Difference between revisions of "APD/GBA - 28/2020"
|Line 7:||Line 7:|
Revision as of 19:11, 11 November 2020
|APD/GBA - 28/2020|
|Relevant Law:||Article 6(1)(f) GDPR|
Article 17(1)(c) GDPR
Article 21(2) GDPR
|National Case Number/Name:||28/2020|
|European Case Law Identifier:||n/a|
|Original Source:||GBA (in NL)|
Belgian DPA (Litigation Chamber) imposed a fine of € 1,000 on a non-profit organisation for direct marketing practices without legal basis and notwithstanding the repeated objections to the processing by the complainant.
The decision followed a complaint filed by by a former donator of the organisation who continued to receive promotional materials after he had objected to the processing of his data for direct marketing purposes and requested that the organization erase his data from its database.
The litigation chamber concluded to a violation of the GDPR considering that:
Considering, amont others, the limited turnover of the organisation and also the fact that the practices continued over 5 years, the DPA concluded to a fine of 1000 euros.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
File number : DOS-2019-04191 Subject : Complaint about the sending of publicity by Y VZW The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Frank De Smet and Mr Yves Poullet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC 95/46/EC (General Data Protection Regulation), hereinafter AVG; Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; Having regard to the internal rules of procedure as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; has taken the following decision regarding: - X, 'the complainant'; and - Y, "the defendant." 1. Facts and procedure 1. On 8 August 2019, the complainant submits a complaint to the Data Protection Authority against the defendant. 2. The subject of the complaint concerns the repeated receipt by mail, by the complainant, of promotional material from the defendant, even though the complainant asked the defendant (several times) to stop sending him such promotional material and to delete his personal data. 3. On 27 August 2019, the complaint will be declared admissible pursuant to Section 58 of the WOG, the complainant will be notified in accordance with Section 61 of the WOG and the complaint will be submitted to the Disputes Chamber pursuant to Section 62(1) of the WOG. 4. On 12 September 2019, the Disputes Chamber will decide on the basis of articles 95, §1, 1°, and 98 WOG that the complaint is ready to be dealt with on the merits. 5. By registered letter dated 12 September 2019, the parties will be informed that the complaint is ready to be dealt with on the merits and they will also be notified of the time limits for submitting their defences pursuant to Article 99 of the WOG. 6. On 6 October 2019, the Complainant's Disputes Chamber will receive by e-mail photographs of new publicity sent to him by post by the defendant. 7. On 10 October 2019, the Disputes Chamber will receive the defendant's defences. 8. By e-mail dated 7 December 2019, the complainant informs the Data Protection Authority that it has again received promotional material from the respondent and attaches supporting evidence. 9. By e-mail dated 27 April 2020, the Disputes Chamber informs the defendant of the intention to impose an administrative fine as well as the amount of the fine and the possibility for the defendant to submit its defences in this respect. 10. However, the Litigation Chamber was not allowed to receive any reaction from the defendant regarding this intention to impose an administrative fine. 2. Legal basis Article 6.1 AVG "Processing shall be lawful only if and in so far as at least one of the following conditions is fulfilled: a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party, or to take measures at the request of the data subject prior to the conclusion of a contract; c) the processing is necessary to comply with a legal obligation incumbent on the controller; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of pursuing the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the exercise of their functions'. Article 17.1(c) AVG "1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him without unreasonable delay and the controller shall be obliged to erase personal data without unreasonable delay where one of the following applies: (...) (c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding compelling legitimate grounds for processing, or the data subject objects to the processing in accordance with Article 21(2);'. Article 17.1(d) AVG "1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him without unreasonable delay and the controller shall be obliged to erase personal data without unreasonable delay where one of the following applies: (...) (d) personal data have been unlawfully processed;'. Article 21.2 AVG "Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data relating to him/her for the purposes of such marketing, including profiling relating to direct marketing. Article 21.3 AVG "Where the data subject objects to processing for the purposes of direct marketing, personal data shall no longer be processed for those purposes. Article 21.4 AVG "4. The right referred to in paragraphs 1 and 2 shall be expressly brought to the attention of the data subject no later than at the time of the first contact with the data subject and shall be displayed clearly and separately from any other information. 