CNPD (Portugal) - Deliberação 2019/297
CNPD - Deliberação 2019/297 | |
---|---|
Authority: | CNPD (Portugal) |
Jurisdiction: | Portugal |
Relevant Law: | Article 28 GDPR Article 13 of the e-Privacy Directive Article 13A of the Portuguese e-Privacy Act Portuguese Data Protection Act (Act 67/98) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.05.2019 |
Published: | |
Fine: | 107.000 EUR |
Parties: | DECO PROTESTE Editores, Lda. |
National Case Number/Name: | Deliberação 2019/297 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Portuguese |
Original Source: | CNPD Website (in PT) |
Initial Contributor: | Jose Belo |
The DPA fined the controller €107,000 for repeatedly sending unsolicited marketing communications without the data subject's consent. The controller bore liability even though it was a third-party who sent the communications using their own database.
English Summary
Facts
A data subject received unsolicited direct marketing emails from Deco Proteste. Deco Proteste was the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company.
The data subject never provided their personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.
The data subject filed a complaint with the Portuguese DPA (CNPD).
After the investigation, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.
Dispute
Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. As such, it is the direct marketing company that was the controller, not Deco Proteste.
Holding
The DPA upheld the complaint and imposed a fine of €107,000.
Deco Proteste was assigned a role of a data controller. The DPA did not accept the controller's arguments that the marketing agency who sent the marketing communications was acting as an independent controller.The fact that the controller used a third party to assist in direct marketing of its products did not exclude their status of controller, even if the database used was owned by that third-party. Hence, the marketing company was considered by the DPA as a processor.
Also, the DPA explained the legitimate interest under Article 6(1)(f) GDPR was not the applicable legal basis to use the data subject's contact details for direct marketing purposes. The DPA considered that all direct marketing emails sent referred to products and services offered by controller. It also considered that controller freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the violations.
Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.