Datatilsynet (Denmark) - 2020-431-0075

From GDPRhub
Datatilsynet - 2020-431-0075
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(e) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 13(1)(d) GDPR
Article 58(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 30.09.2022
Fine: n/a
Parties: Smart Response
National Case Number/Name: 2020-431-0075
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA reprimanded an online marketing service. Among other things, the controller lacked a legitimate interest under Article 6(1)(f) GDPR to process questionnaire data. It also did not sufficiently inform data subjects of their inclusion on a "no-thanks" list, in violation of Articles 12(1) and 13(1)(d) GDPR.

English Summary

Facts

SmartResponse A/S (the controller) offers online marketing solutions for advertisers. Among other things, it processes personal data of participants in Internet competitions. In order to sign up for an Internet competition, participants have to give consent for the controller to process information about them and to pass it on to the controller's business partners. In the present case, the collected data included e-mail addresses, gender, IP addresses, date of birth, telephone numbers and postal addresses of the participants.

Following an inquiry from the Consumer Ombudsman and a number of complaints from concerned data subjects, the Danish DPA initiated an investigation into the controller's processing of personal data. The procedure concerned, among other things, the disclosure of personal data in connection with the offering of Internet competitions and questionnaires used in that context. In April 2020, the DPA sent a request to the controller asking it to provide information on its processing activities, followed by several requests for additional clarification. Based on this, the DPA assessed the legal basis for processing, the retention periods and the information provided to data subjects on processing.

Holding

First, the DPA noted that the controller processed data of participants in online competitions based on Article 6(1)(a) GDPR. The processing was carried out for the purpose of direct marketing, as data subjects registered in the competition also consented to receive direct marketing from the controller and 45 business partners. The DPA acknowledged that the controller included a possibility to unsubscribe and withdraw consent by sending an email to the controller or contacting individual advertisers. The DPA analysed the conditions for consent in Article 7 GDPR as well as the EDPB Guidelines 05/2020. It concluded that the conditions were met and the controller had a valid legal basis for conducting the competition and related direct marketing.

However, the DPA also investigated the legal basis for data processed in relation to a questionnaire offered to the participants with a view to adapting marketing to the individual's personal needs. In this regard, it held that the controller could not use Article 6(1)(f) GDPR as a legal basis. There was no proper balancing of interests at stake and the information asked in the questionnaire was too detailed to be passed on to business partners for the purpose of direct marketing under a legitimate interest legal basis. Nevertheless, since the controller ceased processing the questionnaires in November 2021, the DPA did not take further action in this regard.

In relation to the principles in Article 5 GDPR, the DPA noted that once consent was withdrawn, the participant's phone number and email address were registered on a "no-thanks" list, under the legal basis of Article 6(1)(f) GDPR, in order to prevent further direct marketing. Personal data processed on the basis of consent must then be deleted after consent is revoked unless there is another legal basis for the processing. The DPA considered this processing to be unnecessary and against the data minimisation principle. Moreover, this information was stored for 5 years, thereby violating the storage limitation principle of Article 5(1)(e) GDPR. Lastly, the DPA held that data subjects did not receive sufficient information about the inclusion on the 'no-thanks' list after consent had been withdrawn. The data subjects also did not have enough information to exercise their rights under Article 21 GDPR in order to stop direct marketing. Hence, the DPA found a violation of Articles 12(1) and 13(1)(d) GDPR.

By using its powers under Article 58(2) GDPR, the DPA reprimanded the controller for violations of Articles 5(1)(e), 6(1)(f), 12(1) and 13(1)(d) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

SmartResponse's processing of personal data in connection with the offering of internet competitions

Date: 30-09-2022

Decision, Private companies, Serious criticism, Order, Supervision / self-operating case, Handled by the Data Council, Obligation to provide information, Processing basis, Basic principles

In connection with the decision of a case concerning SmartResponse's processing of personal data, the Danish Data Protection Authority has taken a position on a number of matters which have a bearing on the data controller's processing of personal data for marketing.

Journal Number: 2020-431-0075

Summary

Based on an inquiry from the Consumer Ombudsman, the Danish Data Protection Authority initiated a case about SmartResponse A/S' processing of personal data. The case concerned i.a. the company's disclosure of personal data in connection with the offering of internet competitions and questionnaires that were used in that context.

In connection with the decision of the case, the Danish Data Protection Authority has taken a position on a number of matters which have a bearing on the data controller's processing of personal data for marketing purposes.

The consent complied with the rules

In order to participate in the Internet competition, participants had to consent to SmartResponse being able to process information about them and to SmartResponse being able to pass on the information to the company's business partners.

The Danish Data Protection Authority found that the consent obtained by SmartResponse was in accordance with the data protection rules.

The structure of the consent gave the Danish Data Protection Authority the opportunity to consider whether the requirement for voluntariness, including the requirement for granularity, was met, as SmartResponse collected personal data for its own use and passed on the information for use in the partners' direct marketing.

Dissemination of questionnaire information requires consent

SmartResponse offered participants in the internet competition to fill in a questionnaire with a view to adapting marketing to the individual's personal needs.

The questionnaire information was passed on to the collaboration partners on the basis of Section 13, subsection 2, of the Data Protection Act.

Prompted by comments from SmartResponse, the Danish Data Protection Authority found reason to assess the compliance of § 13 of the Data Protection Act with the Data Protection Regulation's Article 6, subsection 2-3.

The Danish Data Protection Authority found it doubtful whether Section 13 of the Data Protection Act falls within the national discretion that Article 6, subsections 2-3, of the Data Protection Regulation allows.

The Danish Data Protection Authority therefore did not apply Section 13 of the Data Protection Act in the case, and instead assessed the disclosure in accordance with Article 6, subsection 1, letter f, of the Data Protection Regulation (the balancing of interests rule).

The Danish Data Protection Authority found that the questionnaire information was too detailed to be passed on according to the balancing of interests rule, and that the passing on of the information therefore required consent.

