IMY (Sweden) - DI-2020-10545
Latest revision as of 15:53, 15 November 2023
IMY - DI-2020-10545 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 6(1) GDPR, Article 12(2) GDPR, Article 12(3) GDPR, Article 21(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DI-2020-10545 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | DI-2020-10545 (in SV) |
Initial Contributor: | sh |
The Swedish DPA found H&M to have processed personal data for direct marketing in violation of Articles 6(1), 12(2), 12(3) and 21(3) of the GDPR.
English Summary
Facts
Six different complaints were filed with multiple DPAs over H&M’s direct marketing practices. Given that H&M is a Swedish-based company, the Swedish DPA is the responsible supervisory authority under Article 56 GDPR. The complaints were forwarded by the DPAs of Poland, Italy and the United Kingdom.
According to the complaints, the data subjects received unsolicited newsletters from the company even though they had objected to having their personal data processed for direct marketing purposes. H&M (the controller) offered its customers three ways to object. Customers could change their subscription status under their account settings, unsubscribe via a link provided in every newsletter mailing, or contact the company's customer service. In each complaint the data subjects submitted evidence demonstrating that they had used these options but still received H&M’s marketing newsletters.
Given that this was cross-border processing, the Swedish DPA used the mechanisms provided in Chapter VII GDPR. Concerned Supervisory Authorities included Germany, Slovenia, France, Denmark, Spain, Norway, Italy, Finland, Poland, Belgium, Portugal, Cyprus, Estonia and the Netherlands.
Due to Brexit and given that two of the six complaints were filed in the UK, the Swedish DPA contacted the United Kingdom's DPA (ICO) to ensure that a ne bis in idem (charging for the same crime twice) situation was avoided. The ICO replied that it had no information indicating that it had taken any corrective action on the complaints. It was noted that the ICO's retention period for complaints is two years and it had therefore not kept any information on the complaints. The IMY did not consider Brexit to be an obstacle because the controller’s establishment was in the Union.
Holding
The IMY decided that, with regard to the six complaints, there were deficiencies in the internal process for handling objections under Article 21(2) GDPR which resulted in the complainants not being able to easily access and exercise their rights under the GDPR.
The IMY determined that there has also been an infringement of Articles 21(3), 12(3) and 6(1) GDPR. If a data subject objects to direct marketing under Article 21(2) GDPR, Article 21(3) GDPR provides that personal data shall no longer be processed for such purposes. The fact that H&M continued to process the data means that there can be no legal basis for the processing under Article 6(1) GDPR either. Since the right to object to direct marketing according to Article 21(2) GDPR is unconditional, there is no room for an individual assessment of whether such an objection should be accepted.
Article 21(3) GDPR also requires action without undue delay (at the latest within a month). The IMY went through each complaint and determined that H&M had taken too long to react. As H&M is such a large company, it is important that it has functioning routines and processes in place to deal with data subjects' objections promptly. All of the complainants' objections to direct marketing had to be repeated to H&M and were made through cumbersome options, which delayed action on the company's side.
The Swedish DPA fined H&M 350,000 SEK (around 30,362 euros).
Comment
This decision looks like an Article 60 decision but the Article is not mentioned by the IMY.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.