AKI (Estonia) - 2.1.-1/24/181-367-3
AKI - 2.1.-1/24/181-367-3 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 13 103 ESS |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.08.2022 |
Decided: | 01.03.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2.1.-1/24/181-367-3 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Estonian |
Original Source: | AKI (in ET) |
Initial Contributor: | im |
The DPA reprimanded a controller for sending direct marketing offers without an option to opt-out while claiming during the investigation, that the processing in question was suspended.
English Summary
Facts
On 26 August 2022 a data subject lodged a complaint according to which they received direct marketing offers to their e-mail address from various e-mail addresses belonging to Staffrent OÜ, a personnel outsourcing and staffing agency (‘controller’). The offers did not contain information on the possibility to opt out of receiving them. The data subject repeatedly contacted the controller, expressing their wish to not receive the direct marketing offers and prohibited the controller from further processing their contact details.
The DPA started an investigation into the matter and sent an inquiry to the controller regarding the allegations made against them. The controller replied on 24 October 2022 that they informed the data subject that no further offers will be sent to their e-mail address. Additionally, they added a note to their direct marketing offers regarding an option to unsubscribe.
However, on 27 October 2022, the data subject received another direct marketing offer from the controller, again without an information to opt-out. In its reply to the DPA, the controller stated that the e-mail in question was sent in error and promised to seek help from IT specialists. As a result, the DPA closed the monitoring procedure.
On 27 September 2023, the DPA received a letter of warning from another customer to whom the controller sent direct marketing offers omitting the information on how to opt-out. The controller explained to the DPA that their software broke down and the opt-out service did not work. However, the data subjects were guaranteed the possibility to send them a request for deletion of their data. The controller claimed that until the problem is solved, they will stop advertising.
On 8 February 2024, another customers’ complaint to the DPA contained the same allegations regarding the controller.
Holding
To begin with, the DPA stated that the processing in question concerns electronic direct marketing within the meaning of Section 5(1) of the Information Society Service Act. The use of electronic contact data for direct marketing is regulation by Section 103 of the Estonian Electronic Communications Act (‘ECA’) according to which the use of this data is permitted if:
1) the use of the contact data provides a clear and comprehensible opportunity to opt out of such use of his or her contact data in a free and simple manner at any time, or
2) a person will be allowed to exercise their right to refuse through an electronic communications network.
The DPA emphasized that pursuant to Section 103(4) and (5) ECA the use of contact details for direct marketing is prohibited if the user has objected to the processing of their electronic contact details for direct marketing.
In the light of the above, several data subjects refused to have their contact details deleted on several occasions. The controller confirmed to the DPA twice that no further offers will be sent to the data subjects that do not wish to receive them. Nevertheless, the data subject received another direct marketing offer whereby the controller violated the objection to the processing of contact data for the purpose of direct marketing as per Section 103(4) and (5) ECA.
Taking into account the fact that the controller repeatedly violated its obligations under the ECA, the DPA considered that the issuance of a mandatory injunction in this case is necessary in order to put an end to the infringement as soon as possible. Therefore, the DPA reprimanded the controller for the above mentioned acts and ordered them to stop sending direct marketing offers to the data subject’s e-mail address. In case the controller failed to comply with the order, the DPA will impose a fine in the amount of €2,500.
Comment
The Estonian Electronic Communications Act incorporates the principles and requirements of the e-Privacy Directive as a separate legal instrument tailored to Estonia’s legal and regulatory framework.