The questions about the validity of the consent and processing of information in connection with questionnaires have been decided after submission to the Data Council.

Storage of personal data

SmartResponse stated in the case that the company stores information in order to document the validity of an obtained consent.

Personal data may be processed in order to demonstrate the validity of a consent while the processing is ongoing.

If the processing ceases, the relevant information must as a rule be deleted. However, the information may continue to be stored for a limited period in order to clarify whether a specific dispute may exist or arise.

SmartResponse had also stated that when a consent was withdrawn, the participant's phone number and email address were registered on a no-thanks list.

The Danish Data Protection Authority assessed that SmartResponse, with the no-thanks list, carried out an unnecessary processing of personal data which was not in accordance with the principle of data minimization and the balancing of interests rule. The Danish Data Protection Authority therefore expressed serious criticism of the company's processing of information on the no-thanks list and notified SmartResponse of an order to delete the information.

Finally, SmartResponse had stated that the storage period for the information was 5 years in accordance with the statute of limitations in the Data Protection Act.

In this connection, the Danish Data Protection Authority found that a storage period of 5 years – set after the limitation period in the Data Protection Act – is not in accordance with the principle of storage limitation.

The obligation to provide information

SmartResponse stated that participants were directed to the company's personal data policy via a link that appeared in the internet competition, and that in this way the participants received the required information according to the GDPR.

However, the Danish Data Protection Authority assessed that the participants did not receive sufficient information about SmartResponse's processing of personal data, as the participants did not receive adequate information that SmartResponse continued to store personal data after a consent was withdrawn.

Decision

The Danish Data Protection Authority hereby returns to the case, where the Danish Data Protection Authority has on its own initiative investigated SmartResponse A/S' processing, including disclosure, of personal data in connection with the offering of internet competitions and associated questionnaires.

The Danish Data Protection Authority must – after sections 3.1 and 3.2 of the case have been dealt with by the Data Council – state the following:

1. Decision and order

After a review of the case, the Danish Data Protection Authority finds that SmartResponse's processing of personal data based on the data subject's consent has taken place in accordance with Article 6 of the Data Protection Regulation.

However, the Danish Data Protection Authority finds that SmartResponse's other processing of personal data, which is collected via questionnaires, has not taken place within the framework of the data protection rules.

In addition, it is the Danish Data Protection Authority's assessment that SmartResponse's storage of personal data in order to be able to document consent is carried out in accordance with Article 6 of the Data Protection Regulation.

The Danish Data Protection Authority, however, finds grounds for expressing serious criticism that SmartResponse's processing of personal data, which is carried out on the company's internal no-thanks list, has not taken place within the framework of Article 6 of the Data Protection Regulation.

The Danish Data Protection Authority also instructs SmartResponse to delete personal data which appears on SmartResponse's internal no-thanks list and which does not – on the basis of a likely or concrete dispute – require further storage.

The order is notified, cf. the data protection regulation, article 58, subsection 2, letter g, and the deadline for complying with the order is four weeks from today's date.

The Danish Data Protection Authority draws attention to the fact that failure to comply with an order issued by the Danish Data Protection Authority can be punished with a fine or imprisonment of up to 6 months, cf. section 41, subsection 2, No. 5, of the Data Protection Act.

In addition, the Danish Data Protection Authority finds grounds for expressing serious criticism that SmartResponse's storage of personal data for the purpose of documenting consent is in breach of Article 5, subsection 1, letter e, of the Data Protection Regulation.

Finally, the Danish Data Protection Authority finds grounds to express criticism that SmartResponse has not sufficiently observed the obligation to provide information pursuant to Article 13 of the Data Protection Regulation, cf. Article 12.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

Following an inquiry from the Consumer Ombudsman and in connection with a number of complaints, the Danish Data Protection Authority became aware of SmartResponse's processing of personal data in connection with the offering of internet competitions.

Against this background, the Danish Data Protection Authority asked SmartResponse on 24 April 2020 for a statement regarding the company's processing, including disclosure, of personal data in connection with the offering of internet competitions.

SmartResponse issued a statement on June 4, 2020. Subsequently, the Danish Data Protection Authority requested additional information, which SmartResponse sent respectively on 30 July 2020, 15 September 2021, 11 April 2022, 25 April 2022 and 10 May 2022.

From the information in the case, it appears that SmartResponse processes personal data in connection with internet competitions on the basis of the data subject's consent.

Processing of information about the registered person(s) is done for marketing purposes, as the registered person, by participating in internet competitions, also gives consent to receive direct marketing.

The competition is structured in such a way that on the first page of the competition, registrants are asked to fill in their name, e-mail, telephone number and gender (male or female).

At the same time, the following information about the consent appears:

"I give consent to receive marketing via phone calls, SMS, e-mail and letter from ClubSmart and SmartResponse A/S, as well as the competition's 45 partners. Read about us, your consent, the competition's partners, their products and forms of communication here. I also consent to the sharing of my personal data between ClubSmart, SmartResponse and the competition's partners. The personal data is processed as described in our privacy policy. The personal information is shared with the partners. The partners' treatment is described in their own privacy policies.

I can unsubscribe from direct marketing at any time, see more here

Fill in your information on this and the next page to participate in the competition.”

Registered users can then press "NEXT" or read more about the competition's terms and conditions, which can be accessed via an "embedded" link.

If the registrants press "NEXT", they will be redirected to page 2 of the competition, where registrants are asked to fill in their address and birthday information.

In connection with this, the registered person receives the following additional information:

"When you press "Participate now", you are in the competition.

In order to tailor the marketing, on the following pages you can answer a questionnaire from the companies, where the information is passed on to the company in accordance with your consent.

I confirm that the above information is correct.”

Registered users then have the option to press "JOIN NOW".

When "JOIN NOW" is pressed, registered participants participate in the competition - and at the same time consent to being contacted for marketing purposes.

