CNPD (Portugal) - Deliberação 2019/297

From GDPRhub
CNPD - Deliberação 2019/297
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 28 GDPR; Article 13 of the e-Privacy Directive; Article 13A of the Portuguese e-Privacy Act; Portuguese Data Protection Act (Act 67/98)
Type: Complaint
Outcome: Upheld
Decided: 06.05.2019
Fine: 107.000 EUR
Parties: DECO PROTESTE Editores, Lda.
National Case Number/Name: Deliberação 2019/297
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Portuguese
Original Source: CNPD Website (in PT)
Initial Contributor: Jose Belo

The Portuguese DPA considered that an organisation is the controller of personal data when it employs the services of a direct marketing company to promote its products or services, even if the direct marketing company uses its own database for that purpose.

The direct marketing company, even when using its own database for direct marketing purposes, acts on behalf of the controller and is a processor.

The Portuguese DPA also ruled that repeatedly sending unsolicited marketing communications without the data subject's consent, where said data subject is not an existing customer of the controller, breaches the GDPR and the ePrivacy Directive.

English Summary


A data subject complained about receiving unsolicited direct marketing emails from Deco Proteste (the largest Portuguese Consumer Protection association, operating, in this matter, as Deco Proteste Edições Lda., a limited liability company).

The data subject never provided her/his personal data to Deco Proteste and, as a result, never consented to receiving direct marketing emails from the organization.

Following the CNPD's investigation, 45 other unsolicited direct marketing emails, sent between 11 October 2011 and 5 June 2013, were added to the complaint.


Deco Proteste claimed that the personal data of the data subject was part of a database owned by a direct marketing company it had subcontracted to provide direct marketing services. It argued that, as such, the direct marketing company is the controller, not Company A.


The Portuguese DPA did not accept the controller's arguments that (i) the marketing agency that sent the marketing communications was acting as an independent controller (and not as the controller's processor) and that (ii) the applicable legal basis for using the data subject's contact details for direct marketing purposes was the controller's legitimate interests, under Article 6(1)(f) of the GDPR.

The Portuguese DPA considered that all direct marketing emails sent by the direct marketing company promoted products and services offered by Deco Proteste.

It also considered that Deco Proteste freely, voluntarily and consciously decided to process personal data without any legal basis to promote its products and services, neglecting its legal obligations under the Personal Data Protection Act of 1998, in force at the time of the offences.

The fact that Deco Proteste used a third party to assist in the direct marketing of its products does not exclude Deco Proteste's status as controller, even if the database used was owned by the direct marketing company, which the CNPD considers a processor acting on behalf of Deco Proteste, the controller.

Marketing agencies sending such messages on behalf of the controller act as the latter's processor, regardless of the fact that the former are the sole holders of the contact details database used to send the messages.


Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.