulation, it applies instead of the Personal Data Directive. The Court of Justice of the European Union has also stated in paragraph 63 of its ruling in the Planet49 case that the conditions for consent in the Electronic Communications Directive and the General Data Protection Regulation must be read together. Consequently, the regulation on consent of the General Data Protection Regulation will be applied in the case. A legal question The Data Protection Commissioner evaluates and decides the case based on the General Data Protection Regulation (EU) 2016/679. The matter has to be resolved 1. Whether the consent requested by the data controller in connection with participation in the lottery was voluntary in accordance with Article 4, paragraph 11 of the General Data Protection Regulation, and whether the data controller enabled the data subject to withdraw consent in accordance with Article 7, paragraph 3 of the General Data Protection Regulation. If the processing of personal data carried out by the data controller has not been in accordance with the provisions of the General Data Protection Regulation, the matter to be resolved is which sanction according to Article 58, paragraph 2 of the General Data Protection Regulation should be imposed on the data controller. The data protection officer's decision and reasons Decision No order. In accordance with Article 4 11 of the General Data Protection Regulation, the consent requested by the controller for direct marketing in connection with participation in the lottery has been voluntary, and it has fulfilled the condition for withdrawal of consent stipulated in Article 7, paragraph 3. Reasoning The controller requires that the data subject participating in the lottery agrees to electronic direct marketing. If the registrant does not check the box, and thus accepts direct marketing, the registrant will not be able to participate in the lottery. Consent to direct marketing is therefore a prerequisite for participation in the draw. Article 4, paragraph 11 of the General Data Protection Regulation provides for consent in accordance with the General Data Protection Regulation, which must be a voluntary, individualized, informed and unambiguous expression of will (See also chapter 42 of the preamble of the General Data Protection Regulation regarding the conditions for consent.). A valid consent therefore includes all the elements mentioned above. The component "voluntary" requires the actual possibility of free choice and control of the data subjects. The General Data Protection Regulation generally stipulates that consent is not valid if the data subject does not have a real possibility of free choice, if he feels compelled to give his consent, or if he suffers negative consequences for not giving consent. (Guidelines for consent under Regulation 2016/679 05/2020, version 1.1, approved on 4 May 2020.) In the current case, the most important thing is to assess the voluntariness of the consent from the point of view of conditionality. Conditionality means that the data subject must have a real possibility of free choice. Centrally related to this is assessing whether the consent has been included as a non-negotiable part of the contract terms. If consent is included as part of non-negotiable terms, the presumption is that it was not voluntarily given. By forcing to accept the use of personal data other than absolutely necessary, the data subject's choices are limited and voluntary consent is prevented. Paragraph 4 of Article 7 of the General Data Protection Regulation is important when assessing whether consent has been given voluntarily. The European Data Protection Board has considered, with regard to Article 7, paragraph 4 of the General Data Protection Regulation, that "attaching" consent to the acceptance of terms, or "tying" the execution of a contract or the provision of a service to a request to obtain consent to the processing of personal data that is not necessary for the execution of the contract or the performance of the service in question, considered highly undesirable. Voluntary means, as explained above, that the data subject must have a real possibility of free choice to give or not to give consent. However, the evaluation should also take into account the wording of Article 7, paragraph 4 of the General Data Protection Regulation "when evaluating the voluntariness of the consent, the voluntariness of the consent should be taken into account as comprehensively as possible", which suggests that the said wording is not absolute. In the view of the European Data Protection Board, there may be some rare cases where this conditionality would not invalidate the consent. When assessing whether the consent in the case in question could be considered valid regardless of the condition, the data protection commissioner pays attention to the purpose of processing personal data. In the present case, it is about voluntary participation in the lottery. The Data Protection Commissioner emphasizes the importance of voluntary consent, but notes that the case in question is not about a service that is necessary for the data subject. According to the Data Protection Commissioner's opinion, not participating in the lottery does not cause negative consequences or harm to the data subject. Participation in the lottery is also voluntary and a natural person can freely make a decision about participating in the lottery. Based on the above, the Data Protection Commissioner considers that the consent to direct marketing required in connection with participation in the lottery has been voluntary in accordance with Article 4, Section 11 of the General Data Protection Regulation. In addition, to be valid, the data subject must have the right to withdraw consent at any time, according to Article 7(3) of the General Data Protection Regulation. Withdrawal must be as easy as giving it, and the data subject must be informed of the right to withdraw consent before consent is given. The Data Protection Commissioner considers the controller's method of operation to meet the requirement for withdrawal of consent according to Article 7, paragraph 3 of the General Data Protection Regulation, as the controller says that it informs about the cancellation of the newsletter when participating in the lottery. According to the controller's explanation, it is also possible to cancel the processing of personal data for direct marketing using the link in the newsletter. In its decision, the Data Protection Commissioner does not evaluate the conditions of participation in the lottery in other respects. Applicable legal provisions General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) Article 4(11), Article 7(3) and (4).