If "JOIN NOW" is clicked, registered persons are directed to a questionnaire where the registered persons are asked to fill in a number of additional information about themselves.

In this connection, the registered person(s) are asked about, e.g., mobile phone provider, TV provider, connection to the labor market, mortgage institution (if any) and electricity supplier.

3. Reason for the Data Protection Authority's decision

3.1. SmartResponse's processing of personal data based on consent

3.1.1.

SmartResponse has stated that SmartResponse processes information about name, e-mail address, gender, IP address, date of birth, telephone number and address in connection with the data subject's participation in the internet competition.

The processing is carried out for the purpose of direct marketing, as registered persons in connection with participation in the competition also consent to receive direct marketing from SmartResponse, ClubSmart and 45 business partners.

The information is processed on the basis of the data subject's consent, and the basis for processing is therefore the data protection regulation's article 6, subsection 1, letter a.

Information about name, e-mail address, telephone number and address is passed on to the business partners that appear in the consent, and this also takes place on the basis of the consent of the persons concerned.

It is SmartResponse's assessment that the given consent is voluntary, specific, informed and an unequivocal expression of will from the data subject, as:

SmartResponse can document that consent has been given.

SmartResponse considers that the information about consent has been given sufficiently clearly.

SmartResponse has made it clear to the data subject how consent can be withdrawn.

SmartResponse considers that the consent has been given voluntarily.

Consent is an unequivocal expression of will from the data subject, as the data subject must actively fill in and tick check boxes as part of giving consent.

Data subjects are also informed that consent can be withdrawn at any time.

In this connection, SmartResponse has stated that registered users have the opportunity at any time to access the link to unsubscribe, which appears on every competition page offered by SmartResponse. The link can be accessed regardless of whether the competition participant participates in the competition (again) or not.

In addition to the link, SmartResponse sends a confirmation email in which a link to an unsubscribe portal is included. Furthermore, it is specified in the email that withdrawal of consent can also be done via email to info@smartresponse.dk or by contacting the individual advertisers (SmartResponse's business partners).

3.1.2. Relevant legal regulations

It follows from the data protection regulation's article 6, subsection 1, that processing is only lawful if and to the extent that at least one of the conditions in letter a-f applies.

From letter a, it appears that processing of personal data can be carried out if the data subject has given consent to the processing of his personal data for one or more specific purposes.

The conditions for a valid consent appear from Article 4, No. 11, and Article 7 of the Data Protection Regulation, and a valid consent therefore presupposes, among other things, that it is voluntary, specific, informed and an unequivocal expression of will.

The requirement of voluntariness implies that the data controller must give the data subject a free choice and control over personal data about the person concerned. Consent will not be given voluntarily if the data subject does not have a real free choice. This means, among other things, that a consent cannot be considered voluntary if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent for different processing purposes regarding personal data, and the data subject is thus forced to consent to all purposes. A consent must therefore be granulated (divided)[1].

If a processing of personal data serves several purposes, the data controller must therefore obtain separate consent for each individual purpose for which personal data is to be processed on the basis of the data subject's consent. The data controller must therefore offer the data subject the opportunity to consent for one purpose, but refrain from consenting for other purposes.

In addition, according to Article 7, subsection 3, of the data protection regulation, the data subject must - before consent is given - be informed of the right to withdraw consent at any time. In this connection, it is an additional validity requirement that it is just as easy to withdraw consent as it is to give it.

3.1.3. The Danish Data Protection Authority's assessment

SmartResponse has stated in the case that the company – as a provider of internet competitions – collects, registers and passes on information about registered persons who have participated in the competition, on the basis of the consent of the persons concerned in accordance with the Data Protection Regulation, Article 6, subsection 1, letter a.

The Danish Data Protection Authority finds that SmartResponse's processing of information about registered persons is carried out in accordance with Article 6, subsection 1, letter a.

The Danish Data Protection Authority has emphasized that, in the opinion of the Danish Data Protection Authority, the consent is specific and informed, as it is clear from the consent what the purpose of the processing is (direct marketing), which information is processed on the basis of the consent, and which companies can receive and process the information, as a direct link has been inserted in the consent text, which further identifies the 45 collaboration partners.

The consent is also an unequivocal expression of will, as the data subject must take an active action to participate in the competition – and thus consent to information about them being used for direct marketing.

The structure of the consent has given the Danish Data Protection Authority reason to consider whether the requirement for voluntariness, including the requirement for granularity, has been met, as SmartResponse collects data subject's consent for both SmartResponse's own use of the information and for SmartResponse's disclosure of the information for use by partners in direct marketing.

There will basically be different processing purposes if a company - on the basis of consent - wants to process information about its customers for marketing purposes and at the same time wants to pass on the information to other companies.

The Danish Data Protection Authority refers to the European Data Protection Board's guidance on consent[2], example 7 on the division of consent when there are several processing purposes:

"In one and the same request for consent, a retailer asks its customers for consent to their information being used to send them marketing material per e-mail, and for their information to be shared with other companies within the group. This consent is not granular as there is no separate consent for the two separate purposes and therefore the consent is not valid. […]”

However, it is the Danish Data Protection Authority's assessment that the present case differs from this, as there is no previous customer relationship between SmartResponse and the data subjects, and as SmartResponse collects, itself uses and passes on information for the purpose of marketing.

The purpose of the processing activities, which are carried out on the basis of the data subject's consent, is thus to collect, use and pass on information for the purpose of marketing, and based on this, the Danish Data Protection Authority is of the opinion that SmartResponse's own use of the information and SmartResponse's passing on of the information for use in marketing must be considered a (collective) purpose.

Granulation of the consent cannot therefore be required, and as a result, in the opinion of the supervisory authority, the consent must also be considered voluntary.

