AKI (Estonia) - 2.1.-1/24/181-367-3: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-1/24/181-367-3 |ECLI= |Original_Source_Name_1=AKI |Original_Source_Link_1=https://gdprhub.eu/images/e/eb/EE.pdf |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type=Complaint |Outc...") |
mNo edit summary |
||
| (One intermediate revision by one other user not shown) | |||
| Line 61: | Line 61: | ||
}} | }} | ||
The DPA reprimanded | The DPA reprimanded a controller for sending direct marketing offers without an option to opt-out while claiming during the investigation, that the processing in question was suspended. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 26 August 2022 a data subject lodged a complaint according to which they received direct marketing offers to their e-mail address from various e-mail | On 26 August 2022 a data subject lodged a complaint according to which they received direct marketing offers to their e-mail address from various e-mail addresses belonging to Staffrent OÜ, a personnel outsourcing and staffing agency (‘controller’). The offers did not contain information on the possibility to opt out of receiving them. The data subject repeatedly contacted the controller, expressing their wish to not receive the direct marketing offers and prohibited the controller from further processing their contact details. | ||
The DPA started an investigation into the matter and sent an inquiry to the controller regarding the allegations made against them. The controller replied on 24 October 2022 that they informed the data subject that no further offers will be sent to their e-mail address. Additionally, they | The DPA started an investigation into the matter and sent an inquiry to the controller regarding the allegations made against them. The controller replied on 24 October 2022 that they informed the data subject that no further offers will be sent to their e-mail address. Additionally, they added a note to their direct marketing offers regarding an option to unsubscribe. | ||
However, on 27 October 2022, the data subject received another direct marketing offer from the controller, again without an information to opt-out. In its reply to the DPA, the controller stated that the e-mail in | However, on 27 October 2022, the data subject received another direct marketing offer from the controller, again without an information to opt-out. In its reply to the DPA, the controller stated that the e-mail in question was sent in error and promised to seek help from IT specialists. As a result, the DPA closed the monitoring procedure. | ||
On 27 September 2023, the DPA received a letter of warning from another customer to whom the controller sent direct marketing offers omitting the information on how to opt-out. The controller explained to the DPA that their software broke down and the opt-out service | On 27 September 2023, the DPA received a letter of warning from another customer to whom the controller sent direct marketing offers omitting the information on how to opt-out. The controller explained to the DPA that their software broke down and the opt-out service did not work. However, the data subjects were guaranteed the possibility to send them a request for deletion of their data. The controller claimed that until the problem is solved, they will stop advertising. | ||
On 8 February 2024, another customers’ complaint to the DPA contained the same allegations regarding the controller. | On 8 February 2024, another customers’ complaint to the DPA contained the same allegations regarding the controller. | ||
| Line 79: | Line 79: | ||
To begin with, the DPA stated that the processing in question concerns electronic direct marketing within the meaning of Section 5(1) of the Information Society Service Act. The use of electronic contact data for direct marketing is regulation by Section 103 of the Estonian Electronic Communications Act (‘ECA’) according to which the use of this data is permitted if: | To begin with, the DPA stated that the processing in question concerns electronic direct marketing within the meaning of Section 5(1) of the Information Society Service Act. The use of electronic contact data for direct marketing is regulation by Section 103 of the Estonian Electronic Communications Act (‘ECA’) according to which the use of this data is permitted if: | ||
1) the use of the contact data provides a clear and comprehensible opportunity to opt out of such use of his or her contact data in a free and simple manner at any time, or | 1) the use of the contact data provides a clear and comprehensible opportunity to opt out of such use of his or her contact data in a free and simple manner at any time, or | ||
The DPA emphasized that pursuant to Section 103(4)(5) ECA the use of contact details for direct marketing is prohibited if the user has | 2) a person will be allowed to exercise their right to refuse through an electronic communications network. | ||
The DPA emphasized that pursuant to Section 103(4) and (5) ECA the use of contact details for direct marketing is prohibited if the user has objected to the processing of their electronic contact details for direct marketing. | |||
In the light of the above, several data subjects refused to have their contact details deleted on several occasions. The controller confirmed to the DPA twice that no further offers will be sent to the data subjects that do not wish to receive them. Nevertheless, the data subject received another direct marketing offer whereby the controller violated the | In the light of the above, several data subjects refused to have their contact details deleted on several occasions. The controller confirmed to the DPA twice that no further offers will be sent to the data subjects that do not wish to receive them. Nevertheless, the data subject received another direct marketing offer whereby the controller violated the objection to the processing of contact data for the purpose of direct marketing as per Section 103(4) and (5) ECA. | ||