The Article of the ECA regulating the requirement to include an option to opt-out of receiving direct marketing offers mirrors right to object under Article 21 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY INTERNAL USE Note made: 29.02.2024 Inspection Access restriction is valid until: 28.02.2099 in terms of p. 2, until the decision enters into force Basis: AvTS § 35 (1) p. 12, AvTS § 35 (1) p. 2 PRESCRIPTION WARNING In the case of the Electronic Communications Act No. 2.1.-1/24/181-367-3 Annika Kaljula, a lawyer from the Data Protection Inspectorate, issued the order The time of making the prescription and place 01.03.2024 in Tallinn Staffrent OÜ Addressee of the injunction – address of the personal data processor: Ülemiste tee 3, Tallinn 11415 e-mail address: info@staffrent.ee Personal data processor Member of the Board responsible person RESOLUTION: 1 §103(4)(5), §133(4) of the Electronic Communications Act (ESS), personal data protection Act (IKS) § 56 subsection 1, subsection 2 clause 8, § 58 subsection 1 and protection of personal data On the basis of Article 58(2)(f) of the General Regulation, I issue a mandatory injunction for compliance: Stop sending direct marketing offers to email address xxx I set the deadline for the execution of the injunction to be 08.03.2024. Report compliance with the order to the Data Protection Inspectorate by this deadline at the latest. DISPUTE REFERENCE: This order can be challenged within 30 days by submitting either: - a complaint to the Data Protection Inspectorate according to the Administrative Procedure Act or - an appeal to the administrative court in accordance with the Code of Administrative Court Procedures (in the case of a case in point to review the dispute in the matter). Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment implementation. EXTORTION MONEY WARNING: If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act: Extortion money 2500 euros. A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / registry code 70004235 forced money, it will be forwarded to the bailiff to start the enforcement procedure. In this case, they are added bailiff's fee and other enforcement costs for enforcement money. VIOLATION PENALTY WARNING: Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act a natural person may be fined up to 20,000,000 euros and a legal person may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one of the total worldwide annual turnover for the financial year, whichever is greater. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate. FACTUAL CIRCUMSTANCES: The Data Protection Inspectorate (AKI) received a complaint from xxx (complainant) on 26.08.2022, according to which the complainant's direct marketing offers to the e-mail address xxx from various Staffrent OÜ (data processor) from e-mail addresses (work@staffrent.ee; jelizaveta@staffrent.ee; leonid@staffrent.ee; juliana@staffrent.ee) on 16.10.2021; 26/07/2022; 26/08/2022; 14.09.2022. Sent direct marketing offers lacked information on how a person can opt out of receiving them. The applicant repeatedly informed the data processor by e-mail that he did not want direct marketing offers receive and prohibited the data processor from using his contact details (I immediately demand my e- deletion of the letter's address from your list and prohibit any information from being sent to my e-mail in the future postal address). Based on the information received, AKI started the supervision procedure regarding Staffrent OÜ and sent inquiry to the data processor. The data processor replied to AKI on 26.09.2022: We are willing considered, this offer will no longer be sent to the xxx email address. In addition, AKI asked the data processor to clarify what changes were made and what they were mistakes would not happen in the future and to confirm that information has been added to the direct marketing offers, how can a person opt out of spam emails. AKI's inquiry was answered by the data processor 24.10.2022: We have informed all employees that this contact no longer needs advertising send. And now we have a note: If you don't want to receive more offers from us, please write "I no longer wish to receive offers" in response to the letter. The offer will only be sent to interested companies that have previously received an offer over the phone. Despite the above answers, the applicant received a new direct marketing offer on 27.10.2022 data processor's e-mail from galina@staffrent.ee. Also, the letter sent was missing again information on how to opt out of receiving emails. The data processor confirmed in the reply to AKI on 15.11.2022, that it was a letter sent by mistake. The data processor agreed to seek help from IT specialists and start using the marketing message platform Mailchimp, which would become unsolicited not sending an ad to an automated activity. The data processor agreed to stop the letters sending until the corresponding technical measures have been put into operation. AKI ended it supervision procedure. On 27.09.2023, AKI received a memo from another citizen to whom the data processor had sent direct marketing offers and the emails still lacked information on how to opt out of receiving emails. During the supervision procedure, AKI proposed to the data processor to stop the newsletters sending, unless they are accompanied by instructions or information that