3. Reason 3.1. As regards the infringement of Articles 17(1)(c), 21(2) and 21(3) AVG 11. It appears from the documents in the file that, following the defendant's repeated receipt of promotional material, the complainant requested the defendant by e-mail dated 5 July 2019 to stop sending him such promotional material and to delete his personal data: "Dear, After having asked this before, unfortunately without consequence, I would like to urge you again to stop misusing my address to send fundraising gadgets for your organization. Please delete my address immediately, as I never gave you permission to use my address in the context of GDPR. (…)” 12. The Complainant addressed this request to the Respondent following the receipt of gadgets by mail - in particular a bimonthly magazine and a pen with the Respondent's logo. 13. However, the defendant does not respond favourably to this request and continues to send similar promotional material to the complainant. 14. Even after notification of the complaint by the data protection authority to the defendant (by letter of 12 September 2019), the defendant continues the data processing for direct marketing purposes. 15. Indeed, by e-mail dated 6 October 2019, the complainant informs the Data Protection Authority about the receipt of new promotional material from the defendant - in particular a magazine and a toiletry bag - and attaches supporting documents. 16. By e-mail dated 10 October 2019, the Respondent transmits its defences to the Dispute Settlement Chamber. In response to the complaint, the defendant stated that the complainant's details had been included in its database since the complainant made a donation in 2012 for the benefit of the defendant. The latter states that they "overlooked [the complainant's] request to stop [the defendant's] correspondence" and that in the meantime it has been ensured that the complainant no longer receives any mail from [the defendant]. will receive him. 17. The defendant further states the following in his defense: "We will keep donors' details for another 10 years after their last donation, as stated in our privacy clause and communicated to all our donors when the new GDPR law is introduced. Because [the defendant] is always looking for donors to support its projects [...], we occasionally write to our former donors in the hope that they will repeat their financial help from the past. For these fundraising activities, we rely on the 'legitimate interest' as the legal basis for processing personal data, not on the explicit consent of the donor. After all, [defendant] can only achieve its objectives if the necessary means are available. That is why it is important for us to (may) appeal to as large a target audience as possible". 18. However, on 7 December 2019, the complainant informs the Data Protection Authority that it has again received promotional material from the defendant and attaches supporting documents. This is a letter dated 26 November 2019 asking the complainant to make a 'Christmas gift'. 19. The Disputes Chamber is of the opinion that sending such publicity should be regarded as "direct marketing" within the meaning of Article 21 of the AVG. In doing so, it applies the definition as included in Recommendation 1/2020 of the Data Protection Authority concerning the processing of personal data for direct marketing purposes: "Any communication, in whatever form, solicited or unsolicited, originating from an organisation or individual and aimed at the promotion or sale of services, products (whether in return for payment or free of charge), as well as brands or ideas, addressed by an organisation or individual acting in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and involves the processing of personal data". This definition builds inter alia on the proposal for a Regulation of the European Parliament and of the Council on respect for privacy and protection of personal data in electronic communications and repealing Directive 2002/58/EC . 20. In the present case, it concerns unsolicited communication, sent by post to the person concerned and aimed at the promotion of the defendant's services, on the one hand, and the raising of funds by the defendant, on the other hand. The communication requires the processing of personal data, in particular the name and address of the data subject. 21. In accordance with recital 70 of the AVG, in the event of processing of personal data for the purposes of direct marketing, the data subject has the right to object to such processing at any time and free of charge, irrespective of whether it is initial or further processing. 22. Article 21.3 AVG stipulates in this respect that 'if a data subject objects to the processing for the purpose of direct marketing, the personal data will no longer be processed for these purposes'. 23. In the context of direct marketing, such an objection should therefore immediately and without further investigation lead to the outright cessation of all processing of data of the data subject for the purposes of such direct marketing . 24. In this case, however, the defendant does not comply with the objection made by the data subject pursuant to Article 21.2 AVG and continues the data processing for direct marketing purposes at least five months after the last objection by the complainant and three months after the notification of the complaint to the defendant by the Data Protection Authority. 25. The defendant is thus in breach of Articles 21.2 and 21.3 AVG. 26. The data subject not only objects to the processing of his personal data for direct marketing purposes, but also requests the defendant to delete his data in his e-mail dated 5 July 2019. By doing so, the data subject invokes his right under Article 17 of the AVG. 27. Pursuant to Article 17(1)(c) AVG, the data subject does indeed have the right vis-à-vis the controller 'to obtain without unreasonable delay the erasure of personal data relating to him' if the former 'objects to the processing pursuant to Article 21(2)'. 28. However, the defendant does not respond favourably to the complainant's request for data to be erased and thus also violates Article 17.1(c) AVG. 3.2. With regard to the infringement of Article 6.1 and Article 21.4 of the AVG 29. In its statement of defence of 10 October 2019, the defendant states that it invokes the 'legitimate interest' (Article 6.1(f) of the AVG) as the legal basis for the processing of personal data and not the explicit consent of the data subjects (Article 6.1(a) of the AVG) for its direct marketing to former donors for fundraising purposes, in order to 'reach as large a target audience as possible'. 