Taking into account the fact that the controller repeatedly violated its obligations under the ECA, the DPA considered that the issuance of a mandatory injunction in this case is necessary in order to put an end to the infringement as soon as possible. | Taking into account the fact that the controller repeatedly violated its obligations under the ECA, the DPA considered that the issuance of a mandatory injunction in this case is necessary in order to put an end to the infringement as soon as possible. Therefore, the DPA reprimanded the controller for the above mentioned acts and ordered them to stop sending direct marketing offers to the data subject’s e-mail address. In case the controller failed to comply with the order, the DPA will impose a fine in the amount of €2,500. | ||
Therefore, the DPA reprimanded the controller for the above mentioned acts and ordered them to stop sending direct marketing offers to the data subject’s e-mail address. In case the controller failed to comply with the order, the DPA will impose a fine in the amount of €2,500. | |||
== Comment == | == Comment == | ||
The Estonian Electronic Communications Act incorporates the principles and requirements of the e-Privacy Directive as a separate legal instrument tailored to Estonia’s legal and regulatory framework. | The Estonian Electronic Communications Act incorporates the principles and requirements of the e-Privacy Directive as a separate legal instrument tailored to Estonia’s legal and regulatory framework. | ||
The Article of the ECA regulating the requirement to include an option to opt-out of receiving direct marketing offers mirrors right to object under [[Article 21 GDPR]]. | |||
== Further Resources == | == Further Resources == | ||
Latest revision as of 08:56, 21 May 2024
| AKI - 2.1.-1/24/181-367-3 | |
|---|---|
 | |
| Authority: | AKI (Estonia) |
| Jurisdiction: | Estonia |
| Relevant Law: | Article 13 103 ESS |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 26.08.2022 |
| Decided: | 01.03.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 2.1.-1/24/181-367-3 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Estonian |
| Original Source: | AKI (in ET) |
| Initial Contributor: | im |
The DPA reprimanded a controller for sending direct marketing offers without an option to opt-out while claiming during the investigation, that the processing in question was suspended.
English Summary
Facts
On 26 August 2022 a data subject lodged a complaint according to which they received direct marketing offers to their e-mail address from various e-mail addresses belonging to Staffrent OÜ, a personnel outsourcing and staffing agency (‘controller’). The offers did not contain information on the possibility to opt out of receiving them. The data subject repeatedly contacted the controller, expressing their wish to not receive the direct marketing offers and prohibited the controller from further processing their contact details.
The DPA started an investigation into the matter and sent an inquiry to the controller regarding the allegations made against them. The controller replied on 24 October 2022 that they informed the data subject that no further offers will be sent to their e-mail address. Additionally, they added a note to their direct marketing offers regarding an option to unsubscribe.
However, on 27 October 2022, the data subject received another direct marketing offer from the controller, again without an information to opt-out. In its reply to the DPA, the controller stated that the e-mail in question was sent in error and promised to seek help from IT specialists. As a result, the DPA closed the monitoring procedure.
On 27 September 2023, the DPA received a letter of warning from another customer to whom the controller sent direct marketing offers omitting the information on how to opt-out. The controller explained to the DPA that their software broke down and the opt-out service did not work. However, the data subjects were guaranteed the possibility to send them a request for deletion of their data. The controller claimed that until the problem is solved, they will stop advertising.
On 8 February 2024, another customers’ complaint to the DPA contained the same allegations regarding the controller.
Holding
To begin with, the DPA stated that the processing in question concerns electronic direct marketing within the meaning of Section 5(1) of the Information Society Service Act. The use of electronic contact data for direct marketing is regulation by Section 103 of the Estonian Electronic Communications Act (‘ECA’) according to which the use of this data is permitted if:
1) the use of the contact data provides a clear and comprehensible opportunity to opt out of such use of his or her contact data in a free and simple manner at any time, or
2) a person will be allowed to exercise their right to refuse through an electronic communications network.
The DPA emphasized that pursuant to Section 103(4) and (5) ECA the use of contact details for direct marketing is prohibited if the user has objected to the processing of their electronic contact details for direct marketing.
In the light of the above, several data subjects refused to have their contact details deleted on several occasions. The controller confirmed to the DPA twice that no further offers will be sent to the data subjects that do not wish to receive them. Nevertheless, the data subject received another direct marketing offer whereby the controller violated the objection to the processing of contact data for the purpose of direct marketing as per Section 103(4) and (5) ECA.