In addition, the Danish Data Protection Authority is of the opinion that the data protection regulation's article 7, subsection 3, is fulfilled, as – given that the competition participant receives a confirmation email, from which various revocation options appear – it is just as easy to revoke a consent as it is to give it.

In summary, it is the Danish Data Protection Authority's assessment that the requirements in Article 4, No. 11, and Article 7, subsection 3, of the Data Protection Regulation are fulfilled, which is why SmartResponse's collection, registration and disclosure of personal data in connection with the internet competition on the basis of the data subjects' consent has taken place in accordance with the data protection regulation's article 6, subsection 1, letter a.

The Danish Data Protection Authority notes that the Danish Data Protection Authority has not found reason to include or otherwise refer to the Data Protection Act § 13, subsection 1, in connection with the processing of section 3.1., as SmartResponse has stated that the relevant processing of personal data is based on consent according to the data protection regulation, article 6, subsection 1, letter a.

3.2. SmartResponse's processing of personal data via questionnaires

3.2.1.

SmartResponse has stated that, in addition to participating in the Internet competition, registrants are offered to complete a questionnaire.

The purpose of the questionnaire is to qualify the marketing for the personal needs of the person(s) registered. The form is also used to sort out marketing material, so that, e.g., registered persons will not be offered home insurance if they live in an apartment etc.

SmartResponse has stated that it is voluntary for those registered to complete the questionnaire, and that it is thus possible to participate in the competition - and consent to receive marketing - without completing the subsequent questionnaire.

Registrants can - after pressing "JOIN NOW" - either close the internet browser or "scroll" past the questionnaire questions and press "EXIT", without this affecting the consent of the person(s) concerned - or participation in the competition in general.

However, the questionnaire is structured in such a way that the questionnaire cannot be filled in partially. If the registrant chooses to answer the questions, all questions must therefore be answered.

In SmartResponse's opinion, the fact that the questionnaire is voluntary is made clear to registered users by the fact that registered users receive the following information on page 2 of the competition:

“[…]

In order to tailor the marketing, on the following pages you can answer a questionnaire from the companies, where the information is passed on to the company in accordance with your consent.

[…]”

In addition, the following appears from the competition conditions, which registrants can access via an "embedded" link on page 1 of the competition:

“How do you participate

You can participate by providing marketing consent to SmartResponse and our partner companies. In this connection, you also provide your name, e-mail, gender, IP address, telephone, address. In addition, you can also provide additional information, such as your areas of interest, if you wish to answer the questions on the pages that follow your participation. This makes it possible to tailor the marketing. You will find the marketing consent on our website together with the competition itself. When you give marketing consent, you participate in the competition.”

If the data subject chooses to answer the following questionnaire, non-sensitive personal data will be processed within the areas of interest to which the questions relate. The questionnaires can e.g. be about: mobile company, electricity provider and type of home.

SmartResponse has stated that there have previously been questions about whether a data subject was registered in RKI. However, the questions were removed in 2019, and the questionnaire therefore, in SmartResponse's view, only concerns general customer information.

SmartResponse has stated that the collection takes place on the basis of Article 6, subsection 1, letter f, of the Data Protection Regulation.

In addition to registering the questionnaire information itself, SmartResponse passes on the questionnaire information to its business partners.

Dissemination of information collected in connection with questionnaires takes place on the basis of section 13, subsection 2, of the Data Protection Act, cf. the data protection regulation, article 6, subsection 1, letter f. SmartResponse has stated in this connection that § 13, subsection 2, of the Data Protection Act must be interpreted in accordance with the data protection regulation, article 6, subsection 1, letter f ("interest balancing rule"), as no national access to deviate or derogate from the detailed application of Article 6, subsection 1, letter f, is indicated.

As regards the balancing of interests that must be carried out according to Article 6, subsection 1, letter f, SmartResponse has stated that the disclosure only concerns general customer information and is necessary for SmartResponse or a third party to pursue a legitimate interest. In this connection, SmartResponse has referred to recital 47 of the data protection regulation, from which it appears that direct marketing can be considered a legitimate interest.

Furthermore, SmartResponse has stated that the data subjects are informed about the disclosure and that the data subjects have given independent consent to direct marketing in connection with participation in the internet competition.

SmartResponse has informed the Danish Data Protection Authority that, as of 1 November 2021, the company stopped offering competitions with associated questionnaires, and that SmartResponse therefore no longer processes supplementary questionnaire information about data subjects.

3.2.2. Relevant legal regulations

Based on the information received, the Danish Data Protection Authority assumes that the information that SmartResponse obtains from the data subjects in connection with the questionnaires is only personal data covered by Article 6 of the Data Protection Regulation. This provision reads as follows:

"Article 6. Processing is only lawful if and to the extent that at least one of the following conditions applies:

a) The data subject has given consent to the processing of his personal data for one or more specific purposes.

b) Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken at the data subject's request prior to entering into a contract.

c) Processing is necessary to comply with a legal obligation owed to the data controller.

d) Processing is necessary to protect the vital interests of the data subject or another natural person.

e) Processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, which the data controller has been tasked with.

f) Processing is necessary for the controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child.

The first paragraph, letter f) does not apply to processing carried out by public authorities as part of the performance of their tasks.

Subsection 2. Member States may maintain or introduce more specific provisions to adapt the application of this Regulation's provisions on processing for the purposes of compliance with paragraph 1, letters c) and e), by setting more precisely specific requirements for processing and other measures to ensure legal and fair processing, including for other specific data processing situations as referred to in Chapter IX.

Subsection 3. The basis for processing according to subsection 1, letters c) and e), must appear from:

a) EU law, or
b) the national law of the Member States to which the data controller is subject.