allows the recipient of the newsletter to exercise the right to refuse. The data processor replied to AKI on 20.11.2023: At the present time the mentioned shortcomings are addressed. Unfortunately, the software that enabled this option went away broken, so some letters were delivered manually and there is no opt-out service, but in person is guaranteed the possibility to send us a letter according to which we will delete his data. At the moment, until the problem is solved, we will stop the delivery of the ad, or we will directly put a link where people can opt out and we will manually change our ad recipient list. On 08.02.2024, the applicant (xxx) appealed to AKI with a new complaint, as he had received direct marketing offer from the data processor (from the e-mail address commerce@offer.staffrent.ee). GROUNDS FOR DATA PROTECTION INSPECTION: 1. First, AKI explains the concept and nature of direct marketing. Electronic direct marketing the term is not defined in law, but in practice it is treated as direct marketing offers sent to natural or legal persons in connection with the sale of the product or with service provision. For the most part, direct marketing is about commercial announcements with shipping. According to § 5 (1) of the Information Society Service Act, a commercial announcement is any kind types of information transmission designed to directly or indirectly promote the service provider on behalf of the offer of goods or services or to improve the reputation of the service provider. The easiest direct marketing can be recognized by its result. If sending an offer promotes anything activities of the entrepreneur, it is always direct marketing. 2. Offers sent by the data processor by e-mail invite you to use the company services (labor rental services): I am sure that the services provided by our company could be of great interest to you. We are a recruitment and staffing company that offers qualified specialists and service personnel from Holland, Finland, Estonia, Latvia and to the German markets.STAFFRENT™for result-focused professionals team. We know how hard it is to find the right person for a specific task these days, that's why we've created our own outsourcing service that frees up European companies from an additional problem and is helpful in achieving goals. 3. The applicant has received direct marketing offers in which he is offered a labor rental service, to the e-mail address of the legal entity (xxx) on 16.10.2021; 26/07/2022; 26/08/2022; 14/09/2022; 27.10.2022 and 08.02.2022. Because the purpose of sending letters is to promote the activities of the data processor in the provision of rental services, and letters are sent to e-mail addresses of persons, it is electronic direct marketing. 4. The use of electronic contact data for direct marketing is regulated by the electronic According to § 103 and subsection 2 of the Communications Act (ESS), a legal person is a communications service provider the use of user or customer electronic contact data for direct marketing is permitted if: 1) clear and comprehensible information is given each time when using contact data a free and easy way to disable your contact information use; 2) the person is enabled to realize his right to refusal via an electronic communication network. 5. According to ESS § 103, paragraph 4, point 5, the use of contact data is direct marketing prohibited if the user, customer or buyer of the communication service has prohibited theirs use of electronic contact data for direct marketing. 6. The applicant has explicitly prohibited the deletion of his contact data on 18.10.2021, 2.08.2022 (I immediately request the deletion of my e-mail address from your list and prohibit from now on sending any information to my e-mail address). In addition, confirmed data processor to AKI on 26.09.2022 in the course of supervisory procedure No. 2.1.-5/22/20762, that No more offers will be sent to the xxx email address. 24.10.2022 confirmed by the data processor To AKI again: We have informed all employees that this contact is no longer available need to send an ad. 7. Despite this, the complainant has received another direct marketing offer from the data processor 08.02.2024, with which the data processor has violated § 103, paragraph 4, point 5 of ESS refuse to use contact details for direct marketing purposes because the applicant was have repeatedly denied the use of their contact information. 8. AKI has conducted two supervision procedures, during which it has clarified to the data processor the requirements arising from ESS for sending direct marketing offers. The data processor has nevertheless failed to send direct marketing offers regulate in such a way that the person who has their electronic contact information banned, no offers would come. 9. Taking into account the factual circumstances and the fact that the data processor has repeatedly violated obligations arising from the Electronic Communications Act and continues despite the prohibitions sending direct marketing offers to the complainant's e-mail address, the inspection finds that making a mandatory injunction in this case is necessary to stop the offense as soon as possible and ensure the protection of the applicant's rights to his electronic regarding the use of contact data. (signed digitally) Annika Kaljula lawyer on the authority of the Director General