Taking into account the fact that the controller repeatedly violated its obligations under the ECA, the DPA considered that the issuance of a mandatory injunction in this case is necessary in order to put an end to the infringement as soon as possible. Therefore, the DPA reprimanded the controller for the above mentioned acts and ordered them to stop sending direct marketing offers to the data subject’s e-mail address. In case the controller failed to comply with the order, the DPA will impose a fine in the amount of €2,500.
Comment
The Estonian Electronic Communications Act incorporates the principles and requirements of the e-Privacy Directive as a separate legal instrument tailored to Estonia’s legal and regulatory framework.
The Article of the ECA regulating the requirement to include an option to opt-out of receiving direct marketing offers mirrors right to object under Article 21 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY
INTERNAL USE
Note made: 29.02.2024 Inspection
Access restriction is valid until: 28.02.2099
in terms of p. 2, until the decision enters into force
Basis: AvTS § 35 (1) p. 12, AvTS § 35 (1) p. 2
PRESCRIPTION WARNING
In the case of the Electronic Communications Act No. 2.1.-1/24/181-367-3
Annika Kaljula, a lawyer from the Data Protection Inspectorate, issued the order
The time of making the prescription and
place 01.03.2024 in Tallinn
Staffrent OÜ
Addressee of the injunction –
address of the personal data processor: Ülemiste tee 3, Tallinn 11415
e-mail address: info@staffrent.ee
Personal data processor Member of the Board
responsible person
RESOLUTION:
1
§103(4)(5), §133(4) of the Electronic Communications Act (ESS), personal data protection
Act (IKS) § 56 subsection 1, subsection 2 clause 8, § 58 subsection 1 and protection of personal data
On the basis of Article 58(2)(f) of the General Regulation, I issue a mandatory injunction for compliance:
Stop sending direct marketing offers to email address xxx
I set the deadline for the execution of the injunction to be 08.03.2024.
Report compliance with the order to the Data Protection Inspectorate by this deadline at the latest.
DISPUTE REFERENCE:
This order can be challenged within 30 days by submitting either:
- a complaint to the Data Protection Inspectorate according to the Administrative Procedure Act or
- an appeal to the administrative court in accordance with the Code of Administrative Court Procedures (in the case of a case in point
to review the dispute in the matter).
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment
implementation.
EXTORTION MONEY WARNING:
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine
to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act:
Extortion money 2500 euros.
A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / registry code 70004235 forced money, it will be forwarded to the bailiff to start the enforcement procedure. In this case, they are added
bailiff's fee and other enforcement costs for enforcement money.
VIOLATION PENALTY WARNING:
Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation
misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act
a natural person may be fined up to 20,000,000 euros and a legal person
may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one
of the total worldwide annual turnover for the financial year, whichever is greater.
The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate.
FACTUAL CIRCUMSTANCES:
The Data Protection Inspectorate (AKI) received a complaint from xxx (complainant) on 26.08.2022, according to which
the complainant's direct marketing offers to the e-mail address xxx from various Staffrent OÜ (data processor)
from e-mail addresses (work@staffrent.ee; jelizaveta@staffrent.ee; leonid@staffrent.ee;
juliana@staffrent.ee) on 16.10.2021; 26/07/2022; 26/08/2022; 14.09.2022. Sent
direct marketing offers lacked information on how a person can opt out of receiving them.
The applicant repeatedly informed the data processor by e-mail that he did not want direct marketing offers
receive and prohibited the data processor from using his contact details (I immediately demand my e-
deletion of the letter's address from your list and prohibit any information from being sent to my e-mail in the future
postal address).
Based on the information received, AKI started the supervision procedure regarding Staffrent OÜ and sent
inquiry to the data processor. The data processor replied to AKI on 26.09.2022: We are willing
considered, this offer will no longer be sent to the xxx email address.
In addition, AKI asked the data processor to clarify what changes were made and what they were
mistakes would not happen in the future and to confirm that information has been added to the direct marketing offers,
how can a person opt out of spam emails. AKI's inquiry was answered by the data processor
24.10.2022: We have informed all employees that this contact no longer needs advertising
send. And now we have a note: If you don't want to receive more offers from us, please
write "I no longer wish to receive offers" in response to the letter. The offer will only be sent
to interested companies that have previously received an offer over the phone.
Despite the above answers, the applicant received a new direct marketing offer on 27.10.2022
data processor's e-mail from galina@staffrent.ee. Also, the letter sent was missing again
information on how to opt out of receiving emails. The data processor confirmed in the reply to AKI on 15.11.2022,
that it was a letter sent by mistake. The data processor agreed to seek help from IT specialists
and start using the marketing message platform Mailchimp, which would become unsolicited
not sending an ad to an automated activity. The data processor agreed to stop the letters
sending until the corresponding technical measures have been put into operation. AKI ended it
supervision procedure.