The purpose of the processing must be set out in this legal basis or, as far as the processing referred to in subsection 1, letter e), be necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, which the data controller has been assigned. This legal basis may contain specific provisions with a view to adapting the application of the provisions of this regulation, i.a. the general conditions for the legality of the data controller's processing, which types of information must be processed, affected data subjects, which entities personal data may be disclosed to and the purpose thereof, purpose limitations, storage periods and processing activities as well as processing procedures, including measures to ensure legal and reasonable processing such as in other specific data processing situations as referred to in Chapter IX. EU law or the national law of the Member States must fulfill a purpose in the interest of society and be proportionate to the legitimate aim being pursued.”

In recital 47 of the data protection regulation, the following is stated:

"The legitimate interests of a data controller, including a data controller to whom personal data may be disclosed, or the legitimate interests of a third party may constitute a legal basis for processing, unless the data subject's interests or fundamental rights and freedoms take precedence, taking into account the data subject's reasonable expectations based on their relationship with the data controller. For example, such legitimate interests may exist when there is a relevant and appropriate relationship between the data subject and the data controller, e.g. if the data subject is a customer of or works for the data controller. In all cases, the presence of a legitimate interest requires a careful assessment, including whether a data subject at the time of and in connection with the collection of personal data can reasonably expect that processing for this purpose can take place. The interests and fundamental rights of the data subject may in particular take precedence over the interests of the controller if personal data is processed in circumstances where the data subject does not reasonably expect further processing. Since it is up to the legislature to determine by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities as part of the performance of their tasks. Processing of personal data that is strictly necessary to prevent fraud also constitutes a legitimate interest for the data controller concerned. Processing of personal data for direct marketing can be considered to have been carried out in a legitimate interest.”

Section 13, subsection 1, of the Data Protection Act states that a company may not pass on information about a consumer to another company for direct marketing or use the information on behalf of another company for this purpose, unless the consumer has given his express consent to this. Disclosure and use as mentioned in subsection 1 may, however, take place without consent if it is general customer information that forms the basis for division into customer categories, and if the disclosure follows the balance of interests set out in the data protection regulation, article 6, subsection 1, letter f, cf. section 13, subsection 2, of the Data Protection Act.

In the general comments in the draft law (bill no. L 68 of 25 October 2017), by which Section 13 of the Data Protection Act was introduced, the following is stated, among other things (on pp. 139-140):

"2.3.9. Processing in connection with marketing etc.

…

2.3.9.2. The Data Protection Regulation

It appears from the data protection regulation's article 6, subsection 2, that Member States may maintain or introduce more specific provisions to adapt the application of the regulation's provisions on processing for the purposes of compliance with subsection 1, letters c and e, by setting more precisely specific requirements for processing and other measures to ensure legal and fair processing, including for other specific data processing situations as referred to in Chapter IX (Articles 85-91).

It follows from the data protection regulation's article 6, subsection 3, which seems to lay down more detailed conditions for applying Article 6, subsection 2, that the basis for processing according to subsection 1, letters c and e, must appear from EU law or from the national law of the Member States to which the data controller is subject. Article 6 of the Data Protection Regulation, subsection 3, must be seen as an extension of Article 6, subsection 2. Article 6, subsection 3, is thus an elaboration of how the provisions introduced pursuant to Article 6, subsection 2, according to which the Member States may maintain or introduce specific rules, are to be set out in more detail.

According to the data protection regulation, it is thus possible to maintain and introduce more specific provisions to adapt the application in connection with Article 6, paragraph 1, letters c and e, regarding processing on the basis of a legal obligation or in the interest of society.

Furthermore, Article 21 of the Data Protection Regulation contains, among other things, rules on the right to object when personal data is processed for the purpose of direct marketing.

2.3.9.3. The Ministry of Justice's considerations and the design of the bill

As regards the Personal Data Act's processing rules on marketing in the act's section 6, subsection 2-4, § 12 and § 36, subsection 2, 1st point, it is the Ministry of Justice's assessment that these rules can and should be maintained.

It is the Ministry of Justice's assessment that the data subject should have a decisive influence on the extent to which personal data about the person in question is processed for marketing purposes.

Narrow limits should therefore be laid down in the bill for the cases in which a company - without the individual consumer's consent - may pass on information about a consumer to other companies for marketing purposes, cf. section 13 of the bill."

In the comments to the proposed section 13 (p. 183 of the bill) it is stated, among other things:

"To § 13

…

It is proposed in section 13 to continue the provisions in section 6, subsections 2-4, and § 12 of the Personal Data Act. Furthermore, it is proposed to continue § 36, subsection 2, 1st point, of the Personal Data Act, adapted to the data protection regulation's changes to the right to object in relation to marketing.

The proposed paragraph 1 lays down the main rule that companies may not pass on information about consumers to other companies for marketing purposes (or use the information on behalf of other companies for marketing purposes), unless the consumer has given his express consent to this. Regarding the consent requirement, please refer to Article 4, No. 11 and Article 7 of the Data Protection Regulation. In addition, consent must be obtained in accordance with the rules in Section 10 of the Marketing Act.

Paragraph 2 states the cases where an exception is made to the requirement for consent in subsection 1. As stated in the provision, customer information can only be disclosed without the customer's consent if two conditions are met.

Firstly, it must be general customer information that forms the basis for division into customer categories.

If this condition is met, the disclosure must, secondly, result from the balance of interests set out in the data protection regulation, article 6, subsection 1, letter f. According to this provision, disclosure can take place if disclosure is necessary for "the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms that require the protection of personal data precede this, especially if the data subject is a child." An example of this is the situation where a company has informed its customers that it will not pass on information about the customers to other companies for marketing purposes. If, in spite of this, the company were to decide to pass on the information, the consideration for the customers, cf. the data protection regulation's article 6, paragraph 1, letter f, depending on the circumstances, could argue against such disclosure taking place without the customers' prior consent.

As examples of information that will then be able to be passed on without consent according to the proposed provision, information about the customer's name, address, gender and age can be mentioned. The same applies to general information about, for example, that the customer is a home owner, car owner, computer owner and the like. The same applies to, e.g., information that this is a customer for leisure items, for baby and toddler items, for organic goods, for wine and spirits or other generally defined product groups.