30. Although the AVG does not fully exclude the use of the legitimate interest as a legitimate ground for the processing of personal data for direct marketing purposes, this does not in any way mean that any processing for canvassing purposes can be considered justified. 31. In accordance with Article 6.1(f) AVG and the case-law of the Court of Justice of the European Union ('the Court'), three cumulative conditions must be fulfilled for a controller to validly rely on this ground of lawfulness, 'namely, in the first place, the protection of a legitimate interest of the controller or of the third party or parties to whom the data are disclosed, in the second place, the necessity of the processing of personal data in order to protect the legitimate interest and, in the third place, the condition that the fundamental rights and freedoms of the data subject do not prevail' (Rigas judgment ). 32. In order to be able to rely on the lawfulness of the 'legitimate interest' in accordance with Article 6(1)(f) AVG, the data controller must in other words demonstrate that 1) the interests it pursues in the processing may be recognised as legitimate (the 'purpose test'); 2) the intended processing is necessary for the realisation of these interests (the "necessity test"); and 3) weighing these interests against the interests, fundamental freedoms and fundamental rights of data subjects in favour of the controller (the 'balancing test'). 33. As regards the first condition (the so-called 'purpose test'), the AVG acknowledges that the processing of personal data for the purpose of direct marketing in se can be considered as carried out for a legitimate interest. 34. In this case it concerns direct marketing messages addressed to former donors with a view to the promotion of the defendant's services and the raising of funds by the defendant from these former donors. In accordance with recital 47 AVG, the interest pursued by the defendant as the person responsible for processing can in itself be regarded as justified. The first condition laid down in Article 6(1)(f) AVG is therefore met. 35. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the purposes pursued. This means in particular that the question must be asked whether the same result can be achieved by other means without the processing of personal data or without unnecessarily intrusive processing for the data subjects. 36. In the present case, it can be considered that the processing of personal data was necessary to achieve the purpose defined by the controller, in particular the direct marketing messages by letter to former donors for fundraising purposes. In order to direct this direct marketing to data subjects, their name and address will be processed. The purpose thus defined by the controller could indeed not be achieved without the aforementioned personal data processing. 37. However, the fact that the interest pursued by the controller is justified and that the processing of personal data is necessary to achieve this objective is not sufficient for the controller to be able to validly invoke Article 6.1(f) AVG. 38. In order to examine whether the third condition laid down in Article 6(1)(f) AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, it is necessary, in accordance with recital 47 AVG, to take account first of all of the reasonable interests of the data subject. expectations of the person concerned. In particular, it should be assessed whether 'at the time and in the context of the collection of personal data, the data subject may reasonably expect that processing may be carried out for that purpose' . 39. This is also underlined by the Court in its judgment 'TK t v. Asociaţia de Proprietari bloc M5AScaraA' of 11 December 2019 : "The data subject's reasonable expectations that his or her personal data will not be processed when, in the given circumstances of the case, the data subject cannot reasonably expect the data to be further processed are also relevant to this consideration. 40. In the present case, the question arises as to whether the complainant could reasonably expect his personal data to be used for direct marketing purposes for fundraising purposes more than seven years after it was collected. 41. A second element to be taken into account, in addition to the reasonable expectations of the data subject, by a controller who intends to use the legitimate interest as a ground of lawfulness, is his obligation to provide additional safeguards for the benefit of the data subject. This is emphasised by the Group 29 in its Opinion 06/2014 : "This consideration must take a number of factors fully into account in order to ensure that due account is taken of the interest and fundamental rights of the persons concerned [...]. Factors to be taken into account in the balancing exercise include, inter alia: […] - additional safeguards that may mitigate undesirable consequences for the data subject, such as data minimisation, privacy enhancing technologies, enhanced transparency, the general and unconditional right to opt-out and data portability. ” 42. The provision of a right to object to the processing is an essential element in this respect. Indeed, without offering a real and effective right to object, no balance can be struck between the legitimate interests pursued by the controller and the fundamental freedoms and rights of data subjects. 