On 27.09.2023, AKI received a memo from another citizen to whom the data processor had sent
direct marketing offers and the emails still lacked information on how to opt out of receiving emails.
During the supervision procedure, AKI proposed to the data processor to stop the newsletters
sending, unless they are accompanied by instructions or information that allows the recipient of the newsletter to
exercise the right to refuse. The data processor replied to AKI on 20.11.2023: At the present time
the mentioned shortcomings are addressed. Unfortunately, the software that enabled this option went away
broken, so some letters were delivered manually and there is no opt-out service, but in person
is guaranteed the possibility to send us a letter according to which we will delete his data. At the moment, until
the problem is solved, we will stop the delivery of the ad, or we will directly put a link where people can opt out and we will manually change our ad recipient list.
On 08.02.2024, the applicant (xxx) appealed to AKI with a new complaint, as he had received
direct marketing offer from the data processor (from the e-mail address
commerce@offer.staffrent.ee).
GROUNDS FOR DATA PROTECTION INSPECTION:
1. First, AKI explains the concept and nature of direct marketing. Electronic direct marketing
the term is not defined in law, but in practice it is treated as direct marketing
offers sent to natural or legal persons in connection with the sale of the product or
with service provision. For the most part, direct marketing is about commercial announcements
with shipping. According to § 5 (1) of the Information Society Service Act, a commercial announcement is any kind
types of information transmission designed to directly or indirectly promote the service provider
on behalf of the offer of goods or services or to improve the reputation of the service provider. The easiest
direct marketing can be recognized by its result. If sending an offer promotes anything
activities of the entrepreneur, it is always direct marketing.
2. Offers sent by the data processor by e-mail invite you to use the company
services (labor rental services): I am sure that the services provided by our company
could be of great interest to you. We are a recruitment and staffing company that
offers qualified specialists and service personnel from Holland, Finland, Estonia, Latvia
and to the German markets.STAFFRENT™for result-focused professionals
team. We know how hard it is to find the right person for a specific task these days,
that's why we've created our own outsourcing service that frees up European companies
from an additional problem and is helpful in achieving goals.
3. The applicant has received direct marketing offers in which he is offered a labor rental service,
to the e-mail address of the legal entity (xxx) on 16.10.2021; 26/07/2022;
26/08/2022; 14/09/2022; 27.10.2022 and 08.02.2022. Because the purpose of sending letters
is to promote the activities of the data processor in the provision of rental services, and letters are sent
to e-mail addresses of persons, it is electronic direct marketing.
4. The use of electronic contact data for direct marketing is regulated by the electronic
According to § 103 and subsection 2 of the Communications Act (ESS), a legal person is a communications service provider
the use of user or customer electronic contact data for direct marketing is
permitted if: 1) clear and comprehensible information is given each time when using contact data
a free and easy way to disable your contact information
use; 2) the person is enabled to realize his right to refusal
via an electronic communication network.
5. According to ESS § 103, paragraph 4, point 5, the use of contact data is direct marketing
prohibited if the user, customer or buyer of the communication service has prohibited theirs
use of electronic contact data for direct marketing.
6. The applicant has explicitly prohibited the deletion of his contact data on 18.10.2021,
2.08.2022 (I immediately request the deletion of my e-mail address from your list and prohibit
from now on sending any information to my e-mail address). In addition, confirmed
data processor to AKI on 26.09.2022 in the course of supervisory procedure No. 2.1.-5/22/20762, that
No more offers will be sent to the xxx email address. 24.10.2022 confirmed by the data processor
To AKI again: We have informed all employees that this contact is no longer available
need to send an ad. 7. Despite this, the complainant has received another direct marketing offer from the data processor
08.02.2024, with which the data processor has violated § 103, paragraph 4, point 5 of ESS
refuse to use contact details for direct marketing purposes because the applicant was
have repeatedly denied the use of their contact information.
8. AKI has conducted two supervision procedures, during which it has clarified
to the data processor the requirements arising from ESS for sending direct marketing offers.
The data processor has nevertheless failed to send direct marketing offers
regulate in such a way that the person who has their electronic contact information
banned, no offers would come.
9. Taking into account the factual circumstances and the fact that the data processor has repeatedly violated
obligations arising from the Electronic Communications Act and continues despite the prohibitions
sending direct marketing offers to the complainant's e-mail address, the inspection finds that
making a mandatory injunction in this case is necessary to stop the offense
as soon as possible and ensure the protection of the applicant's rights to his electronic
regarding the use of contact data.
(signed digitally)
Annika Kaljula
lawyer
on the authority of the Director General