On the other hand, according to the proposed provision, it will not be possible without consent to pass on information which reveals sensitive information about the customer.

It will also not be possible to pass on more detailed customer information or consumption habits without the customer's consent. For example, information about whether the customer's car was bought on credit and, if applicable, information about the terms of the credit must not be passed on. Information about the quantity of wine the customer buys must also not be passed on. This applies even if this does not in itself reveal that the customer has an alcohol addiction. Nor may more detailed information about what kind of wine the customer buys be passed on.”

3.2.3. The Danish Data Protection Authority's assessment

As stated in section 3.2.1. the personal data that SmartResponse collects and registers on the basis of the questionnaires is passed on to business partners.

The Danish Data Protection Authority finds, on the basis of the information that the Danish Data Protection Authority has received from SmartResponse, that the company cannot be considered to be solely collecting "general customer information" through the questionnaires.

Several items of information are too specific and detailed about the individual competition participant to be considered "general", and this information must therefore, in the opinion of the Danish Data Protection Authority, be considered to be of such a nature that it constitutes what must be described as more detailed information about the data subjects. This is due, among other things, to the fact that the questionnaires ask for the competition participant's specific mobile provider and TV provider, which specific streaming services the competition participant uses, which electricity supplier the competition participant has, which mortgage institution the competition participant is a customer of, as well as the number of hours the competition participant has to the labor market.

Disclosure of such information about a consumer to another company for use in direct marketing, or use of the information on behalf of another company for this purpose, requires, according to Section 13 of the Data Protection Act and the preparatory works for it, the consent of the data subject, cf. Section 13, subsection 1, compared with subsection 2.

The Danish Data Protection Authority thus does not agree that the questionnaire information in its entirety could have been passed on to business partners on the basis of section 13, subsection 1 of the Data Protection Act. 2, cf. the data protection regulation, article 6, subsection 1, letter f.

SmartResponse has raised questions as to whether the arrangement resulting from Section 13 of the Data Protection Act is compatible with Article 6 of the Data Protection Regulation, as, in SmartResponse's view, this provision does not appear to contain any national access to derogation with regard to the processing of personal data by private companies for the purpose of direct marketing.

After further consideration as a result of the above-mentioned question, it is, in the opinion of the Danish Data Protection Authority, doubtful whether section 13 of the Data Protection Act lies within the national discretion that the Data Protection Regulation's article 6, subsections 2-3, allows.

According to EU law, it is the duty of the Danish Data Protection Authority to refrain from applying national legal provisions, to the extent that such application would be in conflict with directly applicable EU rules.

Against this background, the Danish Data Protection Authority has considered whether an isolated application of Article 6 in the present case will (also) lead to the consent of the data subjects being required for SmartResponse to pass on the questionnaire information for use by partners in direct marketing.

It is the Danish Data Protection Authority's opinion that application of Article 6 in the present situation leads to SmartResponse having to obtain consent from the data subjects for passing on the questionnaire information to business partners for use in direct marketing.

Thus, the Danish Data Protection Authority does not consider that – if the disclosure is assessed independently of what follows from Section 13 of the Data Protection Act – there will be a basis for the disclosure in the Data Protection Regulation's Article 6, subsection 1, letter f, since the questionnaire information, which the competition participant is asked to fill in, is too detailed to be passed on for the purpose of direct marketing within the framework of the regulation's article 6, subsection 1, letter f.

It should be noted here that, in the opinion of the Danish Data Protection Authority, there is no evidence, not even in recital 47 of the data protection regulation, that requiring consent for disclosure in the present case would be in breach of the data protection regulation.

SmartResponse has informed the Danish Data Protection Authority that the company's processing of questionnaire information ceased as of 1 November 2021 and that SmartResponse therefore no longer processes such questionnaire information about data subjects.

For that reason, the Danish Data Protection Authority does not take any further action in this regard.

3.3. SmartResponse's storage of personal data for documentation purposes

3.3.1.

SmartResponse has stated that the company stores personal data for the purpose of being able to document that a consent has been given that complies with applicable legislation, should the data subject make a complaint.

The storage takes place on the basis of the balancing of interests rule in the data protection regulation, article 6, subsection 1, letter f.

In this connection, SmartResponse stores information about giving consent (contact information, IP address and timestamp).

After consent has been withdrawn, SmartResponse registers the telephone number and e-mail address of data subjects who have withdrawn their consent on a "no thank you list".

The purpose of the no-thanks list is to document the revocation of consent, in order to avoid subsequent use of a revoked consent. SmartResponse thereby also blocks the use of false consents, and the company avoids subsequently passing on information to business partners where consent has been revoked.

If a registered person wishes to be deleted from the list, SmartResponse will comply with the request. However, SmartResponse is of the very clear opinion that the list is in practice exclusively for the benefit of the data subject, as SmartResponse thus ensures that the data subject does not receive marketing material and that information is not passed on to business partners.

Information for use in documentation is stored for 5 years from giving consent, just as information registered on the no-thanks list is stored for 5 years.

The deadline is set in order to be able to document compliance with the Data Protection Regulation, the Marketing Act and the Consumer Contracts Act when obtaining and using consents for direct marketing, cf. the limitation period for criminal liability in the Data Protection Act § 41, subsection 7. This is also stated to the data subjects in the personal data policy.

All other information submitted in the questionnaire is automatically anonymized 1 year after submission, so that the answers given cannot be attributed to the registered person.

3.3.2. Relevant legal regulations

The general principles for processing personal data appear in Article 5 of the Data Protection Regulation.

It appears from Article 5, subsection 1, letter c, that personal data must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed.

It also appears from Article 5, subsection 1, letter e, that personal data must be stored in such a way that it is not possible to identify the data subjects for a longer period of time than is necessary for the purposes for which the personal data in question is processed.

