CNPD (Portugal) - Deliberação 2019/297

From GDPRhub
Revision as of 12:23, 28 March 2021 by Jose Belo (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Portugal |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPT.png |DPA_Abbrevation=CNPD |DPA_With_Country=CNPD (Portugal) |Case_Number_Name...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNPD - Deliberação 2019/297
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law:
Personal Data Protection Act (Act 67/98)
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.05.2019
Published:
Fine: 107000 EUR
Parties: n/a
National Case Number/Name: Deliberação 2019/297
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Portuguese
Original Source: CNPD Website (in PT)
Initial Contributor: Jose Belo

Portuguese DPA considers that an organisation is the controller of personal data when employing the services of a direct marketing company and using its database for direct marketing purposes. The direct marketing company, even if using its database for direct marketing purposes, acts on behalf of the controller and is a processor.

English Summary

Facts

A data subject complained about receiving unsolicited direct marketing emails from a company with whom she/he never provided personal data to. After the investigation by the CNPD, 45 other unsolicited direct marketing emails, between the dates of 11th of October 2011 and 5 of June 2013, were added to the complaint.

Dispute

Company A claimed that the personal data in the database used to send direct marketing emails was owned by the direct marketing company, not them, and so, it is the direct marketing company that is the controller, not Company A.

Holding

Portuguese DPA considered that all direct marketing emails sent by the direct marketing company were of products and services offered by Company A. It also considered that Company A freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offenses.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.