CNPD (Portugal) - Deliberação 2019/297: Difference between revisions

From GDPRhub
(Hi, thanks for contributing to the GDPRHub. Great summary! I implemented some changes in the structure of facts and holding to emphasise the subject matter. Since the short summary is not suppose to exceed 250 characters, I shortened a bit.)
Line 55: Line 55:
}}
}}


The Portuguese DPA considered that an organisation is the controller of personal data when employing the services of a direct marketing company to promote its products or services, even if using its database for direct marketing purposes.
The DPA fined the controller €107,000 for repeatedly sending unsolicited marketing communications without the data subject's consent. The controller bore liability even though it was a third-party who sent the communications using their own database.  
 
The direct marketing company, even if using its database for direct marketing purposes, acts on behalf of the controller and is a processor.
 
The Portuguese DPA also ruled that repeatedly sending unsolicited marketing communications without the data subject's consent, where said data subject is not an existing customer of the controller, breaches the GDPR and the ePrivacy Directive.  


==English Summary==
==English Summary==


===Facts===
===Facts===
A data subject complained about receiving unsolicited direct marketing emails from Deco Proteste (the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company).   
A data subject received unsolicited direct marketing emails from Deco Proteste. Deco Proteste was the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company
 
The data subject never provided their personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.   


The data subject never provided her/his personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.
The data subject filed a complaint with the Portuguese DPA (CNPD).  


After the investigation by the CNPD, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.  
After the investigation, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.


===Dispute===
===Dispute===
Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. As such, it is the direct marketing company that is the controller, not Company A.
Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. As such, it is the direct marketing company that was the controller, not Deco Proteste.


===Holding===
===Holding===
The Portuguese DPA did not accept the controller's arguments that (i) the marketing agency who sent the marketing communications was acting as an independent controller (and not the former's processor) and that (ii) the applicable legal basis to using the data subject's contact details for direct marketing purposes was the controller's legitimate interests, under Article 6(1)(f) of the GDPR.
The DPA upheld the complaint and imposed a fine of €107,000.
 
Portuguese DPA considered that all direct marketing emails sent by the direct marketing company were of products and services offered by Deco Proteste.  


It also considered that Deco Proteste freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offences.  
Deco Proteste was assigned a role of a data controller. The DPA did not accept the controller's arguments that the marketing agency who sent the marketing communications was acting as an independent controller.The fact that the controller used a third party to assist in direct marketing of its products did not exclude their status of controller, even if the database used was owned by that third-party. Hence, the marketing company was considered by the DPA as a processor.  


The fact that Deco Proteste used a third party to assist in direct marketing of its products does not exclude controllership status of Deco Proteste, even if the database used was owned by the direct marketing company, which is considered by the CNPD as a processor acting on behalf of Deco Proteste, the controller.
Also, the DPA explained the legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] was not the applicable legal basis to use the data subject's contact  details for direct marketing purposes. The DPA considered that all direct marketing emails sent referred to products and services offered by controller. It also considered that controller freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the violations.


Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.
Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.

Revision as of 11:42, 10 September 2024

CNPD - Deliberação 2019/297
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 28 GDPR
Article 13 of the e-Privacy Directive
Article 13A of the Portuguese e-Privacy Act
Portuguese Data Protection Act (Act 67/98)
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.05.2019
Published:
Fine: 107.000 EUR
Parties: DECO PROTESTE Editores, Lda.
National Case Number/Name: Deliberação 2019/297
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Portuguese
Original Source: CNPD Website (in PT)
Initial Contributor: Jose Belo

The DPA fined the controller €107,000 for repeatedly sending unsolicited marketing communications without the data subject's consent. The controller bore liability even though it was a third-party who sent the communications using their own database.  

English Summary

Facts

A data subject received unsolicited direct marketing emails from Deco Proteste. Deco Proteste was the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company.

The data subject never provided their personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.

The data subject filed a complaint with the Portuguese DPA (CNPD).

After the investigation, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.

Dispute

Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. As such, it is the direct marketing company that was the controller, not Deco Proteste.

Holding

The DPA upheld the complaint and imposed a fine of €107,000.

Deco Proteste was assigned a role of a data controller. The DPA did not accept the controller's arguments that the marketing agency who sent the marketing communications was acting as an independent controller.The fact that the controller used a third party to assist in direct marketing of its products did not exclude their status of controller, even if the database used was owned by that third-party. Hence, the marketing company was considered by the DPA as a processor.

Also, the DPA explained the legitimate interest under Article 6(1)(f) GDPR was not the applicable legal basis to use the data subject's contact details for direct marketing purposes. The DPA considered that all direct marketing emails sent referred to products and services offered by controller. It also considered that controller freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the violations.

Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.

Comment


Further Resources

https://www.dn.pt/pais/comissao-de-protecao-de-dados-aplica-coima-de-107-mil-euros-a-deco-11515689.html

https://www.mondaq.com/data-protection/871388/new-fine-for-unsolicited-marketing-messages-by-portuguese-data-protection-authority

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.