It follows from the data protection regulation's article 6, subsection 1, that processing of personal data is only lawful if and to the extent that at least one of the conditions in letter a-f applies.

According to Article 6, paragraph 1, letter a, personal data can be processed when the data subject has given consent to the processing of his personal data for one or more specific purposes.

In addition, data controllers may, pursuant to Article 6, para. 1, letter f, process personal data if processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms that require the protection of personal data precede this.

It follows from the regulation's article 7, subsection 1, that if the processing of personal data is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of his personal data. The data controller thus bears the burden of proof to be able to document the validity of a consent.

Data subjects may, pursuant to Article 7, subsection 3, withdraw their consent at any time.

The EDPB's Guidelines 5/2020 state, among other things, the following:

"104. Article 7 of the Data Protection Regulation, subsection 1, clearly describes the data controller's express obligation to demonstrate that a data subject has given consent. The burden of proof lies with the data controller, cf. Article 7, subsection 1.

Recital 42 states that: "If processing is based on the data subject's consent, the data controller should be able to demonstrate that the data subject has given consent to the processing." The data controllers are free to develop methods for complying with this provision that suit their daily operations. At the same time, the very obligation to demonstrate that the data controller has obtained valid consent should not in itself lead to additional disproportionate amounts of data processing work. That is, the data controllers should have enough data to demonstrate a connection to the processing (to show that consent was obtained), but they should not collect more information than necessary. It is up to the data controller to prove that valid consent has been obtained from the data subject. The data protection regulation does not specify exactly how this should be done. However, the data controller must be able to prove that a data subject has given consent in a given case. As long as a data processing activity continues, the obligation to demonstrate consent remains. After the end of the processing activity, the proof of consent should not be kept longer than is strictly necessary to comply with a legal obligation or for legal claims to be established, asserted or defended, cf. Article 17, paragraph 3, letter b) and e). The data controller can e.g. save received declarations of consent so that he can demonstrate how consent was obtained when it was obtained, and it must be possible to prove what information the data subject was presented with at the time of giving consent. The data controller must also be able to demonstrate that the data subject was informed and that the data controller's approach met all relevant criteria for a valid consent. The rationale behind this obligation in the data protection regulation is that the data controllers must be held accountable for obtaining valid consent from data subjects and for the consent mechanisms they have implemented. 
In an online situation, a data controller can e.g. store information about the session in which consent was given, together with documentation of the procedure for obtaining consent during the session and a copy of the information provided to the data subject. It would not be enough to simply refer to a proper configuration of the site in question.

[…]

"117. If consent is withdrawn, all data processing activities that were based on the consent and took place before the consent was withdrawn - and in accordance with the data protection regulation - are generally still valid, but the data controller must stop the affected processing activities. If there is no other legal basis that justifies the processing (e.g. further storage) of the data, the data controller should delete them.

[…]

The data controllers are obliged to delete information that was processed on the basis of consent when the consent is withdrawn, if there is no other purpose that justifies the further storage of the information. In addition to this situation, which is covered by Article 17, paragraph 1, letter b), a registered person can request deletion of other personal data that is processed based on another legal basis, e.g. on the basis of Article 6, subsection 1, letter b). The data controllers are obliged to assess whether continued processing of the personal data in question is appropriate, even if the data subject has not submitted a request for deletion.

[…].”

3.3.3. The Danish Data Protection Authority's assessment

3.3.3.1. Storage of personal data

According to the regulation's article 7, subsection 1, the data controller must be able to demonstrate that the data subject has consented to the processing of information about himself while the processing is ongoing.

Data controllers – including SmartResponse – can therefore process personal data in order to be able to document the data subject's consent while the processing is ongoing.

If the data subject withdraws his consent, the processing, which is carried out on the basis of the consent in question, must cease.

The personal data in question, which is processed on the basis of consent, must then be deleted as a starting point, unless there is another legal basis for the processing.

In this connection, the Danish Data Protection Authority is of the opinion that, within the framework of the data protection regulation, Article 6, subsection 1, letter f, for a limited period, personal data may continue to be stored to document the data subject's consent in order to clarify whether a dispute may exist or arise. In cases where a dispute is likely to arise, the information may be stored for as long as is necessary in relation to clarifying the dispute.

The legitimate interest, which must be able to justify further storage according to Article 6, subsection 1, letter f, must, however, represent a real and current interest – and thus not a hypothetical interest – so that further storage of personal data with a view to documenting the data subject's consent can take place within the framework of the regulation's article 6, subsection 1, letter f. [3]

Since SmartResponse, as stated above, must be able to demonstrate the validity of the consents used for the processing of personal data, the Danish Data Protection Authority is of the opinion that it cannot be considered necessary to keep a list of revoked consents in order to avoid using a revoked consent to the processing of personal data.

It is against this background that the Danish Data Protection Authority is of the opinion that SmartResponse with the no-thanks list carries out unnecessary processing which neither complies with the regulation's article 5, subsection 1, letter c, or the necessity criterion in Article 6, subsection 1, letter f.

As a result, the Danish Data Protection Authority finds grounds to express serious criticism of SmartResponse's processing of personal data, which is carried out on the no-thanks list.

The Danish Data Protection Authority also instructs SmartResponse to delete personal data that appears on the no-thanks list and that does not – on the basis of a likely or concrete dispute – require further storage.

The order is notified, cf. the data protection regulation, article 58, subsection 2, letter g, and the deadline for complying with the order is four weeks from today's date.

In this connection, the Danish Data Protection Authority draws attention to the fact that failure to comply with an order issued by the Danish Data Protection Authority can be punished with a fine or imprisonment of up to 6 months, cf. section 41, subsection 2, No. 5, of the Data Protection Act.

3.3.3.2. The retention period

The Danish Data Protection Authority finds that the fixed storage period of 5 years is not in accordance with the principle of storage limitation, which appears from the data protection regulation's article 5, subsection 1, letter e.