43. The unconditional nature of this right of objection is specific to processing for the purposes of direct marketing and is guaranteed by Article 21.3 of the AVG (see above). As mentioned above, in the context of direct marketing, this right of objection should immediately and without additional investigation lead to the outright cessation of any processing of data of the data subject for the purpose of direct marketing. 44. In accordance with recital 70 of the AVG, in fine, as well as Article 21.4 of the AVG, the data controller must also facilitate this right of objection in the context of direct marketing: "Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object at any time and free of charge to such processing, regardless of whether it is initial or further processing, including in the case of profiling insofar as it relates to direct marketing. This right must be expressly brought to the attention of the data subject in a clear and separate manner from other information. ” "The right referred to in paragraphs 1 and 2 shall be expressly brought to the attention of the data subject no later than at the time of the first contact with the data subject and shall be displayed clearly and separately from any other information". 45. Consequently, the data controller must clearly indicate the right to object, in simple and unambiguous language, in all direct marketing messages, from the first message. It is not sufficient to include the possibility to exercise this right in the privacy statement; this possibility should be explicitly proposed to the data subject. Incidentally, this obligation is not new and already existed, prior to the entry into force of the AVG, under Article 7 of Directive 95/46/EC. 46. In the present case, the defendant does not comply with this obligation imposed by Article 21.4 AVG and clarified by recital 70 AVG. In its defence, the defendant refers to its privacy statement but does not demonstrate that it has adequately facilitated the exercise of the right to object, as required by Article 21.4 AVG. After all, the marketing messages submitted by the complainant as evidence do not mention the possibility of exercising the right of objection. 47. Consequently, the defendant has not adequately guaranteed the general and unconditional right to object applicable to the processing of personal data for direct marketing and has failed to comply with its obligation to provide ab initio adequate additional safeguards that could mitigate any undesirable consequences for the data subject. 48. Since this element is essential in order to be able to validly invoke Article 6.1(f) AVG (legitimate interest) as a ground for lawfulness for the processing of personal data for the purposes of direct marketing, it must be decided in the present case that the third condition ('balancing test') is not met and the defendant could not validly continue the processing under Article 6.1(f) AVG. 49. The defendant thus violates Article 6.1 and Article 21.4 of the AVG. 50. Infringements of the above provisions are subject to the administrative fines set out in Article 83.5 of the AVG. 51. Taking into account the criteria contained in article 83.2 of the AVG as well as the case law of the Market Court , the Chamber of Disputes justifies the imposition of an administrative sanction in this case on the basis of the following circumstances: - the nature, seriousness and duration of the infringement (Article 83.2(a) AVG), in particular the persistence of the infringement of Articles 6.1, 17.1(c) and (d), 21.2, 21.3 and 21.4 AVG for a period of at least five months from the last objection and request for erasure by the complainant and three months from the notification of the complaint to the defendant by the defendant by the Data Protection Authority; - the fact that it is the first infringement found in respect of the controller concerned (Article 83(2)(e) AVG); - the degree of cooperation with the supervisory authority to remedy the breach and mitigate its possible negative consequences (Article 83.2(f) AVG): contrary to the defendant's submissions in its defence of 10 October 2019, despite the complainant's objection and request for data erasure and the notification of the complaint by the data protection authority, the defendant does not take the necessary measures to bring the breaches described above to an immediate end; the defendant continues to process data for direct marketing purposes under Article 6.1(f) AVG (legitimate interest); and - the fact that the defendant is a not-for-profit association with limited turnover (Article 83.2(k) AVG). 52. The Disputes Chamber points out that the other criteria of Article 83.2 of the AVG in this case are not of the nature that they lead to an administrative fine other than the one set by the Disputes Chamber in the context of this decision. 53. The Disputes Chamber is of the opinion that this fine is proportional in view of the financial statements published by the defendant in the Belgian Official Gazette for the financial year 2018 (positive result of EUR 518,120). 54. In view of the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision shall be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties to be published directly for this purpose. FOR THESE REASONS, the Data Protection Authority's Litigation Chamber, after deliberation, shall decide: - pursuant to Article 58.2 c) and g) AVG and Article 100, §1, 6° WOG, order the defendant to comply favourably with the complainant's request for information in accordance with Article 17.1 c) AVG within the period of one month after receipt of this decision and to inform the complainant and the Disputes Chamber within the same period; and - on the basis of Article 83 AVG and Articles 100 §1, 13° and 101 WOG, to impose an administrative fine of EUR 1000 on the defendant for breach of Articles 6.1, 17.1(c) and (d), 21.2, 21.3 and 21.4 AVG. This decision may be appealed against under Article 108 §1 of the WOG within a period of thirty days from the notification to the Market Court with the Data Protection Authority as respondent.