CNPD (Portugal) - Deliberação 2019/297: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Portugal |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPT.png |DPA_Abbrevation=CNPD |DPA_With_Country=CNPD (Portugal) |Case_Number_Name...") |
mNo edit summary |
||
Line 20: | Line 20: | ||
|Date_Published= | |Date_Published= | ||
|Year=2019 | |Year=2019 | ||
|Fine= | |Fine=107.000 | ||
|Currency=EUR | |Currency=EUR | ||
Line 50: | Line 50: | ||
Portuguese DPA considers that an organisation is the controller of personal data when employing the services of a direct marketing company and using its database for direct marketing purposes. The direct marketing company, even if using its database for direct marketing purposes, acts on behalf of the controller and is a processor. | Portuguese DPA considers that an organisation is the controller of personal data when employing the services of a direct marketing company and using its database for direct marketing purposes. The direct marketing company, even if using its database for direct marketing purposes, acts on behalf of the controller and is a processor. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
A data subject complained about receiving unsolicited direct marketing emails from a company with whom she/he never provided personal data to. After the investigation by the CNPD, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint. | A data subject complained about receiving unsolicited direct marketing emails from a company with whom she/he never provided personal data to. After the investigation by the CNPD, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint. | ||
=== Dispute === | ===Dispute=== | ||
Company A claimed that the personal data in the database used to send direct marketing emails was owned by the direct marketing company, not them, and so, it is the direct marketing company that is the controller, not Company A. | Company A claimed that the personal data in the database used to send direct marketing emails was owned by the direct marketing company, not them, and so, it is the direct marketing company that is the controller, not Company A. | ||
=== Holding === | ===Holding=== | ||
Portuguese DPA considered that all direct marketing emails sent by the direct marketing company were of products and services offered by Company A. It also considered that Company A freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offenses. | Portuguese DPA considered that all direct marketing emails sent by the direct marketing company were of products and services offered by Company A. It also considered that Company A freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offenses. | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details. | The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details. | ||
Revision as of 12:25, 28 March 2021
CNPD - Deliberação 2019/297 | |
---|---|
Authority: | CNPD (Portugal) |
Jurisdiction: | Portugal |
Relevant Law: | Personal Data Protection Act (Act 67/98) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.05.2019 |
Published: | |
Fine: | 107.000 EUR |
Parties: | n/a |
National Case Number/Name: | Deliberação 2019/297 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Portuguese |
Original Source: | CNPD Website (in PT) |
Initial Contributor: | Jose Belo |
Portuguese DPA considers that an organisation is the controller of personal data when employing the services of a direct marketing company and using its database for direct marketing purposes. The direct marketing company, even if using its database for direct marketing purposes, acts on behalf of the controller and is a processor.
English Summary
Facts
A data subject complained about receiving unsolicited direct marketing emails from a company with whom she/he never provided personal data to. After the investigation by the CNPD, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.
Dispute
Company A claimed that the personal data in the database used to send direct marketing emails was owned by the direct marketing company, not them, and so, it is the direct marketing company that is the controller, not Company A.
Holding
Portuguese DPA considered that all direct marketing emails sent by the direct marketing company were of products and services offered by Company A. It also considered that Company A freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offenses.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.