It is the Danish Data Protection Authority's assessment that a storage period of 5 years, which is set on the basis of the limitation period in the Data Protection Act § 41, subsection 7, is not in accordance with the requirement of necessity in the regulation's article 5, subsection 1, letter e, as the mere possibility that a criminal case may be brought does not justify or necessitate that personal data be stored for 5 years.

A general storage period should be determined based on a concrete assessment based on the requirement of necessity in the regulation's Article 5, subsection 1, letter e. This period can, if necessary in individual cases, be extended when, for example, there is a concrete complaint, or if a legal claim must be established, asserted or defended.

The Danish Data Protection Authority therefore finds grounds to express serious criticism of SmartResponse's storage period of 5 years.

The Danish Data Protection Authority recommends that SmartResponse make a new assessment of the length of the storage period, where greater consideration is given to the general need to store the personal data in question. In this connection, i.a. information is included on how long a collected consent for direct marketing is normally used as well as the temporal probability that a consent will be disputed by the data subjects.

In this connection, it should also be included that complaints about telephone calls etc. must be presumed to arise in relatively close temporal connection to the inquiry complained of.

The EDPB's guidance, which is quoted above, as well as section 3.1 of the Data Protection Authority's guidance on consent can be included in relation to this.

3.4. SmartResponse's compliance with the obligation to provide information

3.4.1.

SmartResponse has stated that SmartResponse provides the information that appears in the company's personal data policy, which is linked to on the first page of the competition, to those registered.

In this connection, SmartResponse has forwarded a link to the company's personal data policy.

SmartResponse does not process personal data that is not collected directly from the data subjects, and the company therefore does not provide information according to Article 14 of the Data Protection Regulation.

3.4.2. Relevant legal regulations

It appears from Article 13 of the Data Protection Regulation that if personal data about a registrant is collected from the data subject, the data controller at the time the personal data is collected provides the data subject with all of the following information:

a) identity and contact details of the data controller and his possible representative
b) contact details of a possible data protection advisor
c) the purposes of the processing for which the personal data is to be used and the legal basis for the processing
d) the legitimate interests pursued by the data controller or a third party, if the processing is based on Article 6, subsection 1, letter f)
e) any recipients or categories of recipients of the personal data
f) where it is relevant that the data controller intends to transfer personal data to a third country or an international organization and whether the Commission has made a decision on the adequacy of the level of protection, or in the case of transfers pursuant to Article 46 or 47 or Article 49, paragraph 1, second paragraph, letter h), reference to the necessary or appropriate guarantees and how a copy thereof can be obtained or where they have been made available.

In addition to the information referred to in paragraph 1, the data controller must, at the time the personal data is collected, provide the data subject with the following additional information that is necessary to ensure fair and transparent processing:

a) the period of time for which the personal data will be stored, or if this is not possible, the criteria used to determine this period of time
b) the right to request from the data controller access to and rectification or deletion of personal data or restriction of processing regarding the registered or to object to processing as well as the right to data portability
c) when processing is based on Article 6, subsection 1, letter a), or Article 9, subsection 2, letter a), the right to withdraw consent at any time, without this affecting the lawfulness of processing based on consent, before its withdrawal
d) the right to lodge a complaint with a supervisory authority
e) whether the communication of personal data is required by law or a requirement pursuant to a contract or a requirement that must be met in order to enter into a contract, as well as whether the data subject has an obligation to provide the personal data and the possible consequences of not providing such information
f) the occurrence of automatic decisions, including profiling, as referred to in Article 22, paragraph 1 and 4, and in these cases at least meaningful information about the logic therein as well as the meaning and expected consequences of such processing for the data subject.

It appears from the data protection regulation, article 12, subsection 1, that the data controller must take appropriate measures to provide any information as referred to in i.a. Article 13 to the data subject in a concise, transparent, easily understandable and easily accessible form and in clear and simple language.

3.4.3. The Danish Data Protection Authority's assessment

The Danish Data Protection Authority initially notes that the Danish Data Protection Authority agrees with SmartResponse's assessment that the company collects information from the data subject itself, and that SmartResponse is therefore obliged to observe Article 13 of the Data Protection Regulation.

The Danish Data Protection Authority finds that SmartResponse has not sufficiently complied with Article 13 of the Data Protection Regulation, cf. Article 12, subsection 1.

The Danish Data Protection Authority has placed emphasis on the fact that it is not disclosed to data subjects – as required by Article 13, subsection 1, letter c – that SmartResponse, pursuant to Article 6, subsection 1, letter f, continues to store information about the registered person(s) after a consent has been withdrawn.

In this connection, data subjects also do not receive sufficient information about the legitimate interest that SmartResponse pursues when SmartResponse - in order to document a valid consent - processes information in accordance with the regulation's Article 6, subsection 1, letter f, after a consent has been withdrawn.

This means that the data subject does not have the opportunity to safeguard his interests to a sufficient extent – e.g. by exercising the right to object under Article 21, paragraph 1 – which, in the opinion of the Danish Data Protection Authority, is not in accordance with Article 13, subsection 1, letter d, cf. Article 12, subsection 1.

In summary, the Danish Data Protection Authority finds that there are grounds for expressing criticism that SmartResponse has not sufficiently complied with Article 13 of the Data Protection Regulation, cf. Article 12, subsection 1.

The Danish Data Protection Authority found after a visit to SmartResponse's website on 9 November 2021 that SmartResponse has changed its privacy policy. The Danish Data Protection Authority has not dealt with this in the decision.



[1]   See European Data Protection Board Guidelines 5/2020 on consent under Regulation 2016/679 (version 1.1, adopted on 4 May 2020), page 13.

[2]   EDPB Guidelines 5/2020 on consent under Regulation 2016/679, example 7, page 12.

[3]   Article 29-Group Opinion 6/2014 on the legitimate interests of the controller as referred to in Article 7 of Directive 95/46/EC, page 27.